On Sat, 2014-02-22 at 22:02 +0100, Heiko Schlittermann wrote:
> On 22. Februar 2014 20:00:31 MEZ, Viktor Dukhovni <exim-users@???> wrote:
> >Returning 5XX at connect time (server SMTP banner) is unwise:
> >
> > - Postfix and various other MTAs will by default treat a 5XX
> > banner as a temporary error condition, and will queue and retry.
> > The reason is historically flawed 5xx responses from some servers
> > when they're overloaded.
> >
> > - You don't get to log the sender and intended recipients, so it is
> > difficult to identify false positives in your logs when users
> > report missing email.
> >
> >If you return a 5XX "EHLO" response, the first objection goes away,
> >but the second remains. You should generally leave RBL processing
> >at the RCPT TO stage, so you can log rejected recipients.
>
> And I'm not sure, but I think you should not block messages to postmaster. To achieve that, you have to wait for RCPT.
>
> Rejecting with 5xx at SMTP connect is about the same as a TCP reject; as Viktor says, most MTAs will retry later or at your fallback MX.
>
> (But spam senders won't care, so probably it helps. Remains the postmaster issue as a reason to wait for the RCPT.)
My philosophy is:
1. Accept incoming emails from professional senders, not from dynamic
IPs and not from 'standard' residential consumer type hosts, examples:
*adsl.alicedsl.de
*dynamic.se.alltele.net
*adsl.anteldata.net.uy
*pools.arcor-ip.net
*as9105.com
*as13285.net
*as43234.net
2. If a sending MTA repeatedly ignores a 5xx, then block that IP for a
month.
3. Always give the sending MTA a reason and a contact telephone number
or contact email address.
4. Never knowingly lost a genuine incoming email. Never had any
complaints.
5. Viktor's point about defective Postfix (& M$ in my experience) mail
servers ignoring 5xx because of historical reasoning should prompt
Postfix into repairing their broken system. Ignoring 5xx should never be
the default option in 2014.
As the Internet, a resilient world-wide communications system, evolves,
old 'bad' habits need to improve including accepting what 5xx actually
means.
Many large organisations no longer have a functioning postmaster email
address off the main domain name and some of those who do - especially
the Americans - ignore incoming postmaster emails. Many smaller
organisations have never heard of 'postmaster' and consequently have
never considered having a postmaster email address.
Perhaps there is a need to contain a "relevant" postmaster email address
in the DNS, as well as an abuse email address etc., so that multiple
domains sharing common 'postmaster' facilities do not have to replicate
the postmaster email address on every domain and sub-domain used for
emailing.
--
Paul.
England,
EU.
Our systems are exclusively Centos. No Micro$oft Windoze here.
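The thread's advice (defer blocking to the RCPT stage so the postmaster address is never blocked, the sender and recipient appear in the log, and the 5xx carries a reason and a contact address) expressed as an Exim RCPT ACL. This is an added example, not configuration from any poster on this thread and not Exim's shipped default; it assumes the main section sets `acl_smtp_rcpt = acl_check_rcpt` and `host_lookup = *` (so `$sender_host_name` is the verified reverse-DNS name), defines a `+local_domains` list, and `postmaster@example.org` is a placeholder contact address. The hostname patterns are constructed from the examples in the post.

```exim
# Added example (not from the thread or from Exim's default configure).
# Assumes in the main section:
#   acl_smtp_rcpt = acl_check_rcpt
#   host_lookup   = *          # populates $sender_host_name
# and a domainlist named local_domains. postmaster@example.org is a placeholder.

begin acl

acl_check_rcpt:
  # Always accept mail to postmaster for our own domains, so the blocking
  # rules below can never cut off the address people use to report errors.
  accept  local_parts = postmaster
          domains     = +local_domains

  # Refuse hosts whose reverse DNS looks like a residential or dynamic
  # pool (patterns constructed from the post's examples). Doing this at
  # RCPT time, not in the banner, means the log line carries sender and
  # recipient, and the 5xx text tells the operator whom to contact.
  deny    message     = Mail from residential or dynamic-IP hosts is not \
                        accepted here. Contact postmaster@example.org if \
                        you believe this is an error.
          condition   = ${if match{$sender_host_name}\
                          {\N(^|\.)(adsl|dynamic|pools)\.|(^|\.)as[0-9]+\.(com|net)$\N}}

  # DNSBL check, also deferred to RCPT for the same logging reason.
  # $dnslist_domain and $dnslist_text are set by the dnslists condition.
  deny    message     = $sender_host_address is listed at $dnslist_domain: \
                        $dnslist_text. Contact postmaster@example.org.
          dnslists    = zen.spamhaus.org

  # Anything that reached this point is handed on to the later ACLs.
  accept
```

Each `deny` is logged by Exim with the sender address and the rejected recipient, which is the point Viktor makes about finding false positives; a connect-time or EHLO-time rejection would have neither. The `\N...\N` wrapper keeps the regular expression out of string expansion, and backslash line continuation is ordinary Exim configuration syntax.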