Re: [exim] sanity check, please?

Página Principal
Apagar esta mensagem
Responder a esta mensagem
Autor: Phil Pennock
Data:  
Para: Noah Meyerhans, Exim-users
Assunto: Re: [exim] sanity check, please?
On 2009-06-10 at 14:36 -0400, Noah Meyerhans wrote:
> Hi all. I've got a legacy domain that I'd like to turn into a virtual
> host. This is straightforward, and I've got a bunch of these. This one
> is somewhat different, though, because there are a whole mess of other
> domains that, using MX records, are basically synonymous with this one
> domain. I'd like to avoid any sort of static configuration for these
> various other domains, since they'll all "legacy" and should gradually
> go away. I'd also prefer to abstract the specific domain names out of
> the exim config, so I can do this for additional domains in the future
> if needed.
>
> In other words, we've got foo.example.com, which I'd like to turn into
> the virtual host. But then we've also got bar.example.com that lists
> foo.example.com as it's primary MX.
>
> So I've created these routes:
>
> legacy_mx:
> driver = manualroute
> domains = @mx_primary : !+local_domains
> self = pass
> route_data = ${lookup dnsdb{mxh=$domain}}


So @mx_primary matches where this host is the primary MX; you then
generate a list of all hosts in any MX record for this domain and route
it to them, thus you're having the primary MX send mail to the backups
as well as itself.

So if I set up MX records with you as primary and 10 other hosts, I have
a 10/11 chance of using you as an open relay; the address will verify
and depending upon config still be routed off-site, depending upon
setup. This seems fragile.

Generally, deferring trust of which domains you trust to be "you" to DNS
is fragile, unless you control which DNS servers you're checking and not
using normal DNS at all. Ie, still fragile in practice.

Since you're relying upon $self_hostname.db existing for the domain, to
hold the aliases, why not use the existence of an aliases file to create
support for a domain?

You could use the require_files pre-condition on a router, for instance.
So once the aliases file for a domain exists, you accept mail for that
domain.

-Phil