
Re: SMTP client host name spoofing

  • Reindl Harald
    Message 1 of 30 , Apr 3, 2011
      On 04.04.2011 01:27, Vincent Lefevre wrote:
      > On 2011-04-01 23:51:39 +0200, mouss wrote:
      >> we're not asking them to resolve their hostname. we're only asking them
      >> to use a "real" name. it's as easy as
      >> myhostname = joe.example.com
      >>
      >> with a "joe.example.com" that exists in DNS.
      >
      > But the purpose of having a host in DNS is to be able to resolve it.
      > I mean: you can't have a real hostname in the DNS if it is on a private
      > network (unreachable because of NAT), can you? Well... I'm not sure.
      > See below

      why not?

      * you have a public IP
      * make an A record in some domain to this IP
      * your ISP has a PTR for this IP
      * myhostname = your A record

      EHLO/HELO, A, PTR are matching
      where is the problem?
    • Vincent Lefevre
      Message 2 of 30 , Apr 3, 2011
        On 2011-04-04 01:53:15 +0200, Reindl Harald wrote:
        > > But the purpose of having a host in DNS is to be able to resolve it.
        > > I mean: you can't have a real hostname in the DNS if it is on a private
        > > network (unreachable because of NAT), can you? Well... I'm not sure.
        > > See below
        >
        > why not?

        Because strictly speaking, due to NAT, the DNS would lie. I mean that
        the address would not be the address of the machine sending the mail,
        but the address of the router.

        > * you have a public IP
        > * make an A record in some domain to this IP
        > * your ISP has a PTR for this IP
        > * myhostname = your A record
        >
        > EHLO/HELO, A, PTR are matching
        > where is the problem?

        They won't even necessarily match for some machines. For instance,
        one of them is a laptop, which is not always on the same network.
        I suppose that should not be a problem, but who knows...

        Even an address literal in square brackets isn't reliable: I had been
        testing this for a couple of weeks and I got a reject a few minutes
        ago:

        Helo command rejected: IP literal in HELO hostname (in
        reply to RCPT TO command)

        --
        Vincent Lefèvre <vincent@...> - Web: <http://www.vinc17.net/>
        100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
        Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)
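The consistency Reindl describes (HELO name, its A record and the PTR of the public address all agreeing) and the two failure cases Vincent raises (an address literal in HELO, and a laptop whose public address changes) can be checked before mail is sent. The following is an added example, not code from this thread; it assumes the constructed DNS tables below stand in for real A/PTR lookups so it runs offline.

```python
import ipaddress
import re

# Constructed DNS data (assumption: replaces live A/PTR lookups so the check runs offline).
FAKE_A = {
    "joe.example.com": {"203.0.113.10"},     # A record matches the public IP of the NAT router
    "laptop.example.com": {"203.0.113.10"},  # A record set up for the laptop's home network
}
FAKE_PTR = {
    "203.0.113.10": "joe.example.com",        # PTR the ISP publishes for the home public IP
    "198.51.100.7": "dyn-7.isp.example.net",  # PTR on a foreign network: names the ISP, not us
}

# Hostname must have at least one dot and a purely alphabetic last label.
FQDN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def is_address_literal(helo: str) -> bool:
    """True for '[203.0.113.10]' or '[IPv6:...]' style HELO arguments."""
    if not (helo.startswith("[") and helo.endswith("]")):
        return False
    inner = helo[1:-1]
    if inner.lower().startswith("ipv6:"):
        inner = inner[5:]
    try:
        ipaddress.ip_address(inner)
        return True
    except ValueError:
        return False


def check_helo(helo: str, public_ip: str, a_records=FAKE_A, ptr_records=FAKE_PTR):
    """Return (ok, reasons); reasons lists every mismatch a receiving MTA could object to."""
    reasons = []
    if is_address_literal(helo):
        # Some receivers reject these outright, as in the "IP literal in HELO hostname" bounce.
        reasons.append("address literal in HELO")
        return False, reasons
    if not FQDN_RE.match(helo):
        reasons.append("HELO is not a fully-qualified hostname")
        return False, reasons
    name = helo.lower().rstrip(".")
    if public_ip not in a_records.get(name, set()):
        reasons.append(f"A record for {name} does not contain {public_ip}")
    if ptr_records.get(public_ip, "").lower() != name:
        reasons.append(f"PTR for {public_ip} is not {name}")
    return not reasons, reasons
```

The roaming-laptop case shows up as a PTR mismatch at home (the PTR names the relay host, not the laptop) and as both an A and a PTR mismatch on a foreign network.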
      • Reindl Harald
        Message 3 of 30 , Apr 3, 2011
          On 04.04.2011 02:22, Vincent Lefevre wrote:
          >> why not?
          >
          > Because strictly speaking, due to NAT, the DNS would lie. I mean that
          > the address would not be the address of the machine sending the mail,
          > but the address of the router.

          nobody out there is interested in your NAT

          the server on the other side is seeing only your public address
          and your public address has a hostname / PTR and your postfix should
          match this hostname

          the DNS does not lie, you never connect outside with anything of your
          NAT because the nature of NAT is to be transparent

          >> EHLO/HELO, A, PTR are matching
          >> where is the problem?
          >
          > They won't even necessarily match for some machines. For instance,
          > one of them is a laptop, which is not always on the same network.
          > I suppose that should not be a problem, but who knows...

          that is why you should NOT send mail directly from every single machine
          and set up ONE LAN relay which normally uses a clean relay host and
          does NOT send mails directly as long as it is not needed

          so you can comment out relayhost temporarily, restart postfix
          and all other machines in your LAN are working as expected

          now you come even with "direct send from a notebook"
          jesus christ this is really ignorant!

          > Even an address literal in square brackets isn't reliable: I had been
          > testing this for a couple of weeks and I got a reject a few minutes
          > ago:
          >
          > Helo command rejected: IP literal in HELO hostname (in
          > reply to RCPT TO command)

          that is why i said "do not send directly" unless your whole
          configuration is clean (dns, HELO,...) and as long you want
          that your messages are received and not rejected or even
          silently dropped
        • Sahil Tandon
          Message 4 of 30 , Apr 3, 2011
            On Mon, 2011-04-04 at 02:38:14 +0200, Reindl Harald wrote:

            [ .. ]

            > now you come even with "direct send from a notebook"
            > jesus christ this is really ignorant!

            Please, this is a technical mailing list; let's all try to minimize the
            editorializing and insults.

            --
            Sahil Tandon <sahil@...>
          • Reindl Harald
            Message 5 of 30 , Apr 3, 2011
              On 04.04.2011 03:08, Sahil Tandon wrote:
              > On Mon, 2011-04-04 at 02:38:14 +0200, Reindl Harald wrote:
              >
              > [ .. ]
              >
              >> now you come even with "direct send from a notebook"
              >> jesus christ this is really ignorant!
              >
              > Please, this is a technical mailing list; let's all try to minimize the
              > editorializing and insults

              i know, but somewhere should be a point where people try to understand
              things they are told over and over or do what they want and stop
              questions if the answers do not interest them