[Pkg-exim4-users] Use of primary_hostname with visiblename
ross at biostat.ucsf.edu
Thu Oct 19 04:22:15 UTC 2006
On Wed, Oct 18, 2006 at 06:22:00PM +0200, Marc Haber wrote:
> On Wed, Oct 18, 2006 at 11:16:27AM -0400, Bill Horne wrote:
> > Marc Haber wrote:
> > >Hi,
> > >
> > >On Wed, Oct 18, 2006 at 09:01:10AM -0400, Bill Horne wrote:
> > >
> > >>Because I have been trading emails with a system that demands perfect
> > >>forward/backward lookups on HELO info, I've changed the primary_hostname
> > >>of my Exim4 installation.
> > >>
> > >>I have Linux setup as billhorne.homelinux.org, but because that name
> > >>doesn't match the MX record assigned to my IP address, another MTA is
> > >>refusing to accept my mail. Ergo, I have forced Exim to use the A record
> > >>assigned by my ISP.
> > >>
> > >
> > >A host checking that a message coming in from the MX host of the
> > >domain is fundamentally broken.
I can't parse that last sentence. Is the meaning
A host checking that a message coming in from A DOMAIN IS FROM
the MX host of the domain is fundamentally broken.
? Then the issue is that outgoing mail need not come from machines
marked as MX hosts (which are for incoming mail). In that case I
understand. I also don't think I'm doing any such tests myself.
> > >That host is going to miss a _lot_ of
> > >mail.
> > >
> > Sorry, I made a mistake: the MTA in question is checking the PTR record,
> > not the MX record. As I understand it, most MTA's check only for the
> > _existence_ of a PTR record, not whether it matches the A record, but
> > this one is rejecting emails if the A record doesn't match the PTR.
> That's still fundamentally broken.
I'm not sure what the fundamentally broken thing is, but I have a
feeling I'm doing it. My guess about what this means appears below.
> Your MX points to an IP address,
> and that IP address has a PTR record and the A record to that PTR
> record's contents points back to the IP address.
> That's perfectly fine. My setup is the same:
> [1/500]mh at scyw00225:~$ host -t mx zugschlus.de
> zugschlus.de mail is handled by 30 mailgate2.zugschlus.de.
> zugschlus.de mail is handled by 10 mailgate.zugschlus.de.
> zugschlus.de mail is handled by 20 q.bofh.de.
> [2/501]mh at scyw00225:~$ host mailgate.zugschlus.de.
> mailgate.zugschlus.de has address 126.96.36.199
> [3/502]mh at scyw00225:~$ host 188.8.131.52
> 184.108.40.206.in-addr.arpa domain name pointer torres.zugschlus.de.
> [4/503]mh at scyw00225:~$ host torres.zugschlus.de.
> torres.zugschlus.de has address 220.127.116.11
> [5/504]mh at scyw00225:~$
So the issue I see here is that if you send mail from
mailgate.zugschlus.de, the reverse IP lookup finds a different name
(torres.zugschlus.de), so remote servers checking for agreement will
reject the message. I think that's the behavior that is described as
In an effort to fight spam, I reject messages when
verify = helo
fails, which I believe would happen in the previous scenario.
I realize this is fairly draconian, but the previous discussion is
making me wonder if it's totally out of line. Relatively little mail
goes directly to my system anyway (in fact, a relatively good rule is
that, if I'm receiving it directly, it's spam).
> > >In your case, I'd use your ISP's smarthost since a lot of hosts don't
> > >accept messages delivered directly from residential DSL connections.
> > >
> > My IP is in a fixed block, and is not marked portable, i.e., it does NOT
> > show in any of the RBL's as a "dynamic" IP. I won't use the smarthost,
> > because Speakeasy has asked its users not to point MTAs at their
> > smarthost.
> Is there a single DSL provider in the US with even a remote clue?
I use Raw Bandwidth, and they have expressed no concern about using
their smarthost. I do have a static IP. Among other defects of
sending direct from my machine is that mentioned at the start of this
thread: the name (actually names) that I think are the names of my
machine are not what a reverse lookup on my IP address will return.
Like the original poster, the reverse lookup gets a cyptic name made
up by my ISP. In other words, a server setup exactly like mine would
reject email from me (if sent directly from my system)!
> > Given that I have a fixed IP and a PTR record, I had thought I was in
> > compliance with the generally-accepted practice, but I'll take this
> > opportunity to ask if "A" and "PTR" records are supposed to match
> > even though the domain name in my HELO pointed to the IP I was using.
> I think that the PTR record should have a matching A record, but in
> generall I wouldn't require that the host name pointed to by the MX
> record matches the PTR record.
As a mail receiver, I think I pass this test.
As a sender, I pass it too (as long as the MX test is left out).
> > This is, of course, a very common setup: I use dyndns.org to provide me
> > free DNS service, and my proprietary domain names (e.g., billhorne.com)
> > are forwarded to the billhorne.homelinux.org domain provided by dyndns.org.
> Agreed. I think that your remote side is fundamentally broken. They
> would reject mail from me as well.
More information about the Pkg-exim4-users