On 2007-05-14 at 22:33 +0200, Peter Thomassen wrote:
> Phil Pennock wrote:
> > In summary: Exim is powerful, Exim 4.67 is more powerful, and I
> > recommend this new Router immediately after dnslookup has handled all
> > domains other than +local_domains:
> >
> > not_yet_hosted:
> > driver = dnslookup
> > domains = ! @mx_any/ignore=<;127.0.0.1;::1
> > transport = remote_smtp
> > ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8
>
> Phil, great thanks for your detailed answer. I'm going to include this new
> router tomorrow. Unfortunately, I do not understand why both the /ignore
> clause and ignore_target_hosts are necessary. In my understanding, either
> instruction makes Exim ignore 127.0.0.1 DNS records. The latter refers to
> the whole subnet.
>
> Now a question if I got it right: If we left out the ignore instructions and
> the domain resolved to the loopback address, our new router would come in
> and then produce a loop, right?
@mx_any/ignore=FOOLIST means "if any of my IP addresses except those in
FOOLIST appear in the MX records, then match"; we're using this to
figure out whether or not a given domain has an MX record which includes
us.
So the "domains" option is ensuring that we'll only think that the
domain has been pointed to us if a non-loopback address of ours appears
in the MX records anywhere. Ie, we keep it for ourselves if a real
valid address of ours is publically available.
If there's another IP address of ours anywhere in the list obtained by
resolving all the hostnames in the MX records, then the /ignore doesn't
matter.
If there is not another IP address of ours, we send it away.
Then, before sending away, ignore_target_hosts strips out any addresses
which might result in trying to send it back to ourselves; this includes
the loopback block 127/8 and also the 0/8 network because historically
0/{8..24} have had special meaning and can end up effectively being a
local network, with 0.0.0.0 being the local host.
So if one of your new customers has declared "our primary MX is always
up, no-one has any legitimate reason to use secondary MX so we'll put
bad records in to cause problems for spammers" then (a) you can educate
them about Internet routing, pointing to the spats between big network
providers and (b) you'll see that their DNS might include this subset:
example.org. MX 10 mail.example.org.
example.org. MX 50 badmail.example.org.
mail.example.org. A 192.0.2.10
badmail.example.org. A 127.0.0.1
Without the /ignore=127.0.0.1, your Exim config will deem this to mean
that the domain is pointed to you and it should keep the mail, because
127.0.0.1 is configured on a local interface.
Without the ignore_target_hosts option, if your Exim host can't connect
to 192.0.2.10 (routing problem, server down[*]) then it'll all back to
trying to send to itself with the priority 50 MX record.
> Then, why isn't 0.0.0.0 in the /ignore clause? Shouldn't the 192.168.x.y IP
> range also be added, maybe to both?
0.0.0.0 is almost certainly not an IP address which you've explicitly
configured on one of your host's interfaces, so Exim wouldn't think that
its presence in an MX record means "matches me".
If you have private address space configured up, then you should add
that to the @mx_any/ignore list and to ignore_target_hosts, yes.
I have various restrictions on which IP addresses can connect to me
(acl_smtp_connect ACL) and what hosts I will connect to remotely; I
could probably clean these up and simplify them; I should also probably
start looking more carefully at relevant IPv6 equivalents.
----------------------------8< cut here >8------------------------------
hostlist bad_host_addresses = <; 0.0.0.0 ; 127.0.0.0/8 ; ::
hostlist rfc1918_addresses = 10.0.0.0/8 : 172.16.0.0/12 : 192.168.0.0/16
hostlist special_ipv4_bad = +rfc1918_addresses : 0.0.0.0/8 : 127.0.0.0/8 : \
169.254.0.0/16 : 192.0.2.0/24 : 198.18.0.0/15 : \
224.0.0.0/4 : 240.0.0.0/4
# see RFC 3330 for more about the items in that last list
# ACL section:
acl_connect:
accept hosts = @[] : +relay_from_hosts : +remote_hosts_nodelay
deny hosts = +special_ipv4_bad
message = Your IPv4 address should not be talking to me
accept hosts = *
delay = 3s
# Routers:
dnslookup:
driver = dnslookup
domains = ! +local_domains
transport = remote_smtp
ignore_target_hosts = +bad_host_addresses : +special_ipv4_bad
no_more
----------------------------8< cut here >8------------------------------
These hostlists appear in other places too. I could reject RFC1918 in
acl_connect too and probably should get around to it to reinforce the
network routers' filtering; a relic of this configuration starting out
being used on my home network.
It's not clear to me from the Specification whether or not you can use
@mx_any/ignore=+named_hostlist -- the doc says:
The list of IP addresses is in fact processed by the same code that
processes host lists, so it may contain CIDR-coded network specifications
and it may also contain negative items.
Because hostlists can include other hostlists, I _think_ that the
+named_hostlist can indeed be used, but I recommend checking carefully.
If anything else needs clarifying, well, I'm obviously not adverse to
exapnding ... ;^)
-Phil
