On 2022-08-18 19:40:33 +0100, Martin Gregorie wrote:
> - extract the domain name from the incoming mail's From header and use
> it to find the domain IP. Use that IP to do a reverse domain lookup.
>
> - if the reverse lookup fails, or the domain it retrieved does not match
> the one in the From address, send a bare 550 REJECT because the failed
> reverse lookup implies the sending domain is a forgery.
It doesn't. There are IPs that host several domains, e.g. in the case of shared web hosting. For instance, I have 2 domains, vinc17.net and vinc17.org, and both are handled by the same machine, thus with a single IP address. So, necessarily, the reverse lookup will not match for one of these domains.

BTW, for spamassassin.apache.org, it resolves to 151.101.2.132, but the reverse lookup fails.

And anyway, this is about mail, so the only thing that could really be considered is the MX. But the MX domains may be different from the "From:" domain, even if the domain has its own range of IP addresses. For instance:

$ dig -t mx ens-lyon.fr
[...]
;; ANSWER SECTION:
ens-lyon.fr.            6754    IN      MX      20 mxc.relay.renater.fr.
ens-lyon.fr.            6754    IN      MX      20 mxd.relay.renater.fr.
ens-lyon.fr.            6754    IN      MX      20 mxa.relay.renater.fr.
ens-lyon.fr.            6754    IN      MX      20 mxb.relay.renater.fr.
[...]

The only thing that you may want to do is a reverse lookup of the client IP, then check that the answer resolves back to the IP (among the answers, as there may be several IP addresses).

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
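The two checks discussed in this thread, side by side, as an added example (this is editor-supplied code, not something either poster or SpamAssassin ships). fcrdns() is the check the reply recommends: reverse-resolve the connecting client IP, forward-resolve every name that comes back, and accept only if the client IP is among the answers. naive_from_domain_check() is the From:-domain scheme being argued against. The DNS data is constructed so the script runs offline: one IP (203.0.113.10) hosts mail for two domains, example.net and example.org, but its single PTR can name only one of them; the function names, the documentation-range addresses and the zone contents are all assumptions for illustration. Pass real_ptr and real_addr instead of the fake lookups to run the same logic against the system resolver.

```python
"""Forward-confirmed reverse DNS (FCrDNS) versus a From:-domain reverse check.

Added example with constructed DNS data; nothing here is live unless you pass
real_ptr / real_addr explicitly.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple

# Constructed zone data (assumed, not real): 203.0.113.10 handles mail for
# both example.net and example.org, so its one PTR can only name one of them.
FAKE_PTR: Dict[str, List[str]] = {
    "203.0.113.10": ["mail.example.net."],
    "198.51.100.7": [],                 # no PTR record at all
    "192.0.2.25": ["mx.example.org."],  # PTR exists but does not resolve back
}
FAKE_ADDR: Dict[str, List[str]] = {
    "mail.example.net.": ["203.0.113.10", "2001:db8::10"],  # dual-stack host
    "mx.example.org.": ["192.0.2.99"],
    "example.net.": ["203.0.113.10"],
    "example.org.": ["203.0.113.10"],
}

Lookup = Callable[[str], List[str]]


def fake_ptr(ip: str) -> List[str]:
    return FAKE_PTR.get(ip, [])


def fake_addr(name: str) -> List[str]:
    return FAKE_ADDR.get(name if name.endswith(".") else name + ".", [])


def real_ptr(ip: str) -> List[str]:
    """Live PTR lookup through the system resolver (primary name + aliases)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
    except socket.herror:
        return []
    return [host] + list(aliases)


def real_addr(name: str) -> List[str]:
    """Live A/AAAA lookup through the system resolver."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def fcrdns(client_ip: str, ptr_lookup: Lookup = fake_ptr,
           addr_lookup: Lookup = fake_addr) -> Tuple[bool, str, List[str]]:
    """Reverse-resolve the SMTP client IP, then forward-resolve each returned
    name and require the client IP to appear among the answers. Because a host
    may have several addresses, membership is tested, not equality with the
    first answer. Returns (ok, reason, names)."""
    ip = ipaddress.ip_address(client_ip)
    names = ptr_lookup(client_ip)
    if not names:
        return False, "reverse lookup failed", []
    confirmed = [n for n in names
                 if any(ipaddress.ip_address(a) == ip for a in addr_lookup(n))]
    if not confirmed:
        return False, "no PTR name resolves back to the client IP", names
    return True, "forward-confirmed", confirmed


def naive_from_domain_check(from_domain: str, ptr_lookup: Lookup = fake_ptr,
                            addr_lookup: Lookup = fake_addr) -> bool:
    """The proposed scheme: resolve the From: domain, reverse-resolve that IP
    and demand the PTR name sits under the From: domain. Legitimate domains
    that share a host with another domain cannot pass this."""
    domain = from_domain.rstrip(".").lower()
    for addr in addr_lookup(domain):
        for name in ptr_lookup(addr):
            n = name.rstrip(".").lower()
            if n == domain or n.endswith("." + domain):
                return True
    return False


if __name__ == "__main__":
    for ip in FAKE_PTR:
        print(ip, fcrdns(ip))
    for dom in ("example.net", "example.org"):
        verdict = "passes" if naive_from_domain_check(dom) else "would get a 550"
        print(dom, verdict)
```

With the constructed data, example.net passes the From:-domain check while example.org, hosted on the very same machine, would be rejected as a "forgery"; fcrdns() on the same IP succeeds regardless of which domain appears in From:, fails cleanly when there is no PTR, and also fails when a PTR exists but points at a name that does not resolve back, which is the case a bare "did the reverse lookup return anything" test would miss.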