
Re: mx checking ?



[ The original message was duplicated when transmitting from Matus'
  machine to nic.funet.fi -- likely a strategically occurring IP routing
  breakdown where nic got the ending dot, but the sender didn't get its
  ack..   The only problem in SMTP that has no solution :-/ ]

> Hello,
> 
> I thought if zmailer can check for MX in more ways...

	I think I mentioned this a while back as something
	my employers want.

> 1. if the local machine is MX for sender or recipient - otherwise somebody
> is trying to send mail via our machine, which can be the case with mail
> spamming. The mail can be optionally rejected.
> 
> 2. if the remote machine (sender) is a mail exchanger for the sender. If it
> is not, somebody probably sent mail via a machine which has nothing to do
> with it. The mail can be optionally rejected.
>
> Any hints and comments are welcome.

Both have contradicting points:

	1) You can set  nic.funet.fi  to be your MX without negotiating
	   it with me -- thus it is not a usable test
	   [ I might not be happy about it, but that is another thing.. ]

	2) Mailing lists ? Alias expansions ?
	   (Usually (=sendmail) the .forward does not affect the MAIL FROM
	    address.)

We outlined the following coming home from a meeting, having beer
on the train...  This is my deeper analysis of the case:

	1)  If the sender IP address is in networks that belong to
	    our customers ( - that have a Smart-Host agreement with
	    us), accept the message [ network in the CIDR sense; anything
	    from a single IP address to "A"-supernets ]
	2)  If the sender's MAIL FROM has a domain address (or address suffix)
	    matching our customers, accept the message
	    [ fake protection: domain suffix, sender addresses must match! ]
	    [ fake protection fault:  .forward !  -- SPAM-protection is a
	      seriously hard problem! ]
	3)  If the recipient address matches in the above manner, accept the
	    recipient address
	4)  If the recipient address does not match in the above manner,
	    OPTIONALLY reject the recipient address (alternative: log the data)
	5)  If no recipient addresses were accepted, reject the message
	    ( address rejection is optional, but if all addresses are
	      rejected, the message must be rejected too! )
	Opt6) Reject relaying to non-local addresses
	Opt7) Reject !%@-kludge addresses


This must be table-driven to be able to handle the real set of
accepted sources/destinations.    It CAN'T use MX-data!  :-(

Problems surface in keeping that table up to date, among others..

> -- 
>  E-mail: Matus.Uhlar@tuke.sk WWW: http://ccsun.tuke.sk/users/uhlar
>  IRC: fantomas, TALK: uhlar@ccnews.ke.sanet.sk
>  ...and if you think I'm talking for my employer, you're wrong...


/Matti Aarnio <mea@nic.funet.fi> <matti.aarnio@tele.fi>
    ...I have 6 levels of bosses above me, they speak for the employer...
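The table-driven policy sketched in the numbered list above, written out as an added Python example. This is not zmailer code and not Matti's or Matus' own; the customer network list, the customer domain suffixes and the sample envelopes are constructed for illustration. It implements steps 1-5 plus Opt7 (the !%@ source-routing kludge check); Opt6 is covered by the same recipient-domain test as step 4, since "local" here means "in a customer domain". Note the domain-suffix match is done on a label boundary, so a MAIL FROM of notexample.com does not pass as example.com.

```python
"""Relay policy check in the spirit of the outline above (constructed example).

 1) sender IP inside a customer network        -> accept the whole message
 2) MAIL FROM domain is a customer domain       -> accept the whole message
 3) recipient in a customer domain              -> accept that recipient
 4) recipient not in a customer domain          -> reject it (or only log it)
 5) no recipient accepted                       -> reject the message
 Opt7) !%@ source-routing kludge in an address  -> reject that address
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed tables; a real deployment would load these from a file.
CUSTOMER_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("192.0.2.0/24", "198.51.100.7/32")]
CUSTOMER_DOMAINS = ("example.com", "example.net")


def domain_of(addr: str) -> str:
    """Domain part of a single-@ address, lower-cased, trailing dot stripped."""
    if addr.count("@") != 1:
        return ""                      # "<>" null sender, or a multi-@ kludge
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def domain_matches(addr: str, suffixes=CUSTOMER_DOMAINS) -> bool:
    """Suffix match on a label boundary: mail.example.com matches example.com,
    notexample.com does not."""
    dom = domain_of(addr)
    return bool(dom) and any(dom == s or dom.endswith("." + s) for s in suffixes)


def is_kludge(addr: str) -> bool:
    """Opt7: UUCP bang paths, percent hacks and multiple @ signs."""
    if addr.count("@") != 1:
        return True
    local = addr.rsplit("@", 1)[0]
    return "!" in local or "%" in local


@dataclass
class Decision:
    accepted: list = field(default_factory=list)
    rejected: list = field(default_factory=list)   # (recipient, reason)
    logged: list = field(default_factory=list)     # step 4 in non-strict mode
    message_accepted: bool = False
    reason: str = ""


def relay_decision(sender_ip: str, mail_from: str, rcpt_tos,
                   *, strict: bool = True) -> Decision:
    d = Decision()
    ip = ipaddress.ip_address(sender_ip)

    # Steps 1 and 2: the message as a whole is trusted on the strength of the
    # sending network or the MAIL FROM domain; recipients then need no check.
    if any(ip in net for net in CUSTOMER_NETWORKS):
        d.reason = "step 1: sender IP in customer network"
    elif domain_matches(mail_from):
        d.reason = "step 2: MAIL FROM in customer domain (forgeable; .forward)"
    trusted = bool(d.reason)

    for rcpt in rcpt_tos:
        if is_kludge(rcpt):                       # Opt7, regardless of tables
            d.rejected.append((rcpt, "Opt7: !%@ kludge address"))
        elif trusted or domain_matches(rcpt):     # step 3
            d.accepted.append(rcpt)
        elif strict:                              # step 4, reject variant
            d.rejected.append((rcpt, "step 4: relaying denied"))
        else:                                     # step 4, log-only variant
            d.logged.append(rcpt)
            d.accepted.append(rcpt)

    # Step 5: a message with no accepted recipient is rejected as a whole.
    d.message_accepted = bool(d.accepted)
    if not d.message_accepted:
        d.reason = "step 5: no recipient accepted"
    return d


if __name__ == "__main__":
    # Constructed envelopes: a customer host relaying anywhere, an outsider
    # delivering to a customer, and an outsider trying to relay through us.
    for ip, mf, rcpts in (
        ("192.0.2.10", "joe@elsewhere.org", ["anyone@faraway.test"]),
        ("203.0.113.5", "x@notexample.com", ["bob@example.com", "eve@far.test"]),
        ("203.0.113.5", "x@spam.test", ["user%victim.test@example.com"]),
    ):
        dec = relay_decision(ip, mf, rcpts)
        print(ip, mf, "->", "ACCEPT" if dec.message_accepted else "REJECT",
              dec.reason, dec.rejected)
```

The strict flag selects between the two variants of step 4 (reject the recipient, or only log it and carry on); either way step 5 still rejects a message that ends up with no accepted recipient.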