Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2006/11/01 11:36:13 UTC

Re: Relay Checker Plugin (code review please?)

John Rudd writes:
> Stuart Johnston wrote:
> > John Rudd wrote:
> >> Stuart Johnston wrote:
> >>> John Rudd wrote:
> >>>> 2) This sort of replaces the other set of rules I created, that did 
> >>>> this with metarules instead of a plugin.  This made some of the 
> >>>> checks less useful.  You probably don't need to use both methods.
> >>>
> >>> So, what is the point of doing this as a plugin instead of using 
> >>> existing rules?  The obvious disadvantage is the additional dns lookups.
> >>
> >> The advantages are:
> >>
> >> a) being sure that the hostname in RDNS points back to the IP address 
> >> you started with.  Thus detecting forgeries (which shouldn't happen 
> >> with _any_ legitimate service)
> > 
> > Postfix does this for you.  It is easy enough to write an SA rule to 
> > look at the Postfix headers.  I don't know about other MTAs.
> 
> Sendmail does some of it, but since I didn't find detailed documentation 
> on the Trusted/Untrusted Relay pseudo-headers, I don't know if it's 
> represented in there.  Nor do I know if it's on the meta-information I 
> can get from permessagestatus when I ask for the untrusted relay entries 
> (whose hash keys are, I assume, the names of the fields in the 
> trusted/untrusted relays lines)
> 
> If I could get that same information without the DNS checks, I would. 
> (though, honestly, with a little more investigation, I can probably 
> eliminate ONE of my two DNS checks by looking at more of the pseudo-header).

for what it's worth: http://wiki.apache.org/spamassassin/TrustedRelays

they were woefully under-documented alright :(  now improved.

--j.

> >> b) just using the rules version of what I wrote, you can only check if 
> >> the decimal IP address, in individual segments, is in the hostname.  
> >> You can't check if the entire decimal IP address (one large number) is 
> >> in the IP address, nor can you check if the hexadecimal segments are 
> >> in the hostname.
> >>
> >>
> >> (a) requires more DNS work, yes.  (b) does not.  It just requires a 
> >> bit more math.
> >>
> > 
> > This is just my opinion, of course, but:  I'd probably make the plugin 
> > just do (b).
> > 
> > It might be nice if SA did (a) as part of its standard checks although 
> > in my experience, way too many legitimate mail servers fail on this for 
> > it to be useful anyway.
> 
> I have yet to have a legitimate message rejected by that check, when 
> I've been doing it in mimedefang.
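
The two checks labelled (a) and (b) in this thread, as an added Python example; it is not John Rudd's plugin code and uses no SpamAssassin API. The function names, the separator set, the reversed-octet match (a generalization beyond what the thread lists) and the injected lookup callables are assumptions, and the addresses and hostnames are constructed from documentation ranges so the block runs offline.

```python
import ipaddress
import re

SEP = r"[-._]"  # assumed separators between octets in generated rDNS names

def _bounded(pattern):
    # Reject matches that sit inside a longer digit run (192-0-2-10 vs 192-0-2-100).
    return r"(?<![0-9])" + pattern + r"(?![0-9])"

def ip_in_hostname(ip, hostname):
    """Check (b): return the sorted labels of the encodings of `ip` found in `hostname`."""
    addr = ipaddress.IPv4Address(ip)           # raises ValueError on anything but IPv4
    dec = [str(b) for b in addr.packed]        # e.g. ['192', '0', '2', '10']
    hexa = ["%02x" % b for b in addr.packed]   # e.g. ['c0', '00', '02', '0a']
    patterns = {
        "decimal-octets": _bounded(SEP.join(dec)),
        "decimal-octets-reversed": _bounded(SEP.join(reversed(dec))),
        "decimal-integer": _bounded(str(int(addr))),  # the address as one large number
        "hex-octets": (SEP + "?").join(hexa),
    }
    name = hostname.lower()
    return sorted(label for label, p in patterns.items() if re.search(p, name))

def fcrdns_ok(ip, ptr_lookup, addr_lookup):
    """Check (a): some PTR name for `ip` must resolve back to `ip`; no PTR fails."""
    names = ptr_lookup(ip)
    return any(ip in addr_lookup(name) for name in names)

# Constructed sample zone data: the second PTR names a host that resolves elsewhere.
PTR = {"192.0.2.10": ["192-0-2-10.dsl.example.net"],
       "203.0.113.45": ["mail.example.org"]}
FWD = {"192-0-2-10.dsl.example.net": ["192.0.2.10"],
       "mail.example.org": ["198.51.100.7"]}

if __name__ == "__main__":
    for ip, names in PTR.items():
        confirmed = fcrdns_ok(ip, lambda i: PTR.get(i, []), lambda n: FWD.get(n, []))
        print(ip, names[0], ip_in_hostname(ip, names[0]),
              "rDNS confirmed" if confirmed else "rDNS does not point back")
```

Check (b) needs only the relay's IP and the rDNS name already in hand; check (a) is where the extra lookups discussed above come from.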