Stuart Johnston wrote:
John Rudd wrote:
Stuart Johnston wrote:
John Rudd wrote:


2) This sort of replaces the other set of rules I created, that did this with metarules instead of a plugin. This made some of the checks less useful. You probably don't need to use both methods.

So, what is the point of doing this as a plugin instead of using existing rules? The obvious disadvantage is the additional dns lookups.

The advantages are:

a) being sure that the hostname in RDNS points back to the IP address you started with. Thus detecting forgeries (which shouldn't happen with _any_ legitimate service)

Postfix does this for you. It is easy enough to write an SA rule to look at the Postfix headers. I don't know about other MTAs.

Sendmail does some of it, but since I didn't find detailed documentation on the Trusted/Untrusted Relay pseudo-headers, I don't know if it's represented in there. Nor do I know if it's in the meta-information I can get from permessagestatus when I ask for the untrusted relay entries (whose hash keys are, I assume, the names of the fields in the trusted/untrusted relays lines).

If I could get that same information without the DNS checks, I would. (though, honestly, with a little more investigation, I can probably eliminate ONE of my two DNS checks by looking at more of the pseudo-header).


b) just using the rules version of what I wrote, you can only check if the decimal IP address, in individual segments, is in the hostname. You can't check if the entire decimal IP address (one large number) is in the IP address, nor can you check if the hexadecimal segments are in the hostname.


(a) requires more DNS work, yes. (b) does not. It just requires a bit more math.


This is just my opinion, of course, but: I'd probably make the plugin just do (b).

It might be nice if SA did (a) as part of its standard checks although in my experience, way too many legitimate mail servers fail on this for it to be useful anyway.

I have yet to have a legitimate message rejected by that check, when I've been doing it in mimedefang.

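To make the two checks discussed in the thread concrete, here is an added example (written for this page, not code from the thread, from SpamAssassin, or from mimedefang) that implements both in Python rather than as an SA plugin: check (b) looks for the relay's IP in the hostname as decimal octets, as one whole decimal number, as one whole hex string, or as hex octets, tolerating reversed order and zero padding; check (a) is forward-confirmed reverse DNS. The DNS data is a constructed in-memory table so the example runs offline; the hostnames, addresses and function names are assumptions for illustration only.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed fake PTR and A records standing in for real DNS answers.
FAKE_PTR: Dict[str, List[str]] = {
    "192.0.2.10": ["mx.example.net"],        # PTR and A agree
    "192.0.2.20": ["forged.example.org"],    # PTR points at a name whose A is elsewhere
}
FAKE_A: Dict[str, List[str]] = {
    "mx.example.net": ["192.0.2.10"],
    "forged.example.org": ["198.51.100.7"],
}


def _contiguous(needles: List[str], haystack: List[str]) -> bool:
    """True if `needles` occurs as a contiguous run in `haystack`, forward or reversed."""
    n = len(needles)
    for seq in (needles, needles[::-1]):
        for i in range(len(haystack) - n + 1):
            if haystack[i:i + n] == seq:
                return True
    return False


def ip_in_hostname(ip: str, hostname: str) -> Optional[str]:
    """Check (b): which encoding of `ip`, if any, is embedded in `hostname`.

    Returns one of "decimal-whole", "decimal-octets", "hex-whole", "hex-octets",
    or None when the hostname does not encode the address.
    """
    addr = ipaddress.IPv4Address(ip)
    octets = [int(o) for o in ip.split(".")]
    host = hostname.lower()

    # Digit runs, normalised so zero-padded labels ("001") still match octet 1.
    dec_runs = [str(int(r)) for r in re.findall(r"\d+", host)]
    if str(int(addr)) in dec_runs:                      # e.g. ip3232235786.example.net
        return "decimal-whole"
    if _contiguous([str(o) for o in octets], dec_runs):  # e.g. 192-168-1-10 or 10-1-168-192
        return "decimal-octets"

    # Hex runs; letters outside a-f break a run, so ordinary words rarely collide.
    hex_runs = re.findall(r"[0-9a-f]+", host)
    whole_hex = f"{int(addr):08x}"
    if any(whole_hex in run for run in hex_runs):       # e.g. c0a8010a.dyn.example.net
        return "hex-whole"
    if _contiguous([f"{o:02x}" for o in octets], hex_runs):  # e.g. c0-a8-01-0a
        return "hex-octets"
    return None


def fcrdns(ip: str,
           ptr: Dict[str, List[str]] = FAKE_PTR,
           a: Dict[str, List[str]] = FAKE_A) -> Tuple[Optional[str], bool]:
    """Check (a): forward-confirmed reverse DNS.

    Resolve PTR for `ip`, then require that one of the returned names has an
    A record pointing back at `ip`. Returns (hostname, confirmed).
    """
    names = ptr.get(ip, [])
    for name in names:
        if ip in a.get(name, []):
            return name, True
    return (names[0] if names else None), False


if __name__ == "__main__":
    for ip, host in [("192.168.1.10", "host-192-168-1-10.example.net"),
                     ("192.168.1.10", "c0a8010a.dyn.example.net"),
                     ("203.0.113.5", "mail.example.com")]:
        print(host, "->", ip_in_hostname(ip, host))
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, "->", fcrdns(ip))
```

In a real deployment the two lookups in `fcrdns` are the extra DNS cost the thread mentions; the `ip_in_hostname` check costs nothing beyond the arithmetic, which is why it is the part that can reasonably be done without a resolver.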