David Woodhouse wrote:
Sat, 2006-05-06 at 15:15 -0700, Marc Perkel wrote:

>I ran across this CSA thing in the Exim manual. Do I want to use it?
>If so - why? And does it break email forwarding like SPF does?
>
>
It allows you to reject bogus use of HEL If nothing else, it's allowed
me to drop the hacks in my config files which specifically check for
_my_ machine's local hostname or one of my domain names being used in
HEL I haven't seen it reject much _other_ than that. Possibly because
CSA records aren't particularly widespread.
I also use it as a greylisting trigger, in conjuction with reverse DNS.
If you have _neither_ reverse DNS nor a CSA record, you are likely to
get greylisted. Those with crap ISPs who can't fix their reverse DNS can
usually at least manage to set up CSA.
It doesn't break forwarding.
Just for grins could you or someone post some sample CSA code. Maybe add it to the Wiki?
So the idea is that by publishing CSA information I'm telling the world what servers are allowed to say helo using my domain?

Sun, 7 May 2006, Marc Perkel wrote:
Just for grins could you or someone post some sample CSA code. Maybe add
it to the Wiki?
If you mean configuration examples, what's wrong with the documentation?
Tony.

Sat, 2006-05-06 at 15:15 -0700, Marc Perkel wrote:
I ran across this CSA thing in the Exim manual. Do I want to use it?
If so - why? And does it break email forwarding like SPF does?

It allows you to reject bogus use of HEL If nothing else, it's allowed
me to drop the hacks in my config files which specifically check for
_my_ machine's local hostname or one of my domain names being used in
HEL I haven't seen it reject much _other_ than that. Possibly because
CSA records aren't particularly widespread.

I also use it as a greylisting trigger, in conjuction with reverse DNS.
If you have _neither_ reverse DNS nor a CSA record, you are likely to
get greylisted. Those with crap ISPs who can't fix their reverse DNS can
usually at least manage to set up CSA.

It doesn't break forwarding.

Sun, 2006-05-07 at 05:11 -0700, Marc Perkel wrote:

It doesn't break forwarding.

Just for grins could you or someone post some sample CSA code. Maybe
add it to the Wiki?

Nah. RTFM -- you don't wamt my version, which predates Tony's proper
implementation -- I did it all manually.

It sets $acl_c0 which is then used directly for rejection in acl-helo
(in the same directory) and to trigger greylisting in acl-content.

So the idea is that by publishing CSA information I'm telling the
world what servers are allowed to say helo using my domain?

Yes. For any given hostname in your domain. Giving a blanket 'no' for
the domain name alone is quite useful too.

Sunday 07 May 2006 17:02 David Woodhouse wrote:
Sun, 2006-05-07 at 05:11 -0700, Marc Perkel wrote:

So the idea is that by publishing CSA information I'm telling the
world what servers are allowed to say helo using my domain?

Yes. For any given hostname in your domain. Giving a blanket 'no' for
the domain name alone is quite useful too.

My first reaction was "Yuck!". Looks like a really ugly hack to me,
overloading the SRV RR fields and all. SPF at least uses TXT RR's, which has
no particular semantics. the other hand there won't be any collisions, as
smtp isn't an existing IP protocol. Any other thoughts?

Sun, 7 May 2006, Magnus Holmgren wrote:

My first reaction was "Yuck!". Looks like a really ugly hack to me,
overloading the SRV RR fields and all. SPF at least uses TXT RR's, which
has no particular semantics. the other hand there won't be any
collisions, as smtp isn't an existing IP protocol. Any other thoughts?

CSA uses SRV records because that means that in the majority of cases a
conformance check only requires one DNS lookup. SPF usually requires many
DNS lookups, and then gives you the wrong answer.

Tony.