You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@spamassassin.apache.org by John Rudd <jr...@ucsc.edu> on 2006/11/01 05:12:38 UTC

Re: Relay Checker Plugin (code review please?)

Stuart Johnston wrote:
> John Rudd wrote:
>> Stuart Johnston wrote:
>>> John Rudd wrote:
>>>>
>>>>
>>>> 2) This sort of replaces the other set of rules I created, that did 
>>>> this with metarules instead of a plugin.  This made some of the 
>>>> checks less useful.  You probably don't need to use both methods.
>>>
>>> So, what is the point of doing this as a plugin instead of using 
>>> existing rules?  The obvious disadvantage is the additional dns lookups.
>>
>> The advantages are:
>>
>> a) being sure that the hostname in RDNS points back to the IP address 
>> you started with.  Thus detecting forgeries (which shouldn't happen 
>> with _any_ legitimate service)
> 
> Postfix does this for you.  It is easy enough to write an SA rule to 
> look at the Postfix headers.  I don't know about other MTAs.

Sendmail does some of it, but since I didn't find detailed documentation 
on the Trusted/Untrusted Relay pseudo-headers, I don't know if its 
represented in there.  Nor do I know if it's on the meta-information I 
can get from permessagestatus when I ask for the untrusted relay entries 
(whose hash keys are, I assume, the names of the fields in the 
trusted/untrusted relays lines)

If I could get that same information without the DNS checks, I would. 
(though, honestly, with a little more investigation, I can probably 
eliminate ONE of my two DNS checks by looking at more of the pseudo-header).


>> b) just using the rules version of what I wrote, you can only check if 
>> the decimal IP address, in individual segments, is in the hostname.  
>> You can't check if the entire decimal IP address (one large number) is 
>> in the IP address, nor can you check if the hexidecimal segments are 
>> in the hostname.
>>
>>
>> (a) requires more DNS work, yes.  (b) does not.  It just requires a 
>> bit more math.
>>
> 
> This is just my opinion, of course, but:  I'd probably make the plugin 
> just do (b).
> 
> It might be nice if SA did (a) as part of its standard checks although 
> in my experience, way too many legitimate mail servers fail on this for 
> it to be useful anyway.

I have yet to have a legitimate message rejected by that check, when 
I've been doing it in mimedefang.