skip reverse DNS lookup if smtp-authenticated
Konstantin Kletschke
2007-04-02 08:22:17 UTC
Hi Folks!

I am stuck with pimping my exim ACLs.

exim is denying in "acl_check_connect:" connections whose reverse dns
lookup fails:

    deny message = Warning - Reverse DNS lookup failed for host $sender_host_address.
         !verify = reverse_host_lookup
         !hosts = xxx.xxx.xxx.xxx

The !hosts is an exception for my friend whose reverse dns lookup will
always fail but he has a fixed ip address.

My customers log in via smtp-auth and deliver their mails to this exim
as a smarthost. The issue is, with t-online this check always fails (I
encourage these to use their t-online smarthost), and recently
osnanet.de is not able to let it reverse dns check their dial-in
customers correctly. What I want to achieve is that, for my customers
who always do smtp-auth, this check is skipped.

Who can apply such an exception with exim ACLs?

Kind Regards, Konsti
--
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
Mike Cardwell
2007-04-02 08:28:37 UTC
Post by Konstantin Kletschke
I am stuck with pimping my exim ACLs.
exim is denying in "acl_check_connect:" connections whose reverse dns
    deny message = Warning - Reverse DNS lookup failed for host $sender_host_address.
         !verify = reverse_host_lookup
         !hosts = xxx.xxx.xxx.xxx
The !hosts is an exception for my friend whose reverse dns lookup will
always fail but he has a fixed ip address.
My customers log in via smtp-auth and deliver their mails to this exim
as a smarthost. The issue is, with t-online this check always fails (I
encourage these to use their t-online smarthost), and recently
osnanet.de is not able to let it reverse dns check their dial-in
customers correctly. What I want to achieve is that, for my customers
who always do smtp-auth, this check is skipped.
Who can apply such an exception with exim ACLs?

Move the check into the acl_smtp_mail acl rather than the connect acl.
By this point, the client will have authenticated or not and you can
just do:

    deny message = Warning - Reverse DNS lookup failed for host $sender_host_address.
         !authenticated = *
         !verify = reverse_host_lookup
         !hosts = xxx.xxx.xxx.xxx

Mike
Konstantin Kletschke
2007-04-03 06:33:49 UTC
Post by Mike Cardwell
Move the check into the acl_smtp_mail acl rather than the connect acl.

Ah okay, this works fine. I wanted to save some traffic by blocking them
earlier, but this is not much of a saving, I suppose. I did not know about
the acl_smtp_mail stage so I did not even know where to move the check
to :-)

Thanks for your help!

Regards, Konsti
Heiko Schlittermann
2007-04-02 08:32:53 UTC
Post by Konstantin Kletschke
Hi Folks!
I am stuck with pimping my exim ACLs.
exim is denying in "acl_check_connect:" connections whose reverse dns
    deny message = Warning - Reverse DNS lookup failed for host $sender_host_address.
         !verify = reverse_host_lookup
         !hosts = xxx.xxx.xxx.xxx

If I remember well: appearance of 'hosts' acl condition *always* causes
reverse dns lookup and causes some kind of failure if the address can't
be verified. But I'm NOT sure.

You could accept the messages from authenticated clients first.

    accept authenticated = *
    deny   !verify = reverse_host_lookup
--
Heiko
Konstantin Kletschke
2007-04-03 06:35:10 UTC
Post by Heiko Schlittermann
You could accept the messages from authenticated clients first.
    accept authenticated = *
    deny   !verify = reverse_host_lookup

As pointed out in the other mail, this works after moving the check to
a later stage after smtp-auth users had a chance to authenticate then
:-)

Regards, Konsti
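
The arrangement the thread settles on, written out as one configuration fragment. This is an added example, not configuration posted by any participant; the ACL name acl_check_mail and the address 192.0.2.25 (standing in for the xxx.xxx.xxx.xxx exception) are assumptions.

```exim
# Added example: rDNS check moved from connect time to MAIL time so that
# authenticated clients can be exempted. Names and address are placeholders.

# --- main configuration section ---
# Hook an ACL to each SMTP stage. AUTH happens between connect and MAIL,
# so only the MAIL-stage ACL can see whether the client authenticated.
acl_smtp_connect = acl_check_connect
acl_smtp_mail    = acl_check_mail

# --- ACL section ---
begin acl

acl_check_connect:
  # No rDNS check here: at connect time no client has authenticated yet,
  # so smtp-auth customers could not be told apart from anyone else.
  accept

acl_check_mail:
  # Customers who authenticated skip the rDNS check entirely.
  accept authenticated = *

  # Fixed-IP exception from the thread (placeholder address).
  accept hosts = 192.0.2.25

  # Everyone else must pass the reverse DNS check.
  deny   message = Warning - Reverse DNS lookup failed for host $sender_host_address.
         !verify = reverse_host_lookup

  # Nothing objected: let the MAIL command proceed to the later ACLs.
  accept
```

`authenticated = *` is true for a session authenticated by any configured authenticator, so the exemption is only as strong as the AUTH mechanisms the server offers.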