Charles Cazabon <[EMAIL PROTECTED]> writes:

> Chris Johnson <[EMAIL PROTECTED]> wrote:
> > On Tue, Apr 17, 2001 at 05:57:52PM -0700, Frank Precissi wrote:
> > > My question: Does ucspi-tcp support hostnames?  If so, would they be 
> > > added as:
> > > 
> > > domain.com:allow,RELAYCLIENT=""
> > > or
> > > .domain.com:allow,RELAYCLIENT=""
> > 
> > I would guess that this would work. To confirm it, I'd try it and see what
> > happens.

This is not the correct syntax.

From http://cr.yp.to/ucspi-tcp/tcprules.html (I've marked hostname
related rules with a *):

    Addresses

    tcpserver looks for rules with various addresses:
    
       1. $TCPREMOTEINFO@$TCPREMOTEIP, if $TCPREMOTEINFO is set;
   *   2. $TCPREMOTEINFO@=$TCPREMOTEHOST, if $TCPREMOTEINFO is set and
          $TCPREMOTEHOST is set;
       3. $TCPREMOTEIP;
   *   4. =$TCPREMOTEHOST, if $TCPREMOTEHOST is set;
       5. shorter and shorter prefixes of $TCPREMOTEIP ending with a dot;
   *   6. shorter and shorter suffixes of $TCPREMOTEHOST starting with
          a dot, preceded by =, if $TCPREMOTEHOST is set;
   *   7. =, if $TCPREMOTEHOST is set; and finally
       8. the empty string.
    
    tcpserver uses the first rule it finds. You should use the -p
    option to tcpserver if you rely on $TCPREMOTEHOST here.

We use

    =.domain.com:allow,RELAYCLIENT=""
    =domain.com:allow,RELAYCLIENT=""

to allow anything ending with "domain.com" to relay, and also allow
the machine named "domain.com" itself to relay.

> I've never used this feature either, but the original poster should
> beware that allowing relaying based on hostname is insecure; the
> sender does (or can) have control over their reverse DNS resolution,
> and can therefore make their IP address resolve to a hostname in
> your domain, and proceed to spam the internet silly through your
> system.  You then get added to ORBS, RBL, RSS, etc.

Use the "-p" option to prevent this.  It checks the reverse DNS to get
a hostname, then looks up the hostname to make sure that one of the
addresses is the original address.  It takes care of the issue above.

From http://cr.yp.to/ucspi-tcp/tcpserver.html:

    * -p: Paranoid. After looking up the remote host name in DNS, look
       up the IP addresses in DNS for that host name, and remove the
       environment variable $TCPREMOTEHOST if none of the addresses
       match the client's IP address.

    * -P: (Default.) Not paranoid.

------ScottG.
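As an added illustration (not ucspi-tcp's own code, and not part of the thread), the following reproduces the rule lookup order quoted above from tcprules.html and the -p forward-confirmation check, over constructed in-memory rule and DNS tables. The rule set, the PTR/A data and the addresses 10.1.2.3, 192.0.2.9 and 198.51.100.7 are assumptions chosen to show one genuine domain.com host and one outside host whose reverse DNS merely claims domain.com.

```python
# Added example (not ucspi-tcp's own code): tcpserver's rule lookup order
# from tcprules.html plus the -p check, over constructed in-memory tables.
# Constructed rules in tcprules syntax: address -> instruction.
RULES = {
    "=.domain.com": 'allow,RELAYCLIENT=""',
    "=domain.com": 'allow,RELAYCLIENT=""',
    "": "allow",
}
# Constructed DNS: PTR (ip -> name) and forward A (name -> ips). The PTR for
# 192.0.2.9 claims domain.com, but domain.com's own zone does not point back.
PTR = {"10.1.2.3": "mail.domain.com", "192.0.2.9": "host.domain.com"}
A = {"mail.domain.com": ["10.1.2.3"], "host.domain.com": ["198.51.100.7"]}

def remote_host(ip, paranoid):
    """$TCPREMOTEHOST from the PTR; with -p it is dropped unless the
    name's forward lookup contains the client's address."""
    host = PTR.get(ip)
    if host is not None and paranoid and ip not in A.get(host, []):
        return None
    return host

def candidates(ip, host, info=None):
    """Lookup keys in the order tcpserver tries them (rules 1 to 8)."""
    keys = []
    if info is not None:
        keys.append(f"{info}@{ip}")
        if host is not None:
            keys.append(f"{info}@={host}")
    keys.append(ip)
    if host is not None:
        keys.append("=" + host)
    octets = ip.split(".")
    for n in range(len(octets) - 1, 0, -1):       # 10.1.2. 10.1. 10.
        keys.append(".".join(octets[:n]) + ".")
    if host is not None:
        labels = host.split(".")
        for n in range(1, len(labels)):            # =.domain.com =.com
            keys.append("=." + ".".join(labels[n:]))
        keys.append("=")
    keys.append("")
    return keys

def lookup(ip, paranoid=False, info=None, rules=RULES):
    """First matching (address, instruction), like tcpserver's cdb lookup."""
    host = remote_host(ip, paranoid)
    for key in candidates(ip, host, info):
        if key in rules:
            return key, rules[key]
    return None, None
```

Without -p, 192.0.2.9 matches `=.domain.com` purely on its self-asserted PTR and gets RELAYCLIENT; with -p the forward lookup fails, $TCPREMOTEHOST is dropped, and only the catch-all empty rule applies.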
