Heya,
I found out something just recently and wanted to share with you guys:
The problem:
On our hosting service, lusers can add domains for inbound mail. A rogue
luser can therefore add somebody else's domain, or worse, something very
popular like gmail.com. Once such a domain is in local_domains and the
luser creates a catchall record, Exim accepts mail for it as local and
simply delivers it to him, no matter where the domain's real MX points.
Prerequisite:
A DNS server that doesn't treat such domains as local, i.e. one that
answers with the domain's public MX records rather than with an internal
zone of ours. named running on localhost will do, with the help of views.
Solution:
domainlist global_domains = dsearch;EXP_GLOBAL_DOMAINS
domainlist virtual_domains = dsearch;EXP_DOMAINS
domainlist local_domains = ${if or{ \
{ match_domain{$domain}{+global_domains} } \
{ and { \
{ match_domain{$domain}{+virtual_domains} } \
{ match{${lookup dnsdb{mx=$domain}{$value}fail}}{\N(?mi)^\d+ (?:mx\.domain\.pl|fancyname\.domain\.com)$\N}} \
}}}{$domain}{}}
A bit of explanation:
"global_domains" are assigned by us, so no lookup is required.
"virtual_domains" are those added by lusers, from whose potential abuse
we need to protect ourselves. Both are dsearch lookups against the
directories named by the EXP_GLOBAL_DOMAINS and EXP_DOMAINS macros.
A virtual domain only counts as local when at least one of its MX records
points at one of our hosts: the dnsdb mx= lookup returns one
"priority hostname" line per record, and with (?m) the anchored regex is
tested against each line, so one matching line is enough.
Caveats:
- Only the MX records are checked. That isn't a problem for me myself,
but it has to be taken into account.
- No MX records (or a failed lookup) results in a defer, not a reject.
That isn't really bad: some DNS errors (network down, recursion failed)
can (sometimes) be reported as NXDOMAIN by (some) resolvers, so a
temporary failure is the safer outcome.
Feedback is, as always, welcome.
--
Unix stuff :: http://tehran.lain.pl
Yet Another RBL :: http://rbl.lain.pl
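For anyone who wants to see the decision logic outside of Exim's string-expansion syntax, here is the same check re-implemented in Python. This is an added illustration, not Exim code and not the poster's own configuration: the `${if or{...}}` expansion is modelled as a function that takes an injectable MX lookup, so the three outcomes (local, not local, defer) can be exercised offline against a constructed MX table. The domain names, the MX hosts and the lookup table are made up; the optional `dnspython_mx_lookup` helper assumes the dnspython library is installed and is not called by the demo.

```python
"""Model of the Exim local_domains check from the post, as plain Python.

Added example, not part of the original post or of Exim: the decision logic
of the ${if or{...}} expansion is re-implemented so the three outcomes
(local / not local / defer) can be exercised against constructed MX answers.
Domain names, MX hosts and the lookup table below are made up.
"""
import re
from enum import Enum

# Same two (placeholder) MX hosts as the regex in the Exim config. dnsdb's
# mx= lookup yields one "preference host" line per record, so (?m) lets ^/$
# test each line; one matching line is enough, as with Exim's 'match'.
OUR_MX_RE = re.compile(r"^\d+ (?:mx\.domain\.pl|fancyname\.domain\.com)$",
                       re.IGNORECASE | re.MULTILINE)

# Stand-ins for the dsearch directories EXP_GLOBAL_DOMAINS / EXP_DOMAINS.
GLOBAL_DOMAINS = {"domain.pl"}                   # assigned by the hoster
VIRTUAL_DOMAINS = {"customer.example",           # added by customers
                   "gmail.com",                  # a rogue customer added this
                   "nomx.example",
                   "partly.example"}


class Verdict(Enum):
    LOCAL = "local"          # accept and deliver locally
    NOT_LOCAL = "not_local"  # not ours: relay/reject rules apply instead
    DEFER = "defer"          # expansion failed -> temporary error


class MxLookupError(Exception):
    """No usable answer: NXDOMAIN, no MX records, SERVFAIL or timeout."""


def is_local_domain(domain, global_domains, virtual_domains, mx_lookup):
    """Mirror of the domainlist expansion.

    mx_lookup(domain) must return dnsdb-style text ("10 host\\n20 host")
    or raise MxLookupError, which corresponds to the '{$value}fail' branch.
    """
    d = domain.lower().rstrip(".")
    if d in global_domains:                      # match_domain +global_domains
        return Verdict.LOCAL
    if d not in virtual_domains:                 # not claimed by anyone
        return Verdict.NOT_LOCAL
    try:
        answer = mx_lookup(d)
    except MxLookupError:
        return Verdict.DEFER                     # forced expansion failure
    return Verdict.LOCAL if OUR_MX_RE.search(answer) else Verdict.NOT_LOCAL


# Constructed DNS data: None models "no MX records / NXDOMAIN".
FAKE_MX = {
    "customer.example": "10 mx.domain.pl\n20 fancyname.domain.com",
    "partly.example":   "10 mail.elsewhere.example\n50 MX.DOMAIN.PL",
    "gmail.com":        "5 mx.someone-else.example",   # made up, not real data
    "nomx.example":     None,
}


def fake_mx_lookup(domain):
    answer = FAKE_MX.get(domain)
    if answer is None:
        raise MxLookupError(domain)
    return answer


def dnspython_mx_lookup(domain):
    """Real lookup via dnspython (optional; not used by the demo below).

    Raises MxLookupError for anything Exim's dnsdb would turn into a failed
    lookup, including temporary resolver errors, which is why a defer, not
    a reject, is the right reaction.
    """
    import dns.exception
    import dns.resolver
    try:
        rrset = dns.resolver.resolve(domain, "MX")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer,
            dns.resolver.NoNameservers, dns.exception.Timeout) as exc:
        raise MxLookupError(str(exc)) from exc
    return "\n".join(f"{r.preference} {str(r.exchange).rstrip('.')}"
                     for r in rrset)


def classify(domain, mx_lookup=fake_mx_lookup):
    return is_local_domain(domain, GLOBAL_DOMAINS, VIRTUAL_DOMAINS, mx_lookup)


if __name__ == "__main__":
    for name in ("domain.pl", "customer.example", "partly.example",
                 "gmail.com", "nomx.example", "unknown.example"):
        print(f"{name:20} -> {classify(name).value}")
```

Running it shows gmail.com, although present in the virtual domain list, ending up as not local because none of its MX lines point at our hosts, while nomx.example is deferred rather than rejected, matching the second caveat. partly.example is accepted on the strength of its lower-priority record alone, which is the per-line matching behaviour of the `(?m)` regex in the Exim config.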