[Dovecot] Hostname passed to PAM as rhost
John Peacock
jpeacock at rowman.com
Mon Sep 26 22:37:15 EEST 2005
Tom Alsberg wrote:
> Does it double-verify the DNS record before it trusts
> this to be the hostname (first checking the IP address in
> in-addr.arpa and then checking that the hostname indeed maps back to
> the same IP address)?
>
Actually, this level of paranoia is not useful, since it will fail to
correctly operate in the very real case of co-hosted boxes. There can
only be (in practice) a single mapping from IP => hostname (via
in-addr.arpa), but there can be virtually limitless hostname => IP maps.
There were a few SMTP servers which supported "round-trip DNS checks"
but by now, hopefully, the sysadmins running those boxes have been
killed off by the userbase eager to actually receive e-mail.
If PAM authentication supports different schemes based on source IP
address, that is the best you can hope for. The only trustworthy value
in a point-to-point TCP connection is IP (since it is impossible to
spoof that due to the need to be able to get the response packets back
later).
John
--
John Peacock
Director of Information Research and Technology
Rowman & Littlefield Publishing Group
4501 Forbes Boulevard
Suite H
Lanham, MD 20706
301-459-3366 x.5010
fax 301-429-5748
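The "double-verify" check Tom asks about is usually called forward-confirmed reverse DNS: resolve the client IP to a name via in-addr.arpa, then resolve that name forward and accept it only if the original IP is among the results. The following is an added example, not code from the original thread or from Dovecot. The lookup tables are constructed stand-ins for DNS (the names and 192.0.2.x addresses are documentation examples, not real hosts), and the function names are my own; the system-resolver variants at the end only call the standard library.

```python
import socket
from typing import Callable, Dict, List, Optional

# Constructed offline stand-in for DNS. Reverse (PTR) records: one name per IP.
PTR: Dict[str, List[str]] = {
    "192.0.2.10": ["mail.example.net"],      # well-kept box
    "192.0.2.20": ["host20.isp.example"],     # generic ISP PTR, no forward record
    "192.0.2.30": ["www.example.org"],        # co-hosted box; PTR names one vhost
}
# Forward (A) records: many names may point at one IP, and one name at many IPs.
A: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.10"],
    "host20.isp.example": [],
    "www.example.org": ["192.0.2.31"],        # that vhost has since moved
    "shop.example.org": ["192.0.2.30", "192.0.2.31"],  # round-robin name
}

Reverse = Callable[[str], List[str]]
Forward = Callable[[str], List[str]]


def fake_reverse(ip: str) -> List[str]:
    return list(PTR.get(ip, []))


def fake_forward(name: str) -> List[str]:
    return list(A.get(name, []))


def fcrdns(ip: str, reverse: Reverse = fake_reverse,
           forward: Forward = fake_forward) -> Optional[str]:
    """Forward-confirmed reverse DNS.

    Returns the first PTR name whose forward lookup contains `ip`, else None.
    A PTR name that does not resolve back is treated as unconfirmed rather
    than as an error: the caller falls back to the IP, which the peer cannot
    forge on an established TCP connection.
    """
    for name in reverse(ip):
        name = name.rstrip(".").lower()
        if ip in forward(name):
            return name
    return None


def rhost_for_pam(ip: str, reverse: Reverse = fake_reverse,
                  forward: Forward = fake_forward) -> str:
    """Value a daemon could hand to PAM as the remote host.

    Only a confirmed name is used; otherwise the bare IP is passed so a
    PAM module keying on the rhost never sees an unverified string.
    """
    return fcrdns(ip, reverse, forward) or ip


# Variants backed by the system resolver (the real deal, network required).
def system_reverse(ip: str) -> List[str]:
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + list(aliases)
    except (socket.herror, socket.gaierror, OSError):
        return []


def system_forward(name: str) -> List[str]:
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except (socket.gaierror, OSError):
        return []


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, "->", rhost_for_pam(ip))
```

Against the constructed records only 192.0.2.10 yields a confirmed name; the ISP-style PTR and the co-hosted box both fall back to the IP, which is the situation John describes. To use the system resolver, call `rhost_for_pam(ip, system_reverse, system_forward)`.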