Xavier Beaudouin wrote:
>
> Because whitelist_dnsname can be..... forged for example.
>
Absolutely not. At least not as easy as you may be thinking. Postfix only gives the hostname to policyd if the IP has what I call a 'perfect reverse'. Policyd does not resolve IPs/hosts. That information is passed by postfix.

'perfect reverse' = IP resolves to some hostname **AND** that hostname resolves to that IP

[EMAIL PROTECTED] ~]# host 65.54.246.241
241.246.54.65.in-addr.arpa domain name pointer bay0-omc3-s41.bay0.hotmail.com.
[EMAIL PROTECTED] ~]#
[EMAIL PROTECTED] ~]# host bay0-omc3-s41.bay0.hotmail.com
bay0-omc3-s41.bay0.hotmail.com has address 65.54.246.241
[EMAIL PROTECTED] ~]#

Someone can easily forge one of those 2 situations, but surely it's not that trivial to forge these 2 resolutions. You can forge some of your IPs for being 'hotmail.com', but you'll not have something.hotmail.com being your IP that easily.

I think whitelist_dnsname is a highly trustable way of whitelisting things, because of the 2-way resolution.

--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br

[EMAIL PROTECTED]
My SPAMTRAP, do not email it
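The two-way resolution described in the message above, as an added example that is not part of the original post and is not policyd's or Postfix's code. The function names, the suffix-matching rule and the 203.0.113.7 record are assumptions made for illustration; the resolvers are injectable so the constructed zone data runs offline.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR lookup through the system resolver; returns a list of names."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def system_addrs(name):
    """A/AAAA lookup through the system resolver; returns address strings."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def confirmed_names(ip, ptr=system_ptr, addrs=system_addrs):
    """Return the PTR names of ip whose forward lookup contains ip again."""
    client = ipaddress.ip_address(ip)
    confirmed = []
    for name in ptr(ip):
        name = name.rstrip(".").lower()
        for addr in addrs(name):
            try:
                if ipaddress.ip_address(addr) == client:
                    confirmed.append(name)
                    break
            except ValueError:  # e.g. scoped IPv6 literal from the resolver
                continue
    return confirmed

def whitelisted(ip, suffix, ptr=system_ptr, addrs=system_addrs):
    """True only if a forward-confirmed name is suffix or ends in .suffix."""
    suffix = suffix.strip(".").lower()
    return any(n == suffix or n.endswith("." + suffix)
               for n in confirmed_names(ip, ptr, addrs))

# Constructed zone data: the first PTR/A pair is the lookup shown in the
# message; 203.0.113.7 is a made-up host whose owner controls only its PTR.
PTR = {"65.54.246.241": ["bay0-omc3-s41.bay0.hotmail.com."],
       "203.0.113.7": ["mail.hotmail.com."]}
A = {"bay0-omc3-s41.bay0.hotmail.com": ["65.54.246.241"]}

def demo():
    lookup = (lambda ip: PTR.get(ip, []), lambda name: A.get(name, []))
    return {ip: whitelisted(ip, "hotmail.com", *lookup) for ip in PTR}
```

A PTR record alone is never trusted here: the name counts only after its forward lookup returns the connecting IP, and the suffix is compared on a label boundary so `x.nothotmail.com` does not match `hotmail.com`.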