John Rudd writes:

> Stuart Johnston wrote:
> > John Rudd wrote:
> >> Stuart Johnston wrote:
> >>> John Rudd wrote:
> >>>> 2) This sort of replaces the other set of rules I created, that did
> >>>> this with metarules instead of a plugin. This made some of the
> >>>> checks less useful. You probably don't need to use both methods.
> >>>
> >>> So, what is the point of doing this as a plugin instead of using
> >>> existing rules? The obvious disadvantage is the additional dns lookups.
> >>
> >> The advantages are:
> >>
> >> a) being sure that the hostname in RDNS points back to the IP address
> >> you started with. Thus detecting forgeries (which shouldn't happen
> >> with _any_ legitimate service)
> >
> > Postfix does this for you. It is easy enough to write an SA rule to
> > look at the Postfix headers. I don't know about other MTAs.
>
> Sendmail does some of it, but since I didn't find detailed documentation
> on the Trusted/Untrusted Relay pseudo-headers, I don't know if it's
> represented in there. Nor do I know if it's on the meta-information I
> can get from permessagestatus when I ask for the untrusted relay entries
> (whose hash keys are, I assume, the names of the fields in the
> trusted/untrusted relays lines)
>
> If I could get that same information without the DNS checks, I would.
> (though, honestly, with a little more investigation, I can probably
> eliminate ONE of my two DNS checks by looking at more of the pseudo-header).

for what it's worth: http://wiki.apache.org/spamassassin/TrustedRelays

they were woefully under-documented alright :( now improved.

--j.

> >> b) just using the rules version of what I wrote, you can only check if
> >> the decimal IP address, in individual segments, is in the hostname.
> >> You can't check if the entire decimal IP address (one large number) is
> >> in the IP address, nor can you check if the hexadecimal segments are
> >> in the hostname.
> >>
> >>
> >> (a) requires more DNS work, yes. (b) does not. It just requires a
> >> bit more math.
> >>
> >
> > This is just my opinion, of course, but: I'd probably make the plugin
> > just do (b).
> >
> > It might be nice if SA did (a) as part of its standard checks although
> > in my experience, way too many legitimate mail servers fail on this for
> > it to be useful anyway.
>
> I have yet to have a legitimate message rejected by that check, when
> I've been doing it in mimedefang.
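The "(b)" check discussed above, the part that needs no DNS, as an added illustration that is not John's plugin or any SpamAssassin code: it tests whether a relay's IPv4 address is embedded in its reverse-DNS hostname as decimal octets, as one whole decimal number, or as eight hex digits. The function names and the sample hostnames are constructed for this example.

```python
import ipaddress
import re
from typing import Dict, List


def ipv4_forms(ip: str) -> Dict[str, object]:
    """Textual encodings of an IPv4 address that a hostname might embed:
    the four decimal octets, the address as one decimal integer, and the
    address as eight hex digits (two per octet)."""
    addr = ipaddress.IPv4Address(ip)
    octets = addr.packed  # four bytes, network order
    return {
        "dec_octets": [str(o) for o in octets],  # e.g. ['192','168','1','25']
        "dec_whole": str(int(addr)),             # e.g. '3232235801'
        "hex_whole": octets.hex(),               # e.g. 'c0a80119'
    }


def ip_in_hostname(ip: str, hostname: str) -> List[str]:
    """Return the names of the encodings of `ip` found in `hostname`
    (an empty list means the hostname does not embed the address)."""
    host = hostname.lower().rstrip(".")
    forms = ipv4_forms(ip)
    hits: List[str] = []

    # Decimal segments: the four octets must appear as a contiguous run of
    # numeric tokens, in address order or reversed (in-addr.arpa style).
    # Splitting on non-digits keeps '168' from matching inside '1680'.
    tokens = [t for t in re.split(r"[^0-9]+", host) if t]
    octs = forms["dec_octets"]
    n = len(octs)
    for i in range(len(tokens) - n + 1):
        window = tokens[i:i + n]
        if window == octs or window == octs[::-1]:
            hits.append("dec_octets")
            break

    # Whole address as a single decimal number (the check the metarules
    # version could not express).
    if forms["dec_whole"] in host:
        hits.append("dec_whole")

    # Whole address as hex, bounded so a longer hex run (a hash in the
    # hostname) that merely contains these eight digits does not count.
    if re.search(r"(?<![0-9a-f])" + forms["hex_whole"] + r"(?![0-9a-f])", host):
        hits.append("hex_whole")
    return hits
```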