Subject: Re: postfix rDNS verification and getaddrinfo()
To: None <tech-net@netbsd.org>
From: Wolfgang S. Rupprecht <wolfgang+gnus20030816T110955@wsrcc.com>
List: tech-net
Date: 08/16/2003 11:12:55

kre@munnari.OZ.AU (Robert Elz) writes:
> Date: 15 Aug 2003 14:45:55 -0700
> From: wolfgang+gnus20030815T141901@wsrcc.com (Wolfgang S. Rupprecht)
> Message-ID: <x7isoyioh8.fsf@capsicum.wsrcc.com>
>
> | connection from [1.2.3.4]
> | rDNS lookup yields name foo.example.com
> | DNS verification of foo.example.com yields one IP address,
> | [5.6.7.8]. (Note this address is NOT the address
> | from step #1. We have a very clear forgery.)
>
> No you don't. All you have is an indication that the address that
> you're directed to in order to reach 5.6.7.8 is not the one that it
> is using to reach you. There is absolutely nothing incorrect about
> that.
>
> A forgery happens only when (in this kind of context) a name is used
> without authorisation - if 1.2.3.4 is authorised to say that it is
> foo.example.com then there is no forgery.
>
> That this makes it harder to trivially detect forgeries is clear,
> but it doesn't make it any less true. This is also why the mail
> standards say that you're not allowed to reject mail based upon
> some mis-conceived notion about what is given in the HELO (EHLO)
> command not being correct.

Are we arguing about my choice of the word "forgery" or Wietse's
choice in Postfix, as well as tcpwrappers before it, to do an
ip->hostname and hostname->ip lookup?

In any case, I believe that we are violating the principle of least
surprise by having that test dropped if the ipv6 patches are applied.

-wolfgang
--
Wolfgang S. Rupprecht http://www.wsrcc.com/wolfgang/
(NOTE: The email address above is valid. Edit it at your own peril.)
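
The ip->hostname and hostname->ip check this thread refers to, written family-aware so that it covers IPv4 and IPv6 peers alike. This is an added example, not code from the message, Postfix or tcpwrappers. The function names are hypothetical, and a mismatch is only reported as a result, leaving the policy decision debated above to the caller.

```c
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>

/* 1 if peer equals an entry of the forward-lookup list. Entries of another
 * address family are skipped, never treated as a match. */
int addr_in_list(const struct sockaddr *peer, const struct addrinfo *ai)
{
    for (; ai != NULL; ai = ai->ai_next) {
        if (ai->ai_family != peer->sa_family)
            continue;
        if (peer->sa_family == AF_INET &&
            ((const struct sockaddr_in *)peer)->sin_addr.s_addr ==
            ((const struct sockaddr_in *)ai->ai_addr)->sin_addr.s_addr)
            return 1;
        if (peer->sa_family == AF_INET6 &&
            memcmp(&((const struct sockaddr_in6 *)peer)->sin6_addr,
                   &((const struct sockaddr_in6 *)ai->ai_addr)->sin6_addr,
                   sizeof(struct in6_addr)) == 0)
            return 1;
    }
    return 0;
}
/* hostname->ip step: 1 match, 0 mismatch, -1 lookup failure. flags is 0 for
 * real DNS, AI_NUMERICHOST when literals stand in for DNS answers. */
int forward_confirms(const struct sockaddr *peer, const char *name, int flags)
{
    struct addrinfo hints, *res;
    int ok;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;         /* A and AAAA records alike */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = flags;
    if (getaddrinfo(name, NULL, &hints, &res) != 0)
        return -1;
    ok = addr_in_list(peer, res);
    freeaddrinfo(res);
    return ok;
}
/* ip->hostname step followed by the forward confirmation (needs a resolver). */
int verify_peer(const struct sockaddr *peer, socklen_t len)
{
    char name[1025];
    if (getnameinfo(peer, len, name, sizeof name, NULL, 0, NI_NAMEREQD) != 0)
        return -1;
    return forward_confirms(peer, name, 0);
}
```

Calling `forward_confirms()` with `AI_NUMERICHOST` and an address literal in place of the name exercises the comparison without any resolver traffic.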