[Exim] Re: abusive MX records look up to "mail."

Author: Alan J. Flavell
Date:  
To: Exim users list
Subject: [Exim] Re: abusive MX records look up to "mail."
On Mon, 23 Feb 2004, Alan J. Flavell wrote:

> # host -t mx medicalsavingzrus.com
> medicalsavingzrus.com mail is handled by 0 mail.

[..]

> due to the non-callout "verify = sender" that we're using - and
> issuing a _temporary_ error, and the abuser (or their compromised
> relay) are retrying over and over.


OK, with a lot of help from Chris, I think we've homed in on this
problem.

In *our* case, there exists a DNS name mail.physics.gla.ac.uk (it's an
alias for the mail host itself), and the default domain is
physics.gla.ac.uk.

What's happening in the lookuphost router is that:

- first, the MX record is looked up in the DNS. The answer is "mail"

- then, that answer is looked up for an A record, but because "mail"
is not found, it tries appending the default domain. And in our
case it then succeeds.

As the result of this:

lookuphost router called for foo@???
domain = medicalsavingzrus.com
DNS lookup of medicalsavingzrus.com (MX) succeeded
DNS lookup of mail (A) succeeded

[..bogons test does not trigger..]

local host has lowest MX
fully qualified name = medicalsavingzrus.com
host_find_bydns yield = HOST_FOUND_LOCAL (3); returned hosts:
othello.physics.gla.ac.uk 130.209.204.200 0
LOG: MAIN
lowest numbered MX record points to local host:
medicalsavingzrus.com (while routing <foo@???>)
lookuphost router: defer for foo@???
message: lowest numbered MX record points to local host
foo@??? cannot be resolved at this time:
lowest numbered MX record points to local host

And so, we keep issuing temp.fails until the sender loses interest.


When Chris tries this on the central mailer, by comparison, he gets a
perm.fail, but it should be noted that there is no registration for
mail.gla.ac.uk

Chris points to the qualify_single option of the lookuphost router,
which by default is "true". Maybe (or maybe not) that is a useful
feature when looking up the MX record itself.

But after the MX record has been looked up, and the result is being
used to look up an A record for mail host(s), it seems to me to be
wrong that the qualify_single option gets honoured.

A mischievous spammer could register all kinds of rubbish, like "www"
or "dns1" or "exchange" or what-have-you, in their MX record, making
us hostage to whatever we get when we qualify it with our default
domain. Or so it seems to me.


Anyway, we're discussing whether, as a workaround, we can turn off
qualify_single for this router. I'm not sure whether it ever does us
any good, to be honest.

But irrespective of which way that decision falls, I do have this gut
feeling that the qualify_single setting should be ignored in the
second stage of the lookup, as I said above.

Am I making any kind of sense?
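
Added example (not part of the original message, and not Exim code): a small Python model of the two-stage lookup the message describes, using the names from its debug output. The zone data is constructed, the per-stage switches `qualify_mx` and `qualify_host` are hypothetical, and a domain with no MX simply fails in this model.

```python
# Added illustration: a toy model of the two-stage lookup, not Exim code.
# ZONE is constructed sample data using the names from the debug output.
ZONE = {
    ("medicalsavingzrus.com", "MX"): [(0, "mail")],  # "mail." in the DNS
    ("mail.physics.gla.ac.uk", "A"): ["130.209.204.200"],
}
DEFAULT_DOMAIN = "physics.gla.ac.uk"
LOCAL_ADDRESSES = {"130.209.204.200"}


def lookup(name, rrtype, qualify_single):
    """Look up name; a single-label name that is not found is retried
    with the default domain appended when qualify_single is true."""
    name = name.rstrip(".").lower()
    answer = ZONE.get((name, rrtype))
    if answer is None and qualify_single and "." not in name:
        answer = ZONE.get((f"{name}.{DEFAULT_DOMAIN}", rrtype))
    return answer


def route(domain, qualify_mx, qualify_host):
    """Return (verdict, detail). qualify_mx / qualify_host are hypothetical
    per-stage switches; the router in the post has one qualify_single."""
    mx_records = lookup(domain, "MX", qualify_mx)
    if not mx_records:
        return ("fail", "no MX records")
    hosts = []
    for preference, target in sorted(mx_records):
        addresses = lookup(target, "A", qualify_host)
        if addresses:
            hosts.append((preference, target, addresses))
    if not hosts:
        return ("fail", "MX records point to non-existent hosts")
    _, _, lowest_addresses = hosts[0]
    if LOCAL_ADDRESSES.intersection(lowest_addresses):
        return ("defer", "lowest numbered MX record points to local host")
    return ("route", hosts[0][1])


def unqualified_mx_targets(domain):
    """MX targets with a single label: the ones qualification can redirect."""
    records = lookup(domain, "MX", False) or []
    return [t for _, t in records if "." not in t.rstrip(".")]


if __name__ == "__main__":
    for flags in [(True, True), (True, False), (False, False)]:
        print(flags, route("medicalsavingzrus.com", *flags))
    print(unqualified_mx_targets("medicalsavingzrus.com"))
```

With qualification on in both stages the model defers as in the debug output; with it off in the second stage the same domain fails outright.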