On Tue, 24 Nov 2015, RW wrote:
On Tue, 24 Nov 2015 12:03:12 -0800 (PST)
John Hardin wrote:
On Tue, 24 Nov 2015, Reindl Harald wrote:
i would suggest when the Received header for the *first* untrusted
hop
Just so we're clear on first vs. last: the host that submitted the
mail to the most-remote MTA whose headers you trust.
don't contain a reverse dns information *and only then* do that
lookup directly in SA if network tests are enabled
This seems to me a reasonable approach. There's no need to check RDNS
on hops prior to the final untrusted hop (chronologically speaking).
It would be the last relay into the internal network, if it's from an
untrusted server. The edge of the trusted network may be a submission
server.
You don't trust the headers your submission server generates?
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
USMC Rules of Gunfighting #4: If your shooting stance is good,
you're probably not moving fast enough nor using cover correctly.
-----------------------------------------------------------------------
