Re: Comments on draft-freed-sieve-environment-04

[Ned Freed <ned.freed@xxxxxxxxxxx>]

> On Sun, 2008-03-23 at 10:50 -0700, Ned Freed wrote:
> > Also a good point. I have added:
> >
> >   The remote-host environment item defined in this specification is usually
> >   determined by performing a PTR DNS lookup on the client IP address. This
> >   information may come from an untrusted source. For example, the test:
> >
> >     if environment :matches "remote-host" "*.mydomain.com" { ... }
> >
> >   is not a good way to test whether the message came from 'outside' becaus
> >   anyone who can create a PTR record can create one that refers to whatever
> >   domain they choose.
> [...]
> >
> > I think a simpler way to handle this is to say that the name will
> > be blank if it cannot be resolved into a host name. How about:
> >
> >  "remote-host"
> >            => Host name of remote SMTP/LMTP/Submission client, if
> >               applicable and available. The empty string will be returned
> >               if for some reason this information cannot be obtained for
> >               the current client.

> sorry, I don't understand what this means.  is the existence of a PTR
> record sufficient?

Who knows? The mechanism used to obtian the remote-host isn't (and should not
be) specified. As such, a PTR could be sufficient. Or it may not be - some
systems do a backwards-forwards check. And there can even be cases when a PTR
record isn't needed - DNS names aren't the only game in town, you know.

> it seems so, given the above added caveat.  if so --
> how is a script able to detect a forgery?

It can't. That's the point.

				Ned