Re: [Exim] When the lowest numbered MX is firewalled.

Author: Tabor J. Wells
Date:  
To: JB
CC: ph10, exim-users
Subject: Re: [Exim] When the lowest numbered MX is firewalled.
On Thu, Aug 30, 2001 at 05:43:12AM -0700,
JB <jbrown007@???> is thought to have said:

> Philip,
>
> I totally disagree. People have been using this kind
> of mail delivery for ages and it's also perfectly
> "legal" and correct to do so.. it may add a very small
> increase in work for the sending MTA but why should
> the receiver of the email ever care about this??


It's not a very small increase in work when you consider that you have
to wait for a delivery attempt to timeout for every piece of email sent to
that domain. Multiply by a large volume of mail to that domain or a large
number of sites with this unfriendly setting and it gets to be extremely
expensive because your queues start to grow as it continues to back up.

> Wouldn't it just be as simple as adding the line:
>
> relay_domains_include_local_mx
>
> into your recv.mail.com Exim configuration file? Then
> if the sending MTA tries to send to your primary MX
> and this fails then it will send it to your second
> pref MX. This will then accept the mail and try to
> forward it to your first pref MX and as this is
> allowed through your firewall to send it on. Now the
> job is done and who was hurt?


relay_domains_include_local_mx does nothing to fix the fact that the
entire rest of the net can't get to their lowest MX, which is what the
original message in this thread was referring to.

> It can also add greater resilience and flexibility in
> adding and removing servers as you can add multiple A
> records relating to the server recv.mail.com.
>
> Just because the above configuration may be classed as
> "annoying" doesn't make it wrong!


It may not be "illegal" per se, but a site should not advertise an MX
to the outside world unless they also allow the outside world to connect
to it. To do otherwise suggests a lack of understanding of what an MX
record is. They should have a single MX record for the publicly
accessible server and then handle their own mail routing internally
without using DNS (or using some kind of split DNS views thing). Or they
should put all of their MXes in their DMZ.

What's even worse is when domains specify a lower MX record with a
non-routable IP that is only reachable via their local network. Especially
when their non-routable IP conflicts with one of your own.

Tabor

-- 
--------------------------------------------------------------------
Tabor J. Wells                                     twells@???
Fsck It!                 Just another victim of the ambient morality
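As an added illustration of the cost described above (example code, not from the thread or from Exim): a small Python audit that walks a domain's MX set in preference order the way a sending MTA does, charges a connect timeout for every address the outside world cannot reach, and flags lower-numbered MXes on RFC 1918 addresses, including ones that collide with your own networks. The MX data, the reachable set and the own-network ranges are constructed sample values.

```python
import ipaddress

# Ranges that are only reachable inside a site's own network
# (RFC 1918 private space, loopback, link-local).
LOCAL_ONLY = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def non_routable(addr):
    """True if the address can only be reached from inside a local network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_ONLY)

def audit_mx(records, reachable, own_networks=(), connect_timeout=30):
    """Walk MX records (preference, host, [addresses]) in preference order,
    as a sending MTA does. `reachable` holds the addresses the outside world
    can connect to (constructed here; a real audit would try to connect).
    Each unreachable address is charged the full connect timeout, a
    conservative estimate of what a sender waits on every message.
    Returns (findings, seconds wasted per message, delivered)."""
    own = [ipaddress.ip_network(n) for n in own_networks]
    findings, wasted, delivered = [], 0, False
    for pref, host, addresses in sorted(records):
        for addr in addresses:
            if non_routable(addr):
                msg = f"{host} ({addr}): non-routable address in a public MX"
                if any(ipaddress.ip_address(addr) in n for n in own):
                    msg += ", and it conflicts with a network of your own"
                findings.append(msg)
        if delivered:
            continue  # a sender stops at the first MX that accepts the mail
        for addr in addresses:
            if addr in reachable:
                delivered = True
                break
            wasted += connect_timeout
        if not delivered:
            findings.append(f"{host} (pref {pref}): unreachable from outside; "
                            f"senders wait {wasted}s before the next MX")
    return findings, wasted, delivered

# Constructed sample: the two lowest-numbered MXes are firewalled or on a
# private address; only the third accepts mail (RFC 5737 documentation IPs).
SAMPLE_MX = [
    (20, "mx2.example.net", ["198.51.100.20"]),
    (10, "mx1.example.net", ["192.0.2.10"]),
    (5, "internal.example.net", ["10.0.0.5"]),
]
REACHABLE = {"198.51.100.20"}
OWN_NETWORKS = ("10.0.0.0/24",)
```

Running `audit_mx(SAMPLE_MX, REACHABLE, OWN_NETWORKS)` reports three problems and 60 seconds wasted on every message before the third MX finally accepts it.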