Author: Bill Hacker Date: To: exim Subject: Re: [Exim] Domain literals: weighing up the arguments
Frank S. Bernhardt wrote:
> I've been following this thread with great interest.
>
> For all the machines that I've got using Exim, I've turned off IP
> literals with no apparent detrimental results; until now.
>
> I have in the last week just installed Exim at a newly inherited
> customer, replacing a M$ Exchange server that was giving them nothing
> but trouble and that had been recently compromised (again).
> Apparently having MSCE after your name is no guarantee that you know
> how to set up a mail server (notice the lack of these 4 letters after
> my name).
>
> Anyway, everything was running just fine until I noticed an e-mail
> indicating that the domain name had been black listed by njabl.org.
> This happened because of the Exchange server compromise. In trying to
> get the domain de-listed I found that the listing site needed to
> send an e-mail to postmaster@[#.#.#.#]. If it could not reach this
> mail-box, the site would remain on the black list. Period.
>
> So given everything that has been posted on this thread, I have at
> least one concrete reason to allow at least postmaster@[#.#.#.#].
> That is, when replacing a f%^&#@ up Exchange server with a real MTA,
> you need a way for RBLs to contact you in order to get your site
> de-listed.
>
> --
>
> Regards
>
> Frank S. Bernhardt b.c.s.i.
Seems to me this situation would hardly be restricted to MS Exchange
'Servers' (sic), or to one RBL-maintainer. And it may explain some
quirks I now need to look into...
My take after following this issue is that any server running any sort
of MTA, even if only for outbound cron job reports, and especially if on
a domain-less devel box, or any sort of 'backend' not otherwise in an MX
record as a mail host, *should at least* 'alias' or forward
<postmaster@???> AND <postmaster@(#.#.#.#)> to another address
attached to a reachable human being (and ONLY to that address).
FWIW, I will now modify this alias on the half-a-dozen or so
otherwise-unrelated boxes to an address on a different server - one that
is in a netblock on another continent and has a very low risk of itself
being blacklisted.
IMNSHO, the benefits of receiving helpful information - however rare -
clearly outweigh the risks. If one has inadvertently configured (or
'inherited' responsibility for) a box that is being/can be abused, best
to hear about it sooner rather than later - perhaps after a whole netblock
has been blacklisted (as has happened to a major local data centre ISP
after a number of their colocation clients' WinBoxen/LinuxBoxen were
compromised).
Other than <postmaster...>, however, I agree that domain-literals should
not be accepted in the more general case.
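To make the recommendation above concrete, here is an added Exim 4 configuration fragment (not from the original post or from the Exim project) that accepts domain-literal recipients only for postmaster and redirects them to a contact on another host. The address abuse-contact@example.org and the placement of the pieces in the main, ACL and router sections are assumptions.

```exim
# Added example (not from the original post): Exim 4 fragments that accept
# domain-literal recipients ONLY for postmaster and forward them elsewhere.
# Assumed: abuse-contact@example.org is a placeholder for a real human's
# mailbox on a different server.

# ---- main section ----
# Let Exim parse addresses such as postmaster@[192.0.2.10] at all.
allow_domain_literals = true

# @[] matches any of this host's own IP addresses written as a domain
# literal, so postmaster@[<our IP>] counts as local beside our named domains.
domainlist local_domains = @ : @[]

# ---- acl_check_rcpt (checked at RCPT time) ----
# Accept postmaster for every local domain, literal or named.
accept  local_parts = postmaster
        domains     = +local_domains

# Every other local part addressed to a domain literal is refused, so the
# literal form cannot be used to probe for or deliver to arbitrary mailboxes.
deny    message     = domain literals are accepted only for postmaster
        domains     = @[]

# ---- routers (place before the normal local delivery routers) ----
# Forward postmaster@[<our IP>] to a human on another server, and to that
# address only: no local copy is kept on this box.
literal_postmaster:
  driver      = redirect
  domains     = @[]
  local_parts = postmaster
  data        = abuse-contact@example.org
```

Named-domain postmaster mail still goes through whatever alias file the existing local routers use; this fragment only covers the domain-literal form.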