Re: [exim] Consider local_domains only if DNS matches

Author: Phil Pennock
Date:  
To: exim-users
Subject: Re: [exim] Consider local_domains only if DNS matches
On 2007-05-15 at 16:42 +0200, Peter Thomassen wrote:
> What happens then if the only MX points to 127.0.0.1? ;-)


The Router will fail, rather than decline, and you'll bounce the mail;
if the sender is also in that domain, the bounce will freeze.

Which is a good point; in this one case, you probably ideally want the
mail to continue into your system so that the "welcome, new customer"
mails await them, despite their broken _previous_ DNS (which you are of
course fixing for them, as you'll be providing a much better service ;^) ).

That could be dealt with using a dnsdb mxh lookup in a condition.
Whether or not you think this corner case worth dealing with is another
matter.

More seriously -- what if the current DNS is broken? This might be why
they're moving their service to you. You should probably set
"pass_on_timeout" on the dnslookup_not_yet_hosted Router, so that if the
DNS is timing out then this Router declines the address and it's passed
on to the following Routers, which deal with it locally.

Also, if you want a belt+braces approach to dealing with MX records
which point to you, then you could set "self = pass" on this
dnslookup_not_yet_hosted Router; if someone changes the domains
inappropriately, then you're not necessarily immediately hosed.

Thus:

dnslookup_not_yet_hosted:
  debug_print = "R: dnslookup_not_yet_hosted for $local_part@$domain"
  driver = dnslookup
  domains = ! @mx_any/ignore=<;127.0.0.1;::1
  transport = remote_smtp
  pass_on_timeout
  self = pass
  same_domain_copy_routing = yes
  # ignore private rfc1918 and APIPA addresses
  ignore_target_hosts = 0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
                        172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
                        255.255.255.255


> The ignore_target_hosts line is from Debian's dnslookup router.


What, no multicast? :^) I've a vague recollection that the socket API
should fail to connect() a TCP socket to a multicast destination, but in
the interests of "this router has to be paranoid about existing DNS
having a high risk of being broken", it might be worth considering;
perhaps, if you do defend against localhost MX in a condition then you
can use the match_ip expansion condition to test it against a list.

If you're not on Exim 4.67 yet then this paranoia is better left for
when you are, as it's a job for "forall".

-Phil
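
Added example, not part of the original message and not Exim code: a Python check that parses the ignore_target_hosts value posted above and runs a constructed set of MX target addresses through it, showing that a multicast address passes the list as posted. Assumptions: the host names and addresses are constructed, 224.0.0.0/4 is taken as the multicast range the reply alludes to, and only IPv4 list items are handled.

```python
import ipaddress

# ignore_target_hosts value as posted in the router above (IPv4 only).
POSTED = r"""0.0.0.0 : 127.0.0.0/8 : 192.168.0.0/16 :\
             172.16.0.0/12 : 10.0.0.0/8 : 169.254.0.0/16 :\
             255.255.255.255"""

# Assumption: 224.0.0.0/4 (IPv4 multicast) is the range the reply hints at.
HARDENED = POSTED + " : 224.0.0.0/4"

# Constructed sample: MX host -> addresses a resolver returned for it.
SAMPLE_MX = {
    "mx1.example.test": ["192.0.2.10"],
    "mx2.example.test": ["127.0.0.1"],
    "mx3.example.test": ["224.0.0.1", "10.1.2.3"],
}

def parse_host_list(value):
    """Parse a colon-separated list of IPv4 addresses and CIDR blocks."""
    joined = value.replace("\\\n", " ")  # undo backslash line continuation
    return [ipaddress.ip_network(p.strip()) for p in joined.split(":") if p.strip()]

def classify(mx_addrs, ignore_value):
    """Return {host: (usable, ignored)} for the given ignore list."""
    nets = parse_host_list(ignore_value)
    report = {}
    for host, addrs in mx_addrs.items():
        usable, ignored = [], []
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            hit = any(ip in net for net in nets)
            (ignored if hit else usable).append(addr)
        report[host] = (usable, ignored)
    return report

def suspicious_survivors(report):
    """Addresses that pass the list but are still not deliverable unicast."""
    bad = []
    for usable, _ in report.values():
        for addr in usable:
            ip = ipaddress.ip_address(addr)
            if ip.is_multicast or ip.is_loopback or ip.is_unspecified:
                bad.append(addr)
    return bad

if __name__ == "__main__":
    for label, value in (("posted", POSTED), ("hardened", HARDENED)):
        rep = classify(SAMPLE_MX, value)
        print(label, rep, "survivors:", suspicious_survivors(rep))
```

This is an offline audit of address lists only; it does not model how Exim routes an address once hosts have been ignored.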