Bernd Wurst <[email protected]> writes:

> No, it's the other way round. The above mentioned check would do a
> reverse lookup of the connected IP address and then match the
> resulting host name against the HELO name. What I said is to
> resolve the HELO name and omit this check if this matches the
> connected IP address.

It's only "the other way round" in terms of implementation details (i.e., how you write the code to check for a match). I was thinking more in terms of configuration files and the semantics of the check.

Perhaps I didn't express it clearly, but this is what I intended to be saying. I think that's what the guy in the other thread long ago was saying too. In context, he seemed to be saying that the existing HELO check was unsuitable for his needs because it was too strict, and he was desirous of having less-severe options. All of the proposed checks were intended to be strictly more lenient than the existing HELO check.

If you read the proposal in that light, it seems obvious that a HELO that resolves to the sending host's IP address would pass. A match is good, and an exact match is at least as good as a partial match, irrespective of exactly how you arrive at the conclusion that it matches. If the IP address and the HELO name match exactly, either forwards *or* backwards, then that's at least as good as a partial match (I would say better). So it should pass that check.

Which, I think, is approximately what you were advocating, only in different words. You said "skip the check", and I view it as "passing the check", but the outcome is presumably just about the same: we're not going to reject or otherwise penalize the message based on this check, if the HELO is a positive match for the IP address.

> (Given that "actual FQDN" is the reverse lookup of the IP address.)

Any FQDN that resolves to the correct IP address is also an actual FQDN of the host in question. (The reason you use reverse lookup to check for partial matches is because it provides a way to check for them. I don't know of any obvious and computationally reasonable way to check for partial matches against forwardly-resolved A records. But an exact match is entirely straightforward to verify.)
> If I have a home server on a dialup connection,

If you are on a dialup connection, your ISP provides a mail server that will relay on your behalf. (You might have to set up authentication of some kind, but that should be no problem.)

However, I'm not proposing that your setup should fail the test, because, as discussed above, the A record indicates a match.

-- 
Nathan Eady
Galion Public Library

_______________________________________________
courier-users mailing list
[email protected]
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
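
Added example, not part of the original message and not Courier's own code: a sketch of the check semantics discussed in this message, where an exact match forwards or backwards passes before any partial match is tried. The function names, the verdict strings, the sample zone data and the definition of "partial match" (same last two labels as a PTR name) are all assumptions made for illustration; the thread does not define them.

```python
import ipaddress
import socket

def forward_ips(name):
    """Addresses the name resolves to via the system resolver."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()

def reverse_names(ip):
    """PTR names for the address via the system resolver."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return {host, *aliases}
    except (socket.herror, socket.gaierror):
        return set()

def helo_verdict(helo, client_ip, fwd=forward_ips, rev=reverse_names, labels=2):
    """Return 'forward', 'reverse', 'partial' or 'mismatch'."""
    helo = helo.rstrip(".").lower()
    ip = ipaddress.ip_address(client_ip)
    # Exact match forwards: the HELO name resolves to the connecting address.
    if any(ipaddress.ip_address(a) == ip for a in fwd(helo)):
        return "forward"
    ptrs = {n.rstrip(".").lower() for n in rev(client_ip)}
    # Exact match backwards: a PTR name of the address equals the HELO name.
    if helo in ptrs:
        return "reverse"
    # Partial match (assumed definition): same trailing `labels` labels.
    tail = helo.split(".")[-labels:]
    if len(tail) == labels and any(p.split(".")[-labels:] == tail for p in ptrs):
        return "partial"
    return "mismatch"

# Constructed sample zone data (documentation address ranges, example domains).
SAMPLE_A = {"home.example.net": {"198.51.100.7"}, "mail.example.org": {"192.0.2.10"}}
SAMPLE_PTR = {"198.51.100.7": {"dyn-7.pool.isp.example"},
              "192.0.2.10": {"MX1.example.org."},
              "203.0.113.5": {"host5.example.com"}}

def sample_fwd(name):
    return SAMPLE_A.get(name, set())

def sample_rev(ip):
    return SAMPLE_PTR.get(ip, set())

if __name__ == "__main__":
    for helo, ip in [("home.example.net", "198.51.100.7"),
                     ("smtp.example.com", "203.0.113.5")]:
        print(helo, ip, helo_verdict(helo, ip, sample_fwd, sample_rev))
```

The first sample pair is the home-server case from the quoted text: the PTR record is the ISP's pool name, but the A record of the HELO name matches the connecting address, so the verdict is "forward".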
