DNS: more arbitrary client/srvr vars
Status: Inactive
Brought to you by:
egoldthorpe
Client side:
Ability to do multiple RBL lookups
Ability to do more DNS verifications for connecting hostname, helo name
Ability to check helo for MX records and match against DNS (I think this is dangerous)
Ability to send arbitrary foo=-1,0,1 values and equate them in authd rules to timeout,false,true
server side:
changing parsing of variables; instead of storing them into specific binary structures, request specific variables from the structure by name. Only keep doing the common values into the stored structure.
Logged In: YES
user_id=239889
Arbitrary variables can be tested for true/false/timeout now.
Client can send in the request:
foo=1 for true; foo=-1 for false; foo=0 for timeout
server rules can test for it:
:foo:true
:foo:false
:foo:timeout
Logged In: YES
user_id=239889
I'm currently leery of doing this for MX or even reverse DNS validity checks; until I've seen more proof that this would be beneficial without being harmful.
Other comments on this ticket will remain, as they'll be used for other random stuff.
Logged In: YES
user_id=239889
Date: Tue, 23 Oct 2001 19:21:22 -0700 (PDT)
From: Jason Fesler <jfesler@gigo.com>
To: authd@authd.org
Bcc: Brian Freeman <brian@oopack.com>
Subject: "helo" checking and such
I was recently asked to add in checking for "helo", make sure that the strings given there are resolvable. Looking at least at my own logs, however, this would do nearly as much harm as good - of the 1% of the mail that has unresolvable hostnames hitting _my_ system, half of that mail is legit but not otherwise triggering any exceptions (and would be blocked if I started requiring that HELO be valid).
Anyone have any logs where they think this may significantly be helpful, but not harmful? I'd like to do some analysis on them before I put the effort in on the code (much less, add it to a place where people are likely to shoot their feet off and blame me for it..).
On a similar note would be the ability to do the reverse DNS on the connecting IP. I've had about 5% of the mail sent to my system have an unknown host name connecting. 2/3rds of that was refused for _other_ anti spam reasons. The remaining one third, nearly all of it is either good, or to bad usernames (and being refused by postfix for having unknown users). All that said, if you *really* want to refuse mail from those, just do a match for "unknown" in the hostname, at least for postfix. Other MTAs may have a different representation.
--
Jason Fesler <jfesler@gigo.com>
http://gigo.com/resume.html
"Those who give up essential liberties for temporary safety
deserve neither liberty nor safety." - Benjamin Franklin
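An added example, not part of the original message or of authd's code: one way to run the kind of log analysis the message asks for, separating mail from `unknown` hosts that is already refused from mail that only a new "refuse unknown hosts" rule would block. The log lines are constructed samples in Postfix smtpd style, and the category and function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Postfix smtpd log style (not taken from the page).
SAMPLE_LOG = """\
Oct 23 19:00:58 mx postfix/smtpd[410]: connect from unknown[192.0.2.10]
Oct 23 19:01:02 mx postfix/smtpd[411]: 3F2A1B: client=mail.example.net[198.51.100.7]
Oct 23 19:01:09 mx postfix/smtpd[410]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using rbl.example.invalid; from=<a@example.com> to=<me@example.org> proto=SMTP helo=<foo>
Oct 23 19:02:11 mx postfix/smtpd[412]: NOQUEUE: reject: RCPT from unknown[192.0.2.23]: 554 5.7.1 Service unavailable; Client host [192.0.2.23] blocked using rbl.example.invalid; from=<b@example.com> to=<me@example.org> proto=SMTP helo=<bar>
Oct 23 19:03:30 mx postfix/smtpd[413]: NOQUEUE: reject: RCPT from unknown[192.0.2.31]: 550 5.1.1 <nobody@example.org>: Recipient address rejected: User unknown in local recipient table; from=<c@example.com> to=<nobody@example.org> proto=SMTP helo=<baz>
Oct 23 19:04:45 mx postfix/smtpd[414]: 7C9D2E: client=unknown[192.0.2.44]
Oct 23 19:05:12 mx postfix/smtpd[415]: A1B2C3: client=relay.example.com[203.0.113.5]
"""

# Matches either an RCPT rejection or a queued message ("QUEUEID: client=...").
EVENT = re.compile(
    r"postfix/smtpd\[\d+\]: "
    r"(?:(?P<reject>NOQUEUE: reject: RCPT from )|[0-9A-F]+: client=)"
    r"(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\](?P<rest>.*)")

def classify(line):
    """Return a category for one log line, or None if it is not a mail event."""
    m = EVENT.search(line)
    if not m:
        return None
    if m["host"] != "unknown":          # reverse DNS resolved
        return "resolved"
    if not m["reject"]:                 # queued: only a new rule would stop it
        return "unknown_accepted"
    if "User unknown" in m["rest"]:     # already refused: bad recipient
        return "unknown_bad_user"
    return "unknown_other_reject"       # already refused: other anti-spam check

def tally(log_text):
    return Counter(c for c in map(classify, log_text.splitlines()) if c)

def newly_blocked_share(counts):
    """Fraction of all mail events that only 'refuse unknown hosts' would block."""
    total = sum(counts.values())
    return counts["unknown_accepted"] / total if total else 0.0

if __name__ == "__main__":
    counts = tally(SAMPLE_LOG)
    print(dict(counts), f"newly blocked: {newly_blocked_share(counts):.1%}")
```

The `unknown_accepted` bucket is the one to review by hand before enabling such a rule, since it holds the mail that would start being refused.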
Logged In: YES
user_id=239889
foo=-1,0,1 is QA'd as of today;
multiple RBL stuff not yet written