I've researched $TCPREMOTEINFO and "ident lookups". And, for everyone
else's benefit, I included the useful snippets below.

--> My question is, what impact is there on qmail of not having
$TCPREMOTEINFO available?

We are switching to all Cisco Pix firewalls which, unlike our previous
firewalls, all appear to have the IDENT port blocked. Fine, so I put the
"-R" option in my qmail tcpservers, and we're happy again, with no more
26-second delays.

The man pages say qmail-smtpd requires $TCPREMOTEINFO, but they don't
say how it uses it. Will it show up in the headers somewhere? Is that
where the Received-By header gets the IP-name translation? We want to
make an informed decision, and to do so we need to understand how it
will impact qmail.

Thanks in advance!

Dave
:)

_____________________________

From Bernstein:
http://cr.yp.to/ucspi-tcp/environment.html
$TCPREMOTEINFO is a connection-specific string supplied by the remote
host via the 931/1413/IDENT/TAP protocol. If no information is
available, $TCPREMOTEINFO is not set. Beware that $TCPREMOTEINFO can
contain arbitrary characters. 


From RFC 1413 "Identification Protocol":

http://andrew2.andrew.cmu.edu/rfc/rfc1413.html

Excerpts:
"The Identification Protocol (a.k.a., "ident", a.k.a., "the Ident
Protocol") provides a means to determine the identity of a user of a
particular TCP connection. Given a TCP port number pair, it returns a
character string which identifies the owner of that connection on the
server's system. The Identification Protocol was formerly called the
Authentication Server Protocol"
"Security Considerations 
        The information returned by this protocol is at most as
trustworthy as the host providing it OR the organization operating the
host. For example, a PC in an open lab has few if any controls on it to
prevent a user from having this protocol return any identifier the user
wants. Likewise, if the host has been compromised the information
returned may be completely erroneous and misleading. 
        The Identification Protocol is not intended as an authorization
or access control protocol. At best, it provides some additional
auditing information with respect to TCP connections. At worst, it can
provide misleading, incorrect, or maliciously incorrect information. 
        The use of the information returned by this protocol for other
than auditing is strongly discouraged. Specifically, using
Identification Protocol information to make access control decisions -
either as the primary method (i.e., no other checks) or as an adjunct to
other methods may result in a weakening of normal host security. 
        An Identification server may reveal information about users,
entities, objects or processes which might normally be considered
private. An Identification server provides service which is a rough
analog of the CallerID services provided by some phone companies and
many of the same privacy considerations and arguments that apply to the
CallerID service apply to Identification. If you wouldn't run a "finger"
server due to privacy considerations you may not want to run this
protocol. "

Other:
The Ident port is Port 113.
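As an added illustration (not code from the original post, from qmail or from ucspi-tcp), here is a parser for the RFC 1413 reply line described in the excerpt above, followed by the sanitizing step that Bernstein's warning about arbitrary characters calls for before the string is written to a log line or header. The sample replies are constructed; the port pair 6193/23 is the one the RFC itself uses.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample replies in the shape RFC 1413 describes:
#   <server-port> , <client-port> : USERID : <opsys>[,<charset>] : <user-id>
#   <server-port> , <client-port> : ERROR : <error-type>
SAMPLE_REPLIES = [
    "6193, 23 : USERID : UNIX : stjohns",
    "6193, 23 : USERID : OTHER,US-ASCII : dave@example",
    "6193, 23 : ERROR : NO-USER",
    "6193, 23 : USERID : UNIX : evil\x1b[2Jtext:with:colons",  # hostile content
]


@dataclass
class IdentReply:
    server_port: int
    client_port: int
    kind: str                      # "USERID" or "ERROR"
    opsys: Optional[str] = None
    charset: Optional[str] = None
    value: str = ""                # user-id, or the error-type for ERROR replies


def parse_ident_reply(line: str) -> IdentReply:
    """Parse one ident reply line (CRLF already stripped); raise ValueError if malformed."""
    parts = line.split(":", 2)
    if len(parts) < 3:
        raise ValueError("too few fields in ident reply")
    m = re.fullmatch(r"\s*(\d{1,5})\s*,\s*(\d{1,5})\s*", parts[0])
    if not m:
        raise ValueError("bad port pair")
    sp, cp = int(m.group(1)), int(m.group(2))
    if not (0 < sp < 65536 and 0 < cp < 65536):
        raise ValueError("port out of range")
    kind = parts[1].strip()
    if kind == "ERROR":
        return IdentReply(sp, cp, "ERROR", value=parts[2].strip())
    if kind == "USERID":
        # The user-id is everything after the third colon, so it may itself contain colons.
        rest = parts[2].split(":", 1)
        if len(rest) != 2:
            raise ValueError("USERID reply lacks a user-id field")
        opsys, _, charset = rest[0].strip().partition(",")
        return IdentReply(sp, cp, "USERID", opsys.strip(), charset.strip() or None, rest[1].strip())
    raise ValueError("unknown reply type: %r" % kind)


def sanitize_for_log(s: str, max_len: int = 64) -> str:
    """Reduce an untrusted ident string to bounded printable ASCII before logging it."""
    cleaned = "".join(c if 0x20 <= ord(c) < 0x7F else "?" for c in s)
    return cleaned[:max_len]
```

The parsed value is auditing information only, as the RFC's security considerations say; nothing here grants access on the basis of it.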
