Re: [Exim] Refuse connection if no MX for sending host

Author: Tony Finch
Date:  
To: rduvall
CC: exim-users
Subject: Re: [Exim] Refuse connection if no MX for sending host
"Rick Duvall" <rduvall@???> wrote:
>Is there a way to refuse an SMTP connection if the connecting host doesn't
>have an MX record in DNS? Is there a downside to doing this?
Yes, in many cases outgoing SMTP relays are separate from incoming SMTP
MX machines. E.g. when I worked at Demon, the mail system was split into
"punt" machines that received email from the Internet and delivered it
to customers, and "post" machines that received email from customers
and delivered it to machines on the Internet. MX records pointed to the
punt machines only.

Even if the topology is simple the DNS is still complicated. E.g. in
Cambridge we have a central email hub called ppsw that does everything
(incoming, outgoing, internal, scanning, etc.). However:

    cam.ac.uk.                   MX   ppsw.cam.ac.uk.
    ppsw.cam.ac.uk.              A    131.111.8.3
    ppsw.cam.ac.uk.              A    131.111.8.4    ; etc.
    3.8.111.131.in-addr.arpa.    PTR  plum.csi.cam.ac.uk.
    plum.csi.cam.ac.uk.          A    131.111.8.3

So in most cases there's no direct relationship between the machine's
hostname and relevant MXs -- this is even more evident in the Demon
case where the customer domains are in demon.co.uk but the machine
names are in mail.demon.net. Note also that it would be wrong to have
an MX for plum.csi.cam.ac.uk since there are no valid email addresses
@plum.csi.cam.ac.uk.

One thing you might also naively think of is checking that the MX for
the domain in the message's return path points to the machine you are
receiving it from. Again, Demon is an example of where this won't work.
Even in Cambridge we have a number of domains that receive email via
their own MXs (not ppsw) but it's still valid for them to emit their
email via ppsw.

You might benefit from investigating schemes like "repudiated mail from",
"reverse MX", or "sender permitted from", which do aim to provide
the kind of information you want in the DNS. However they aren't very
useful because they are deployed almost nowhere, and there's very little
incentive to deploy them.

Tony.
--
f.a.n.finch <dot@???> http://dotat.at/
MULL OF KINTYRE TO ARDNAMURCHAN POINT: EAST TO NORTHEAST 3 OR 4 BACKING NORTH
TO NORTHWEST. SHOWERS. MODERATE OR GOOD. SLIGHT TO MODERATE DECAYING SLIGHT.
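An added example, not part of the thread above: an offline simulation of the two checks discussed (MX for the connecting host's PTR name, and return-path MX pointing at the connecting host), run against the Cambridge records quoted in Tony's reply. The DNS table is constructed from those records; the department domain dept.example.cam.ac.uk and its MX address are hypothetical stand-ins for the "own MX, but sends via ppsw" case.

```python
# Constructed zone data from the reply, keyed by (name, rrtype) -> rdata list.
DNS = {
    ("cam.ac.uk.", "MX"): ["ppsw.cam.ac.uk."],
    ("ppsw.cam.ac.uk.", "A"): ["131.111.8.3", "131.111.8.4"],
    ("3.8.111.131.in-addr.arpa.", "PTR"): ["plum.csi.cam.ac.uk."],
    ("plum.csi.cam.ac.uk.", "A"): ["131.111.8.3"],
    # Hypothetical department: receives on its own MX, relays out via ppsw.
    ("dept.example.cam.ac.uk.", "MX"): ["mx.dept.example.cam.ac.uk."],
    ("mx.dept.example.cam.ac.uk.", "A"): ["131.111.200.1"],  # constructed
}


def lookup(name, rrtype):
    """Return the rdata list for (name, rrtype), or [] if absent (NXDOMAIN)."""
    return DNS.get((name, rrtype), [])


def ptr_name(ip):
    """Map a dotted-quad IPv4 address to its in-addr.arpa name."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def connecting_host_has_mx(ip):
    """Check from the question: does the connecting host's PTR name have an MX?"""
    return any(lookup(name, "MX") for name in lookup(ptr_name(ip), "PTR"))


def return_path_mx_covers(sender_domain, ip):
    """Check from the reply: does an MX of the return-path domain resolve to ip?"""
    return any(ip in lookup(mx, "A") for mx in lookup(sender_domain + ".", "MX"))


def would_reject(sender_domain, ip):
    """Policy under discussion; returns a rejection reason or None (accept)."""
    if not connecting_host_has_mx(ip):
        return "no MX for connecting host"
    if not return_path_mx_covers(sender_domain, ip):
        return "return-path MX does not point at connecting host"
    return None


if __name__ == "__main__":
    # Legitimate mail from ppsw for cam.ac.uk is rejected: plum has no MX.
    print(would_reject("cam.ac.uk", "131.111.8.3"))
    # Even the return-path check alone fails for the department relaying via ppsw.
    print(return_path_mx_covers("dept.example.cam.ac.uk", "131.111.8.3"))
```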