Posted to users@spamassassin.apache.org by John Rudd <jr...@ucsc.edu> on 2006/11/01 05:12:38 UTC
Re: Relay Checker Plugin (code review please?)
Stuart Johnston wrote:
> John Rudd wrote:
>> Stuart Johnston wrote:
>>> John Rudd wrote:
>>>>
>>>>
>>>> 2) This sort of replaces the other set of rules I created, that did
>>>> this with metarules instead of a plugin. This made some of the
>>>> checks less useful. You probably don't need to use both methods.
>>>
>>> So, what is the point of doing this as a plugin instead of using
>>> existing rules? The obvious disadvantage is the additional DNS lookups.
>>
>> The advantages are:
>>
>> a) being sure that the hostname in RDNS points back to the IP address
>> you started with. Thus detecting forgeries (which shouldn't happen
>> with _any_ legitimate service)
>
> Postfix does this for you. It is easy enough to write an SA rule to
> look at the Postfix headers. I don't know about other MTAs.

Sendmail does some of it, but since I didn't find detailed documentation
on the Trusted/Untrusted Relay pseudo-headers, I don't know if it's
represented in there. Nor do I know if it's on the meta-information I
can get from permessagestatus when I ask for the untrusted relay entries
(whose hash keys are, I assume, the names of the fields in the
trusted/untrusted relays lines).

If I could get that same information without the DNS checks, I would.
(though, honestly, with a little more investigation, I can probably
eliminate ONE of my two DNS checks by looking at more of the pseudo-header).

>> b) just using the rules version of what I wrote, you can only check if
>> the decimal IP address, in individual segments, is in the hostname.
>> You can't check if the entire decimal IP address (one large number) is
>> in the IP address, nor can you check if the hexadecimal segments are
>> in the hostname.
>>
>>
>> (a) requires more DNS work, yes. (b) does not. It just requires a
>> bit more math.
>>
>
> This is just my opinion, of course, but: I'd probably make the plugin
> just do (b).
>
> It might be nice if SA did (a) as part of its standard checks although
> in my experience, way too many legitimate mail servers fail on this for
> it to be useful anyway.

I have yet to have a legitimate message rejected by that check, when
I've been doing it in mimedefang.
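
Check (b) from the thread above, as an added example (not the plugin's code and not part of the original message): a stand-alone Perl sub that looks for a relay's IPv4 address inside its rDNS hostname as decimal segments, as one 32-bit decimal number, and as hexadecimal. The sub name, the result labels and the sample relay data are constructed for illustration; it does no DNS lookups.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Return the encodings of $ip (dotted-quad IPv4) that appear in hostname $rdns.
sub ip_encodings_in_hostname {
    my ($ip, $rdns) = @_;
    my @o = split /\./, $ip;
    return () unless @o == 4 && !grep { !/^[0-9]{1,3}$/ || $_ > 255 } @o;

    my $host = lc $rdns;
    my @hits;

    # Octets as separate decimal segments, forward or reversed, zero padding
    # allowed (e.g. 1-2-0-192 or 192.000.002.001). Rules alone can do this one.
    for my $order ([@o], [reverse @o]) {
        my $re = join '[^0-9]+', map { "0*$_" } @$order;
        if ($host =~ /(?<![0-9])${re}(?![0-9])/) {
            push @hits, 'decimal-segments';
            last;
        }
    }

    # Whole address as one large decimal number (needs the "bit more math").
    my $n = $o[0] * 16777216 + $o[1] * 65536 + $o[2] * 256 + $o[3];
    push @hits, 'decimal-integer' if $host =~ /(?<![0-9])${n}(?![0-9])/;

    # Hexadecimal: eight contiguous hex digits, or four two-digit segments.
    my @h      = map { sprintf '%02x', $_ } @o;
    my $hexrun = join '', @h;
    my $hexseg = join '[^0-9a-f]+', @h;
    push @hits, 'hex'
        if index($host, $hexrun) >= 0
        || $host =~ /(?<![0-9a-f])${hexseg}(?![0-9a-f])/;

    return @hits;
}

# Constructed sample relays (documentation address ranges, example domains).
my @samples = (
    [ '192.0.2.1',     '1-2-0-192.dsl.example.net' ],
    [ '192.0.2.1',     'host3221225985.pool.example.net' ],
    [ '198.51.100.23', 'cablec6336417.example.net' ],
    [ '203.0.113.77',  'mail.example.org' ],
);
for my $s (@samples) {
    my @hits = ip_encodings_in_hostname(@$s);
    printf "%-15s %-34s %s\n", @$s, @hits ? join(',', @hits) : 'none';
}
```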