Bill Horne
2006-Oct-18 13:01 UTC
[Pkg-exim4-users] Use of primary_hostname with visiblename
Because I have been trading emails with a system that demands perfect forward/backward lookups on HELO info, I've changed the primary_hostname of my Exim4 installation.

I have Linux setup as billhorne.homelinux.org, but because that name doesn't match the MX record assigned to my IP address, another MTA is refusing to accept my mail. Ergo, I have forced Exim to use the A record assigned by my ISP.

Since I want those I write to see "billhorne.homelinux.org" in my email address, and not "dsl092-086-246.bos1.dsl.speakeasy.nyet" I also set the "visiblename" option in update-exim4.conf.conf so that my "from" domain would remain billhorne.homelinux.org, ran the update-exim4.conf and restarted the MTA, but the change had no effect.

However, when I put in /etc/mailname and put billhorne.homelinux.org into that file, the "From" addresses came out correctly.

Please tell me why visiblename isn't being set from the update-exim4.conf.conf file.

TIA.

Debian Sarge, Exim 4.50

Bill Horne
Marc Haber
2006-Oct-18 13:41 UTC
[Pkg-exim4-users] Use of primary_hostname with visiblename
Hi,

On Wed, Oct 18, 2006 at 09:01:10AM -0400, Bill Horne wrote:
> Because I have been trading emails with a system that demands perfect
> forward/backward lookups on HELO info, I've changed the primary_hostname
> of my Exim4 installation.
>
> I have Linux setup as billhorne.homelinux.org, but because that name
> doesn't match the MX record assigned to my IP address, another MTA is
> refusing to accept my mail. Ergo, I have forced Exim to use the A record
> assigned by my ISP.

A host checking that a message coming in from the MX host of the
domain is fundamentally broken. That host is going to miss a _lot_ of
mail.

> Since I want those I write to see "billhorne.homelinux.org" in my email
> address, and not "dsl092-086-246.bos1.dsl.speakeasy.nyet" I also set the
> "visiblename" option in update-exim4.conf.conf so that my "from" domain
> would remain billhorne.homelinux.org, ran the update-exim4.conf and
> restarted the MTA, but the change had no effect.

The visible name is only used if exim is configured to hide the mail
name.

In your case, I'd use your ISP's smarthost since a lot of hosts don't
accept messages delivered directly from residential DSL connections.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
Bill Horne
2006-Oct-18 15:17 UTC
[Pkg-exim4-users] Use of primary_hostname with visiblename
Marc Haber wrote:
> Hi,
>
> On Wed, Oct 18, 2006 at 09:01:10AM -0400, Bill Horne wrote:
>
>> Because I have been trading emails with a system that demands perfect
>> forward/backward lookups on HELO info, I've changed the primary_hostname
>> of my Exim4 installation.
>>
>> I have Linux setup as billhorne.homelinux.org, but because that name
>> doesn't match the MX record assigned to my IP address, another MTA is
>> refusing to accept my mail. Ergo, I have forced Exim to use the A record
>> assigned by my ISP.
>
> A host checking that a message coming in from the MX host of the
> domain is fundamentally broken. That host is going to miss a _lot_ of
> mail.

Sorry, I made a mistake: the MTA in question is checking the PTR record, not the MX record. As I understand it, most MTA's check only for the _existence_ of a PTR record, not whether it matches the A record, but this one is rejecting emails if the A record doesn't match the PTR.

>> Since I want those I write to see "billhorne.homelinux.org" in my email
>> address, and not "dsl092-086-246.bos1.dsl.speakeasy.nyet" I also set the
>> "visiblename" option in update-exim4.conf.conf so that my "from" domain
>> would remain billhorne.homelinux.org, ran the update-exim4.conf and
>> restarted the MTA, but the change had no effect.
>
> The visible name is only used if exim is configured to hide the mail
> name.

That's good to know, thanks. I'll leave it as-is, since I'm getting the result I wanted.

> In your case, I'd use your ISP's smarthost since a lot of hosts don't
> accept messages delivered directly from residential DSL connections.

My IP is in a fixed block, and is not marked portable, i.e., it does NOT show in any of the RBL's as a "dynamic" IP. I won't use the smarthost, because Speakeasy has asked its users not to point MTAs at their smarthost.

Given that I have a fixed IP and a PTR record, I had thought I was in compliance with the generally-accepted practice, but I'll take this opportunity to ask if "A" and "PTR" records are supposed to match even though the domain name in my HELO pointed to the IP I was using.

This is, of course, a very common setup: I use dyndns.org to provide me free DNS service, and my proprietary domain names (e.g., billhorne.com) are forwarded to the billhorne.homelinux.org domain provided by dyndns.org.

Bill Horne

--
"Only mediocrities are at their best all the time"
Marc Haber
2006-Oct-18 16:22 UTC
[Pkg-exim4-users] Use of primary_hostname with visiblename
On Wed, Oct 18, 2006 at 11:16:27AM -0400, Bill Horne wrote:
> Marc Haber wrote:
> >Hi,
> >
> >On Wed, Oct 18, 2006 at 09:01:10AM -0400, Bill Horne wrote:
> >
> >>Because I have been trading emails with a system that demands perfect
> >>forward/backward lookups on HELO info, I've changed the primary_hostname
> >>of my Exim4 installation.
> >>
> >>I have Linux setup as billhorne.homelinux.org, but because that name
> >>doesn't match the MX record assigned to my IP address, another MTA is
> >>refusing to accept my mail. Ergo, I have forced Exim to use the A record
> >>assigned by my ISP.
> >
> >A host checking that a message coming in from the MX host of the
> >domain is fundamentally broken. That host is going to miss a _lot_ of
> >mail.
>
> Sorry, I made a mistake: the MTA in question is checking the PTR record,
> not the MX record. As I understand it, most MTA's check only for the
> _existence_ of a PTR record, not whether it matches the A record, but
> this one is rejecting emails if the A record doesn't match the PTR.

That's still fundamentally broken. Your MX points to an IP address,
and that IP address has a PTR record and the A record to that PTR
record's contents points back to the IP address.

That's perfectly fine. My setup is the same:

[1/500]mh@scyw00225:~$ host -t mx zugschlus.de
zugschlus.de mail is handled by 30 mailgate2.zugschlus.de.
zugschlus.de mail is handled by 10 mailgate.zugschlus.de.
zugschlus.de mail is handled by 20 q.bofh.de.
[2/501]mh@scyw00225:~$ host mailgate.zugschlus.de.
mailgate.zugschlus.de has address 85.10.211.154
[3/502]mh@scyw00225:~$ host 85.10.211.154
154.211.10.85.in-addr.arpa domain name pointer torres.zugschlus.de.
[4/503]mh@scyw00225:~$ host torres.zugschlus.de.
torres.zugschlus.de has address 85.10.211.154
[5/504]mh@scyw00225:~$

> >In your case, I'd use your ISP's smarthost since a lot of hosts don't
> >accept messages delivered directly from residential DSL connections.
>
> My IP is in a fixed block, and is not marked portable, i.e., it does NOT
> show in any of the RBL's as a "dynamic" IP. I won't use the smarthost,
> because Speakeasy has asked its users not to point MTAs at their
> smarthost.

Is there a single DSL provider in the US with even a remote clue?

> Given that I have a fixed IP and a PTR record, I had thought I was in
> compliance with the generally-accepted practice, but I'll take this
> opportunity to ask if "A" and "PTR" records are supposed to match
> even though the domain name in my HELO pointed to the IP I was using.

I think that the PTR record should have a matching A record, but in
general I wouldn't require that the host name pointed to by the MX
record matches the PTR record.

> This is, of course, a very common setup: I use dyndns.org to provide me
> free DNS service, and my proprietary domain names (e.g., billhorne.com)
> are forwarded to the billhorne.homelinux.org domain provided by dyndns.org.

Agreed. I think that your remote side is fundamentally broken. They
would reject mail from me as well.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
Ross Boylan
2006-Oct-19 07:17 UTC
[Pkg-exim4-users] Use of primary_hostname with visiblename
On Wed, Oct 18, 2006 at 06:22:00PM +0200, Marc Haber wrote:
> On Wed, Oct 18, 2006 at 11:16:27AM -0400, Bill Horne wrote:
> > Marc Haber wrote:
> > >Hi,
> > >
> > >On Wed, Oct 18, 2006 at 09:01:10AM -0400, Bill Horne wrote:
> > >
> > >>Because I have been trading emails with a system that demands perfect
> > >>forward/backward lookups on HELO info, I've changed the primary_hostname
> > >>of my Exim4 installation.
> > >>
> > >>I have Linux setup as billhorne.homelinux.org, but because that name
> > >>doesn't match the MX record assigned to my IP address, another MTA is
> > >>refusing to accept my mail. Ergo, I have forced Exim to use the A record
> > >>assigned by my ISP.
> > >
> > >A host checking that a message coming in from the MX host of the
> > >domain is fundamentally broken.

I can't parse that last sentence. Is the meaning
   A host checking that a message coming in from A DOMAIN IS FROM
   the MX host of the domain is fundamentally broken.
? Then the issue is that outgoing mail need not come from machines
marked as MX hosts (which are for incoming mail).

In that case I understand. I also don't think I'm doing any such tests myself.

> > >That host is going to miss a _lot_ of
> > >mail.
> >
> > Sorry, I made a mistake: the MTA in question is checking the PTR record,
> > not the MX record. As I understand it, most MTA's check only for the
> > _existence_ of a PTR record, not whether it matches the A record, but
> > this one is rejecting emails if the A record doesn't match the PTR.
>
> That's still fundamentally broken.

I'm not sure what the fundamentally broken thing is, but I have a
feeling I'm doing it. My guess about what this means appears below.

> Your MX points to an IP address,
> and that IP address has a PTR record and the A record to that PTR
> record's contents points back to the IP address.
>
> That's perfectly fine. My setup is the same:
>
> [1/500]mh@scyw00225:~$ host -t mx zugschlus.de
> zugschlus.de mail is handled by 30 mailgate2.zugschlus.de.
> zugschlus.de mail is handled by 10 mailgate.zugschlus.de.
> zugschlus.de mail is handled by 20 q.bofh.de.
> [2/501]mh@scyw00225:~$ host mailgate.zugschlus.de.
> mailgate.zugschlus.de has address 85.10.211.154
> [3/502]mh@scyw00225:~$ host 85.10.211.154
> 154.211.10.85.in-addr.arpa domain name pointer torres.zugschlus.de.
> [4/503]mh@scyw00225:~$ host torres.zugschlus.de.
> torres.zugschlus.de has address 85.10.211.154
> [5/504]mh@scyw00225:~$

So the issue I see here is that if you send mail from
mailgate.zugschlus.de, the reverse IP lookup finds a different name
(torres.zugschlus.de), so remote servers checking for agreement will
reject the message. I think that's the behavior that is described as
"fundamentally broken."

In an effort to fight spam, I reject messages when
   verify = helo
fails, which I believe would happen in the previous scenario.

I realize this is fairly draconian, but the previous discussion is
making me wonder if it's totally out of line.

Relatively little mail goes directly to my system anyway (in fact, a relatively good rule is that, if I'm receiving it directly, it's spam).

> > >In your case, I'd use your ISP's smarthost since a lot of hosts don't
> > >accept messages delivered directly from residential DSL connections.
> >
> > My IP is in a fixed block, and is not marked portable, i.e., it does NOT
> > show in any of the RBL's as a "dynamic" IP. I won't use the smarthost,
> > because Speakeasy has asked its users not to point MTAs at their
> > smarthost.
>
> Is there a single DSL provider in the US with even a remote clue?

I use Raw Bandwidth, and they have expressed no concern about using their smarthost. I do have a static IP.

Among other defects of sending direct from my machine is that mentioned at the start of this thread: the name (actually names) that I think are the names of my machine are not what a reverse lookup on my IP address will return.

Like the original poster, the reverse lookup gets a cryptic name made
up by my ISP. In other words, a server setup exactly like mine would
reject email from me (if sent directly from my system)!

> > Given that I have a fixed IP and a PTR record, I had thought I was in
> > compliance with the generally-accepted practice, but I'll take this
> > opportunity to ask if "A" and "PTR" records are supposed to match
> > even though the domain name in my HELO pointed to the IP I was using.
>
> I think that the PTR record should have a matching A record, but in
> general I wouldn't require that the host name pointed to by the MX
> record matches the PTR record.

As a mail receiver, I think I pass this test. As a sender, I pass it too (as long as the MX test is left out).

> > This is, of course, a very common setup: I use dyndns.org to provide me
> > free DNS service, and my proprietary domain names (e.g., billhorne.com)
> > are forwarded to the billhorne.homelinux.org domain provided by dyndns.org.
>
> Agreed. I think that your remote side is fundamentally broken. They
> would reject mail from me as well.
>
> Greetings
> Marc
Magnus Holmgren
2006-Oct-19 07:50 UTC
[Pkg-exim4-users] Use of primary_hostname with visiblename
On Thursday 19 October 2006 06:22, Ross Boylan took the opportunity to say:
> In an effort to fight spam, I reject messages when
>    verify = helo
> fails, which I believe would happen in the previous scenario.

No, verify = helo checks that the HELO name resolves to the remote IP address *or* the IP address reverse-resolves to the HELO name (or if the HELO name is an IP literal, that it matches the remote address). So verify = helo is sane. (Unfortunately some big players, like Hotmail, use HELO names that fail this test.)

--
Magnus Holmgren        holmgren@lysator.liu.se
                       (No Cc of list mail needed, thanks)
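The difference between the lenient check described in the message above and the strict HELO/PTR match discussed earlier in the thread, as an added example (not code from the thread or from Exim). The DNS table is constructed: the zugschlus.de records are the ones shown in the thread's `host` output, `192.0.2.10` is a documentation address standing in for the DSL line, and `strict_ptr_match` is an assumed model of the rejecting MTA's policy.

```python
import ipaddress

# Constructed DNS data. The zugschlus.de records are those in the thread's
# `host` output; 192.0.2.10 is a documentation address standing in for the
# DSL line, whose real IP is not given in the thread.
A_RECORDS = {
    "mailgate.zugschlus.de": {"85.10.211.154"},
    "torres.zugschlus.de": {"85.10.211.154"},
    "billhorne.homelinux.org": {"192.0.2.10"},
    "dsl092-086-246.bos1.dsl.speakeasy.nyet": {"192.0.2.10"},
}
PTR_RECORDS = {
    "85.10.211.154": {"torres.zugschlus.de"},
    "192.0.2.10": {"dsl092-086-246.bos1.dsl.speakeasy.nyet"},
}

def _norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def forward(name):
    return A_RECORDS.get(_norm(name), set())

def reverse(ip):
    return {_norm(n) for n in PTR_RECORDS.get(ip, set())}

def helo_verifies(helo, client_ip):
    """Lenient check as described for `verify = helo`: either direction may match."""
    if helo.startswith("[") and helo.endswith("]"):
        literal = helo[1:-1]
        if literal.lower().startswith("ipv6:"):
            literal = literal[5:]
        try:
            return ipaddress.ip_address(literal) == ipaddress.ip_address(client_ip)
        except ValueError:
            return False  # a malformed literal never verifies
    return client_ip in forward(helo) or _norm(helo) in reverse(client_ip)

def strict_ptr_match(helo, client_ip):
    """Strict policy (assumed model of the rejecting MTA): PTR name must equal HELO."""
    return _norm(helo) in reverse(client_ip)

def fcrdns(client_ip):
    """Forward-confirmed reverse DNS: a PTR name whose A record points back."""
    return any(client_ip in forward(name) for name in reverse(client_ip))

def evaluate(helo, client_ip):
    return {
        "verify_helo": helo_verifies(helo, client_ip),
        "strict_ptr_match": strict_ptr_match(helo, client_ip),
        "fcrdns": fcrdns(client_ip),
    }

if __name__ == "__main__":
    for helo, ip in [("mailgate.zugschlus.de", "85.10.211.154"),
                     ("billhorne.homelinux.org", "192.0.2.10"),
                     ("friend", "192.0.2.10")]:
        print(helo, ip, evaluate(helo, ip))
```

Both the mailgate/torres setup and the dyndns name pass the lenient check and forward-confirmed reverse DNS while failing the strict match; a HELO such as `friend` fails the lenient check because it matches in neither direction.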
Marc Haber
2006-Dec-03 23:16 UTC
[Pkg-exim4-users] Use of primary_hostname with visiblename
On Wed, Oct 18, 2006 at 09:22:15PM -0700, Ross Boylan wrote:
> On Wed, Oct 18, 2006 at 06:22:00PM +0200, Marc Haber wrote:
> > On Wed, Oct 18, 2006 at 11:16:27AM -0400, Bill Horne wrote:
> > > Marc Haber wrote:
> > > >Hi,
> > > >
> > > >On Wed, Oct 18, 2006 at 09:01:10AM -0400, Bill Horne wrote:
> > > >
> > > >>Because I have been trading emails with a system that demands perfect
> > > >>forward/backward lookups on HELO info, I've changed the primary_hostname
> > > >>of my Exim4 installation.
> > > >>
> > > >>I have Linux setup as billhorne.homelinux.org, but because that name
> > > >>doesn't match the MX record assigned to my IP address, another MTA is
> > > >>refusing to accept my mail. Ergo, I have forced Exim to use the A record
> > > >>assigned by my ISP.
> > > >
> > > >A host checking that a message coming in from the MX host of the
> > > >domain is fundamentally broken.
> I can't parse that last sentence. Is the meaning
> A host checking that a message coming in from A DOMAIN IS FROM
> the MX host of the domain is fundamentally broken.

Yes.

> ? Then the issue is that outgoing mail need not come from machines
> marked as MX hosts (which are for incoming mail).

Yes. MX hosts handle incoming mail (from the recipient domain's POV). Outgoing mail (this time from the senders domain's POV) can be sent from an arbitrary host.

There is no way in well established DNS and mail procedures to determine whether a given sending host is allowed to use a domain as sender domain of a message. There are a number of (half baked) schemes to give that kind of verification (Domain Keys, SPF, Sender ID et al), but none of them is widely accepted since they all break some existing features of e-mail, such as mailing lists and/or mail forwarding.

> > > Sorry, I made a mistake: the MTA in question is checking the PTR record,
> > > not the MX record. As I understand it, most MTA's check only for the
> > > _existence_ of a PTR record, not whether it matches the A record, but
> > > this one is rejecting emails if the A record doesn't match the PTR.
> >
> > That's still fundamentally broken.
>
> I'm not sure what the fundamentally broken thing is, but I have a
> feeling I'm doing it. My guess about what this means appears below.

It seems to be correct.

> > That's perfectly fine. My setup is the same:
> >
> > [1/500]mh@scyw00225:~$ host -t mx zugschlus.de
> > zugschlus.de mail is handled by 30 mailgate2.zugschlus.de.
> > zugschlus.de mail is handled by 10 mailgate.zugschlus.de.
> > zugschlus.de mail is handled by 20 q.bofh.de.
> > [2/501]mh@scyw00225:~$ host mailgate.zugschlus.de.
> > mailgate.zugschlus.de has address 85.10.211.154
> > [3/502]mh@scyw00225:~$ host 85.10.211.154
> > 154.211.10.85.in-addr.arpa domain name pointer torres.zugschlus.de.
> > [4/503]mh@scyw00225:~$ host torres.zugschlus.de.
> > torres.zugschlus.de has address 85.10.211.154
> > [5/504]mh@scyw00225:~$
>
> So the issue I see here is that if you send mail from
> mailgate.zugschlus.de, the reverse IP lookup finds a different name
> (torres.zugschlus.de), so remote servers checking for agreement will
> reject the message. I think that's the behavior that is described as
> "fundamentally broken."

Yes, it is. Fundamentally broken.

> In an effort to fight spam, I reject messages when
> verify = helo
> fails, which I believe would happen in the previous scenario.

Probably. I don't think that it is even allowed to reject based on HELO. A lot of sites (including myself) do it nevertheless. I, for example, treat incoming mail as spam if the remote site HELOs with my own IP address, host name or domain or some well-known spammer/misconfigured box strings such as "friend" or "oemcomputer".

> I realize this is fairly draconian, but the previous discussion is
> making me wonder if it's totally out of line.

I find it totally out of line. You cannot use CNAMEs for MX records, so the "have a dedicated A record for the generic MX host name in addition to the 'real' host name record" is fairly widespread.

> Like the original poster, the reverse lookup gets a cryptic name made
> up by my ISP. In other words, a server setup exactly like mine would
> reject email from me (if sent directly from my system)!

You surely begin to see what's the issue here ;)

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835