If you want to use host-name-based access control, use $TCPREMOTEHOST
with tcpserver's -p option.

If you just want host names to supplement IP addresses in logs, use
$TCPREMOTEHOST with tcpserver's (default) -P option or with tcp-env.
This is the standard qmail-smtpd configuration.

Mate Wierdl writes:
> I am confused: Dan said using -P to tcpserver is useless.

No. Here's the procedure for looking up the remote host name:

   (1) With tcpserver -H, stop here.
   (2) Look up the PTR for the incoming IP address.
   (3) With tcpserver without -p, stop here.
   (4) Look up every A for that PTR. If none of them match the IP
       address, discard the PTR.
   (5) With tcpserver, or tcpd without PARANOID, stop here.
   (6) Drop the connection if there wasn't a match in #2.

I said that #6, tcpd's (default) PARANOID option, is useless: it was
designed to protect against an ancient bug in rlogind, namely that
rlogind did #2 without #4.

I realized later that #6 is useless for a more serious reason: it never
protected against that bug anyway. See the bugtraq archives for details.

#6 also hurts the reliability of mail, thanks to misconfigured hosts and
hard-to-reach DNS servers. Many people have trouble tracing the problem,
since tcpd doesn't take responsibility for its own error messages.
---Dan
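
The six steps above as a small model, added here as an example; it is not Dan's code or tcpserver's. The DNS tables, the function names remote_host and allowed_by_name, and the allow list are constructed for illustration, and step 6 is modelled on the assumption that the connection is dropped when no name survived steps 2 and 4.

```python
# Added illustration of steps (1)-(6); all DNS data below is constructed.
PTR = {                                   # reverse zone: set by whoever owns the IP block
    "192.0.2.10": "mail.example.org",     # honest host
    "192.0.2.66": "trusted.example.org",  # PTR claims a name its owner never assigned
}                                         # 192.0.2.99 has no PTR at all
A = {                                     # forward zone: set by the owner of the name
    "mail.example.org": ["192.0.2.10", "192.0.2.11"],
    "trusted.example.org": ["198.51.100.5"],
}

def remote_host(ip, mode, ptr=PTR, a=A):
    """Return (accepted, name) for mode "-H", "-P", "-p" or "PARANOID".

    name models $TCPREMOTEHOST; None means it is left unset.
    """
    if mode == "-H":                      # (1) no lookup at all
        return True, None
    name = ptr.get(ip)                    # (2) PTR for the incoming IP address
    if mode == "-P":                      # (3) unverified name, fine for logs only
        return True, name
    if name is not None and ip not in a.get(name, []):
        name = None                       # (4) no A record matches: discard the PTR
    if mode == "-p":                      # (5) connection is kept either way
        return True, name
    # (6) assumption: "no match" is read as "no name survived (2) and (4)"
    return name is not None, name

def allowed_by_name(ip, mode, allow=("trusted.example.org",)):
    """Hypothetical host-name access rule applied to the looked-up name."""
    accepted, name = remote_host(ip, mode)
    return accepted and name in allow

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.66", "192.0.2.99"):
        for mode in ("-H", "-P", "-p", "PARANOID"):
            print(ip, mode, remote_host(ip, mode), allowed_by_name(ip, mode))
```

With the constructed PTR for 192.0.2.66, the name rule passes under -P and fails under -p, which is the difference between using the name for logs and using it for access control.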