Thanks for reading this: it's a noob question, but I didn't find an answer in the FAQ.

I have an Exim4 server running SpamAssassin, which I'm using to screen spam from a legacy MS Exchange server that my customer isn't willing to get rid of. Since putting exim/spamassassin online, they're very pleased with the reduced spam, but they're reluctant to tell some of their senders to fix their DNS records. So, I'm looking for a workaround.

I currently have CHECK_RCPT_REVERS_DNS enabled, and one of the senders is failing this test. I placed the sender domain into CONFDIR/local_host_whitelist, but I'm wondering if there's a more universal method of solving the issue.

Here's the problem:

1. Sender is not in a dynamic address pool, but doesn't have a PTR record assigned.
2. Sender has an "A" record from a secondary DNS service, which points to the address in question.
3. I'd like to accept emails which have an "A" record that points to the IP address the email is sent from.

Please tell me if this is a good idea, and how to do it if so. All suggestions welcome.

Bill

--
E. William Horne
William Warren Consulting
Computer and Network Installation & Service
http://www.billhorne.com/
Voice: 781 784-7287
Fax: 781 784-0951
On 2006-05-27 Bill Horne <bill@horne.net> wrote:
[...]
> Here's the problem:
> 1. Sender is not in a dynamic address pool, but doesn't have a PTR
> record assigned.
> 2. Sender has an "A" record from a secondary DNS service, which points
> to the address in question.
> 3. I'd like to accept emails which have an "A" record that points to the
> IP address the email is sent from.
[...]

To make sure I understand you correctly: Given an IP address you need to check whether an A record for this IP exists?

Afaik that is impossible without reverse DNS, because this is exactly the service reverse DNS provides.

cu andreas

--
The 'Galactic Cleaning' policy undertaken by Emperor Zhark is a personal vision of the emperor's, and its inclusion in this work does not constitute tacit approval by the author or the publisher for any such projects, howsoever undertaken. (c) Jasper Fforde
On 2006-05-29 Bill Horne <bill@horne.net> wrote:
> Andreas Metzler wrote:
> > On 2006-05-27 Bill Horne <bill@horne.net> wrote:
[...]
> > To make sure I understand you correctly: Given an IP address you need to
> > check whether an A record for this IP exists?
> >
> > Afaik that is impossible without reverse DNS, because this is exactly
> > the service reverse DNS provides.
[...]
> Given a domain name (received from a HELO)

The part about comparing HELO/EHLO and IP address was missing.

> and an IP address, I need to
> know if Exim4 can do a *FORWARD* lookup and compare the IP address (if
> any) shown for the domain name against the actual IP address the email
> is being sent from.
[...]

You could use a dnsdb-lookup to get the A records for $sender_helo_name and compare whether $sender_host_address matches any of these.

/usr/sbin/exim4 -be '${if match_ip{131.130.1.35}{${lookup dnsdb{>:a=mx.univie.ac.at}{$value}fail}}{yes}fail}'

(If the mail server is IPv6 connected this would get more complicated.)

Just an idea, hth,
cu andreas
* Bill Horne:

> 1. Sender is not in a dynamic address pool, but doesn't have a PTR
> record assigned.
> 2. Sender has an "A" record from a secondary DNS service, which points
> to the address in question.
> 3. I'd like to accept emails which have an "A" record that points to
> the IP address the email is sent from.
>
> Please tell me if this is a good idea, and how to do it if so. All
> suggestions welcome.

I use HELO verification for a similar purpose. With the correct HELO argument, a client can provide a better host name than is available from DNS (automatically generated PTR record, or nothing at all).

As Andreas wrote, a true reverse lookup (from IP addresses to A records) is not possible using standard DNS, but partial solutions exist.
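The forward-confirmed HELO check that Andreas' dnsdb expansion and Florian's HELO verification both describe, as an added stand-alone example (not from the thread and not Exim's own code): resolve the HELO name to its A/AAAA records and accept only if one of them equals the connecting address. It also covers the IPv6 complication Andreas mentions (spelling variants and IPv4-mapped addresses on a dual-stack listener). The stub zone and the resolver-injection parameter are constructed for offline use; in production the default OS resolver is used.

```python
import ipaddress
import socket
from typing import Callable, Iterable

def system_resolver(name: str) -> list[str]:
    """All A and AAAA addresses for name via the OS resolver ([] if none)."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def _canonical(addr: str):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so a
    dual-stack listener still matches a plain A record. None if malformed."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        return ip.ipv4_mapped
    return ip

def helo_forward_confirmed(helo_name: str, client_ip: str,
                           resolve: Callable[[str], Iterable[str]] = system_resolver) -> bool:
    """True iff some A/AAAA record of helo_name equals the connecting address.
    This is the forward-only check the thread asks for: no PTR record needed."""
    client = _canonical(client_ip)
    if client is None or not helo_name or helo_name.startswith("["):
        return False  # malformed IP, empty HELO, or address literal: nothing to confirm
    return any(_canonical(a) == client for a in resolve(helo_name))

# Constructed stub zone (hypothetical names) so the check can run offline.
STUB_ZONE = {
    "mail.example.net": ["192.0.2.25"],                  # A record matches the sender
    "mx.example.org": ["2001:db8::25", "198.51.100.9"],  # dual-stack host
    "noaddr.example.com": [],                            # name exists, no address records
}

def stub_resolver(name: str) -> list[str]:
    return STUB_ZONE.get(name.lower().rstrip("."), [])

if __name__ == "__main__":
    for helo, ip in [("mail.example.net", "192.0.2.25"),
                     ("mail.example.net", "203.0.113.7"),
                     ("mx.example.org", "::ffff:198.51.100.9"),
                     ("noaddr.example.com", "192.0.2.25")]:
        print(helo, ip, helo_forward_confirmed(helo, ip, stub_resolver))
```

Like Andreas' expansion, this only confirms that the HELO name points at the client; it says nothing about whether the domain is trustworthy, so it belongs beside, not instead of, the other ACL checks.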