[Pkg-exim4-users] Use of primary_hostname with visiblename

Ross Boylan ross at biostat.ucsf.edu
Thu Oct 19 04:22:15 UTC 2006


On Wed, Oct 18, 2006 at 06:22:00PM +0200, Marc Haber wrote:
> On Wed, Oct 18, 2006 at 11:16:27AM -0400, Bill Horne wrote:
> > Marc Haber wrote:
> > >Hi,
> > >
> > >On Wed, Oct 18, 2006 at 09:01:10AM -0400, Bill Horne wrote:
> > >  
> > >>Because I have been trading emails with a system that demands perfect
> > >>forward/backward lookups on HELO info, I've changed the primary_hostname
> > >>of my Exim4 installation. 
> > >>
> > >>I have Linux setup as billhorne.homelinux.org, but because that name
> > >>doesn't match the MX record assigned to my IP address, another MTA is
> > >>refusing to accept my mail. Ergo, I have forced Exim to use the A record
> > >>assigned by my ISP.
> > >>    
> > >
> > >A host checking that a message coming in from the MX host of the
> > >domain is fundamentally broken. 
I can't parse that last sentence.  Is the meaning
  A host checking that a message coming in from A DOMAIN IS FROM
  the MX host of the domain is fundamentally broken.
?  Then the issue is that outgoing mail need not come from machines
marked as MX hosts (which are for incoming mail).  In that case I
understand.  I also don't think I'm doing any such tests myself.

> > >That host is going to miss a _lot_ of
> > >mail.
> > >  
> > 
> > Sorry, I made a mistake: the MTA in question is checking the PTR record, 
> > not the MX record. As I understand it, most MTA's check only for the 
> > _existence_ of a PTR record, not whether it matches the A record, but 
> > this one is rejecting emails if the A record doesn't match the PTR.
> 
> That's still fundamentally broken. 

I'm not sure what the fundamentally broken thing is, but I have a
feeling I'm doing it.  My guess about what this means appears below.

> Your MX points to an IP address,
> and that IP address has a PTR record and the A record to that PTR
> record's contents points back to the IP address.

> 
> That's perfectly fine. My setup is the same:
> 
> [1/500]mh at scyw00225:~$ host -t mx zugschlus.de
> zugschlus.de mail is handled by 30 mailgate2.zugschlus.de.
> zugschlus.de mail is handled by 10 mailgate.zugschlus.de.
> zugschlus.de mail is handled by 20 q.bofh.de.
> [2/501]mh at scyw00225:~$ host mailgate.zugschlus.de.
> mailgate.zugschlus.de has address 85.10.211.154
> [3/502]mh at scyw00225:~$ host 85.10.211.154
> 154.211.10.85.in-addr.arpa domain name pointer torres.zugschlus.de.
> [4/503]mh at scyw00225:~$ host torres.zugschlus.de.
> torres.zugschlus.de has address 85.10.211.154
> [5/504]mh at scyw00225:~$

So the issue I see here is that if you send mail from
mailgate.zugschlus.de, the reverse IP lookup finds a different name
(torres.zugschlus.de), so remote servers checking for agreement will
reject the message.  I think that's the behavior that is described as
"fundamentally broken."

In an effort to fight spam, I reject messages when 
  verify = helo
fails, which I believe would happen in the previous scenario.

I realize this is fairly draconian, but the previous discussion is
making me wonder if it's totally out of line.  Relatively little mail
goes directly to my system anyway (in fact, a relatively good rule is
that, if I'm receiving it directly, it's spam).

> 
> > >In your case, I'd use your ISP's smarthost since a lot of hosts don't
> > >accept messages delivered directly from residential DSL connections.
> > >  
> > My IP is in a fixed block, and is not marked portable, i.e., it does NOT 
> > show in any of the RBL's as a "dynamic" IP. I won't use the smarthost, 
> > because Speakeasy has asked its users not to point MTAs at their 
> > smarthost.
> 
> Is there a single DSL provider in the US with even a remote clue?

I use Raw Bandwidth, and they have expressed no concern about using
their smarthost.  I do have a static IP.  Among other defects of
sending direct from my machine is that mentioned at the start of this
thread: the name (actually names) that I think are the names of my
machine are not what a reverse lookup on my IP address will return.
Like the original poster, the reverse lookup gets a cryptic name made
up by my ISP.  In other words, a server setup exactly like mine would
reject email from me (if sent directly from my system)!

> 
> >  Given that I have a fixed IP and a PTR record, I had thought I was in
> >  compliance with the generally-accepted practice, but I'll take this
> >  opportunity to ask if "A" and "PTR" records are supposed to match 
> >  even though the domain name in my HELO pointed to the IP I was using.
> 
> I think that the PTR record should have a matching A record, but in
> generally I wouldn't require that the host name pointed to by the MX
> record matches the PTR record.
> 
As a mail receiver, I think I pass this test.
As a sender, I pass it too (as long as the MX test is left out).

> > This is, of course, a very common setup: I use dyndns.org to provide me 
> > free DNS service, and my proprietary domain names (e.g., billhorne.com) 
> > are forwarded to the billhorne.homelinux.org domain provided by dyndns.org.
> 
> Agreed. I think that your remote side is fundamentally broken. They
> would reject mail from me as well.
> 
> Greetings
> Marc
> 
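
The checks discussed in this thread, side by side, as an added example that is not part of the original message or of Exim's code. The zugschlus.de records are copied from the `host` output quoted above; the `*.example` names, the documentation-range addresses and all function names are constructed for illustration. `helo_lenient` follows the order Exim's documentation gives for HELO verification (PTR name match first, then a forward lookup of the HELO name); that mapping is this example's assumption, not something the thread states.

```python
# Constructed offline DNS table. zugschlus.de entries come from the `host`
# output quoted in the thread (only the MX whose address is shown there);
# the *.example entries and 192.0.2.x / 198.51.100.x addresses are made up.
A = {
    "mailgate.zugschlus.de": {"85.10.211.154"},
    "torres.zugschlus.de": {"85.10.211.154"},
    "h10.pool.isp.example": {"192.0.2.10"},   # ISP-assigned name
    "box.home.example": {"192.0.2.10"},       # name the owner uses in HELO
    "mx.relay.example": {"198.51.100.5"},
}
PTR = {"85.10.211.154": ["torres.zugschlus.de."],
       "192.0.2.10": ["h10.pool.isp.example."]}
MX = {"zugschlus.de": ["mailgate.zugschlus.de."],
      "home.example": ["mx.relay.example."]}

def norm(name):
    """DNS names compare case-insensitively, ignoring the trailing dot."""
    return name.rstrip(".").lower()

def fcrdns(ip):
    """Forward-confirmed reverse DNS: a PTR name has an A record back to ip."""
    return any(ip in A.get(norm(n), set()) for n in PTR.get(ip, []))

def helo_equals_ptr(ip, helo):
    """Strict policy: the HELO name must be the PTR name itself."""
    return norm(helo) in {norm(n) for n in PTR.get(ip, [])}

def helo_lenient(ip, helo):
    """Accept on a PTR match, or when the HELO name resolves to the client."""
    return helo_equals_ptr(ip, helo) or ip in A.get(norm(helo), set())

def client_is_mx(ip, sender_domain):
    """Requires the sending host to be an MX of the sender's domain."""
    mxs = MX.get(norm(sender_domain), [])
    return any(ip in A.get(norm(mx), set()) for mx in mxs)

def evaluate(ip, helo, sender_domain):
    return {
        "ptr_exists": bool(PTR.get(ip)),
        "fcrdns": fcrdns(ip),
        "helo_equals_ptr": helo_equals_ptr(ip, helo),
        "helo_lenient": helo_lenient(ip, helo),
        "client_is_mx": client_is_mx(ip, sender_domain),
    }

if __name__ == "__main__":
    print(evaluate("85.10.211.154", "mailgate.zugschlus.de", "zugschlus.de"))
    print(evaluate("192.0.2.10", "box.home.example", "home.example"))
```

Both sample senders pass the PTR and forward-confirmation checks and fail only the strict HELO-equals-PTR policy; the constructed home host additionally fails the MX requirement because its domain's MX is a different machine.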


