Re: [Exim] Refuse connection if no MX for sending host

From: Exim Users Mailing List
Date:
To: Dr Andrew C Aitchison
Cc: Exim Users Mailing List
Subject: Re: [Exim] Refuse connection if no MX for sending host
[ On Saturday, October 25, 2003 at 14:57:17 (+0100), Dr Andrew C Aitchison wrote: ]
> Subject: Re: [Exim] Refuse connection if no MX for sending host
>
> You want Tony to have an MX for plum.csi.cam.ac.uk ?


Hmmm.....

    $ telnet plum.csi.cam.ac.uk 25
    Trying 131.111.8.3...
    Connected to plum.csi.cam.ac.uk.
    Escape character is '^]'.
    220 plum.csi.cam.ac.uk ESMTP Exim 4.20 Sat, 25 Oct 2003 18:09:50 +0100
    quit
    221 plum.csi.cam.ac.uk closing connection
    Connection closed by foreign host.


Yes, he probably should have an MX for that host, since that's the name
the mailer appears to use.

That mailer does appear to accept mail for
<postmaster@???> too:

    $ vrfy -vvv -n postmaster@???
    rcpt 'postmaster@???' at 'plum.csi.cam.ac.uk'
    connecting to plum.csi.cam.ac.uk (131.111.8.3) port 25
    <<< 220 plum.csi.cam.ac.uk ESMTP Exim 4.20 Sat, 25 Oct 2003 18:29:20 +0100
    >>> EHLO proven.weird.com
    <<< 250-plum.csi.cam.ac.uk Hello proven.weird.com [204.92.254.15]
    <<< 250-SIZE 104857600
    <<< 250-PIPELINING
    <<< 250 HELP
    >>> VERB on
    <<< 500 unrecognized command
    >>> MAIL From:<>
    <<< 250 OK
    >>> RCPT To:<postmaster@???>
    <<< 250 Accepted
    Accepted
    >>> RSET
    <<< 250 Reset OK
    >>> QUIT
    <<< 221 plum.csi.cam.ac.uk closing connection


Of course his mailer configuration may be "non-standard" in that he's
made absolutely sure that the mailer never uses that name anywhere but
in the connection greeting banner (and the final 221 response). In that
case there's no real need for an MX and no need to accept e-mail for
that domain name.

(barring the initial idea that started this thread of course -- I wasn't
really in favour of it any more than I'm in favour of any of the other
"reverse MX" proposals)

> Then people will start sending mail to @plum.csi.cam.ac.uk.


Not necessarily -- only for issues related specifically to that mail
server, presumably in response to bounces or other errors.

> Not desirable, but stopping it is a battle he won't win.


Well, you say not having an MX won't stop them from sending mail to that
domain either, though he can reject that domain name as undeliverable.

The way one controls what domain names are used by people sending e-mail
is to control what domains appear in envelope and header addresses (and
what gets printed on business cards, in advertisements, etc., etc., etc.)

> He then retires plum from mail server duties, so has to make the
> plum MX record point at another machine, say peach, otherwise
> he won't receive that mail.


Not necessary, if that hostname is retired from SMTP duties then its MX
is retired as well, assuming that domain name was never used publicly
for anything but bounces.

On the other hand if the domain name does slip into popular use and its
continued use is to be supported, then redirecting the target of the MX
is trivial and could be done for as long as desired.

> I thought that the point of an MX record was to allow you to tell
> people that another machine handles mail to this host/domainname ?


The point of an MX is to tell mailers where to route mail for a domain.

There _should_ be an MX for every domain used in relation to SMTP.

The allowance for routing e-mail to hostnames (i.e. domain names that
resolve to A records) is a deprecated backwards compatibility hack that
dates back to January 1986 -- i.e. nearly two decades.

> If the host name of a mailer must be target of an MX you are
> forbidding asymmetric setups with different boxes for incoming and
> outgoing mail.


No, not at all.

If one truly wishes to separate inbound and outbound SMTP then it is
sufficient to make the MXes for the outbound mailer hostname(s) point to
the inbound mailer(s) (and of course to configure the inbound mailer(s)
to accept those domain names as locally deliverable domains).

This is all about making sure there's an MX for every domain name used
in relation to SMTP, including those hostnames used by mailers. I get
the distinct impression (from having attempted to contact several
thousand postmasters over the recent months) that many postmasters don't
have a clue what their mailers use for a domain name when they send
locally originated e-mail out from their systems (i.e. using a shell
account).

However in the interests of following the K.I.S.S. rule it's logical for
those configuring mailers to accept SMTP configurations on outbound-only
mailers and to publish MX RRs for those hostnames, simply to make it
easier for third parties to identify those systems as mail servers and
to provide for an easy and obvious way for third parties to get in
direct contact with the postmaster(s) responsible for those mailers.
More complicated configurations lead to confusion and confusion leads to
errors, and there's no need whatsoever in this case for any added
complication.

--
                        Greg A. Woods


+1 416 218-0098                  VE3TCP            RoboHack <woods@???>
Planix, Inc. <woods@???>          Secrets of the Weird <woods@???>
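
The check discussed in this message, as an added example that is not part of the original post: route a mailer's hostname the way a sending MTA would (MX first, A-record fallback second) and confirm that every MX target accepts that name as a local domain. The zone data, the host names under example.org, and the `route`/`audit` helpers are constructed for illustration; no live DNS is queried.

```python
# Constructed zone data (not real DNS): name -> record type -> values.
ZONE = {
    "in1.example.org":  {"A": ["192.0.2.10"], "MX": [(10, "in1.example.org")]},
    "in2.example.org":  {"A": ["192.0.2.11"]},
    # Outbound-only host whose MX points at the inbound mailer.
    "out1.example.org": {"A": ["192.0.2.20"], "MX": [(10, "in1.example.org")]},
    # Outbound host with no MX: reachable only through the A-record fallback.
    "out2.example.org": {"A": ["192.0.2.21"]},
    # Outbound host whose MX target was never told to accept its name.
    "out3.example.org": {"A": ["192.0.2.22"], "MX": [(10, "in2.example.org")]},
}

# Constructed: domains each inbound mailer treats as locally deliverable.
LOCAL_DOMAINS = {
    "in1.example.org": {"example.org", "in1.example.org", "out1.example.org"},
    "in2.example.org": {"example.org"},
}


def route(domain, zone=ZONE):
    """Return (method, hosts) as a sending MTA would route mail for domain."""
    records = zone.get(domain, {})
    if "MX" in records:
        # Lowest preference value is tried first.
        return "mx", [host for _, host in sorted(records["MX"])]
    if "A" in records:
        return "a-fallback", [domain]
    return "unroutable", []


def audit(mailer_name, zone=ZONE, local=LOCAL_DOMAINS):
    """Classify the name a mailer uses in its banner, EHLO and bounces."""
    method, hosts = route(mailer_name, zone)
    if method == "unroutable":
        return "FAIL", "no MX or A record"
    if method == "a-fallback":
        return "WARN", "no MX; mail relies on the A-record fallback"
    missing = [h for h in hosts if "A" not in zone.get(h, {})]
    if missing:
        return "FAIL", "MX target has no A record: " + ", ".join(missing)
    refusing = [h for h in hosts if mailer_name not in local.get(h, set())]
    if refusing:
        return "FAIL", "MX target does not accept this domain: " + ", ".join(refusing)
    return "OK", "MX -> " + ", ".join(hosts)


if __name__ == "__main__":
    for name in ("out1.example.org", "out2.example.org",
                 "out3.example.org", "gone.example.org"):
        print(name, *audit(name))
```
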