Re: [exim] lowest numbered MX record points to local host

Startseite
Nachricht löschen
Nachricht beantworten
Autor: Cyborg
Datum:  
To: exim-users
Betreff: Re: [exim] lowest numbered MX record points to local host
Am 14.02.2018 um 10:52 schrieb Sebastian Nielsen via Exim-users:
> Easiest is to use local_domains but have a verification step for the
> shared hosting, so your interface where user add their domain, will
> verify that the MX is pointed to your server Before allowing the
> domain to be added to local_domains.


A good way, but you can't avoid hard lists of not to add domainnames.
> if (dnslookup($user_domain, "MX") ne "yoursmtp.yourdomain.com") {
> print "To add this domain you first need to set up your MX to Point to
> us. We cannot add your domain without you first reconfiguring the MX,
> for obvious security reasons".
> }


IF you want to relay on it, you need to use "dig +trace mx domainname"
(or similar algorithm) which traces the answeres from root to the
autoritative dns servers. If you use a cache, the process gets
attackable : "DNS Cache Poisoning Attack"  :)

If that is possible, why do i still need to relay on a hardcoded list ?

a) it's way faster
b) you can't tamper with it.
c) "famous" domainnames, like ebay.*  will never be transfered to your
own small hosting compay(, without you knowing first). Therefore, why
relay on a timeconsuming, tamperable process to find something out, you
already know ? And you have to take care of "not getting an answere,
when you should have got one." aka. packetloss with dns queries.

And now last, but by far not least:

D) The need of adding domains, that are active on other servers, because
they wanne switch from theire OLD ISP to you as theire NEW hosting
provider  :D
In the process of building a new webaccount, people tend to test
mailfunctionality, so it has to work, even if the mx is not set to your
server. And you have to cope with the fact, that some domains only host
the website with you, but don't wanne use your mailservices. Which leeds
to the ultimate hint: make localdomains dynamically alterable.

If you do a MX check, you can't add those domains to your system without
a side channel, and trust me, it's a day-by-day pratise to switch ISPs .

So heres my advise :

take some time, make a list, integrate it into your hosting config tool
and deny what makes common sense on your market segment.


Funny sidenote:

We found a borderline syndrom in mariadb caused by our dynamic
localdomains query, which involved the antispam checks in place, which
resulted in a complex query, the mariadb parser could not cope with if
limited to 1 result :D ( unlimited results ok, but limit 1 => DOS
endlessloop )  ( could be solved by a even more complex query ;) )

Marius