Re: mx checking ?
[ The original message was duplicated when transmitting from Matus' machine
to nic.funet.fi -- likely a strategically occurred IP routing breakdown
where nic got the ending dot, but the sender didn't get its ack.. The only
problem in SMTP that has no solution :-/ ]
> Hello,
>
> I thought if zmailer can check for MX in more ways...
I think I mentioned this a while back as something
my employers want.
> 1. if local machine is MX for sender or recipient - otherwise somebody is
> trying to send mail via our machine which can be in case of mail spamming.
> The mail can be optionally rejected.
>
> 2. if remote machine (sender) is mail exchanger for sender. If it is not,
> somebody sent mail via a machine which has nothing to do with it, probably.
> The mail can be optionally rejected.
>
> Any hints and comments are welcome.
Both have contradicting things:
1) You can put nic.funet.fi to be your MX without negotiating
about it with me -- thus it is not a usable test
[ I might not be happy about it, but that is another thing.. ]
2) Mailinglists ? Alias expansions ?
(Usually (=sendmail) the .forward does not affect MAIL FROM
address.)
We outlined the following coming home from one meeting, and
having beer in the train... This is my deeper analysis of the case:
1) If sender IP address is in networks that belong to
our customers ( - that have a Smart-Host agreement with
us), accept the message [ network in CIDR sense; anything
from a single IP address to "A"-supernets ]
2) If sender's MAIL FROM has domain address (or address suffix)
matching our customers, accept the message
[ fake protection: domain suffix, sender addresses must match! ]
[ fake protection fault: .forward ! -- SPAM-protection is
seriously hard problem! ]
3) If recipient address matches in the above manner, accept the
recipient address
4) If recipient address does not match in above manner, OPTIONALLY
reject the recipient address (alternate: log the data)
5) If no recipient address was accepted, reject the message
( address rejection is optional, but if all addresses are
rejected, the message must be rejected too! )
Opt6) Reject relaying to non-local addresses
Opt7) Reject !%@-kludge addresses
This must be table-driven to be able to handle the real set of
accepted sources/destinations. It CAN'T use MX-data! :-(
Problems surface at keeping that table up to date, among others..
> --
> E-mail: Matus.Uhlar@tuke.sk WWW: http://ccsun.tuke.sk/users/uhlar
> IRC: fantomas, TALK: uhlar@ccnews.ke.sanet.sk
> ...and if you think I'm talking for my employer, you're wrong...
/Matti Aarnio <mea@nic.funet.fi> <matti.aarnio@tele.fi>
...I have 6 levels of bosses above me, they speak for the employer...
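The table-driven relay policy outlined in steps 1-5 plus Opt6/Opt7 above, written out as a runnable check. This is an added example, not zmailer's own code or anything the list participants posted; the customer networks, domains and addresses are constructed sample data, and `reject_unmatched=False` models the "alternate: log the data" branch of step 4. As the message warns, step 2 matches only the forgeable MAIL FROM domain, so it is the weak link and is commented as such.

```python
"""Table-driven SMTP relay policy: accept by client network (step 1),
by MAIL FROM domain suffix (step 2), or per recipient by domain suffix
(step 3); optionally reject or just log unmatched recipients (step 4 /
Opt6); reject the whole message when nothing was accepted (step 5);
reject !%@ source-route kludges (Opt7). Sample table is constructed."""
import ipaddress
import logging

log = logging.getLogger("relaypolicy")

# Constructed policy table (hypothetical customers, documentation ranges).
CUSTOMER_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "203.0.113.7/32")]
CUSTOMER_DOMAINS = ("customer.example", "example.org")


def domain_of(addr: str) -> str:
    """Domain part of user@domain, lower-cased, without a trailing dot."""
    return addr.rsplit("@", 1)[-1].lower().rstrip(".") if "@" in addr else ""


def suffix_match(addr: str, suffixes) -> bool:
    """True when the address domain equals or is a subdomain of a table entry."""
    dom = domain_of(addr)
    return any(dom == s or dom.endswith("." + s) for s in suffixes)


def is_kludge(addr: str) -> bool:
    """Opt7: '%'-hack, UUCP '!' paths and '@a,@b:user@c' route addresses."""
    local = addr.rsplit("@", 1)[0] if "@" in addr else addr
    return addr.startswith("@") or "!" in local or "%" in local


def relay_decision(client_ip, mail_from, rcpt_tos, *, reject_unmatched=True, reject_kludge=True):
    """Return (accepted_rcpts, rejected_rcpts, reject_reason); reason is None if the message passes."""
    accepted, rejected = [], []
    ip = ipaddress.ip_address(client_ip)
    trusted_source = (
        any(ip in net for net in CUSTOMER_NETWORKS)        # step 1: customer network (CIDR)
        or suffix_match(mail_from, CUSTOMER_DOMAINS)        # step 2: weak, MAIL FROM is forgeable
    )
    for rcpt in rcpt_tos:
        if reject_kludge and is_kludge(rcpt):                       # Opt7
            rejected.append(rcpt)
        elif trusted_source or suffix_match(rcpt, CUSTOMER_DOMAINS):  # steps 1-3
            accepted.append(rcpt)
        elif reject_unmatched:                                      # step 4 strict / Opt6
            rejected.append(rcpt)
        else:                                                       # step 4 alternate: log only
            log.info("relay %s -> %s from %s", mail_from, rcpt, client_ip)
            accepted.append(rcpt)
    if not accepted:                                                # step 5
        return [], rejected, "no acceptable recipients"
    return accepted, rejected, None


if __name__ == "__main__":
    print(relay_decision("198.51.100.9", "bob@spammer.example",
                         ["alice@sub.customer.example", "x@remote.example"]))
```

The per-recipient loop is what makes step 5 meaningful: a message from an untrusted source with one customer recipient and one outside recipient gets the outside recipient refused at RCPT time but still delivers to the customer, while a message with no acceptable recipient is refused outright. Keeping the table as plain data is what the message means by "table-driven"; keeping it current is the operational problem the message points out.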