[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SMTP policy and DNS temporary unavailability


Just a thoughts about proper (for me, of course :-) smtp-policy... 
and maybe, somebody will help me to implement it into configs. 
smtp-policy.src _logic_ (rules interaction) is still not transparent 
for me.

I just follow steps mentioned in smtp-policy.src.

1. Connection establishment:  (IP address tested)

Just determine "MyClient" or "Non-MyClient". No immediate actions. 
Using RBL, etc. is too unpredictable in case of my (poor) 

2. HELO/EHLO parameter string:

If MyClient: No any tests. MS-Win home computers _may_ say "HELO 

If Non-MyClient: HELO must be an resolvable (either A or MX) FQDN. 
NB: reverse DNS comparison with #1 should not be done! Multihomed 
hosts and NAT-firewalled senders may exist, that's OK. But some ugly
spammers working from dial-up MS-Win boxes will be rejected with 
their "HELO gennady".

3. MAIL FROM address:

Both MyClient and Non-MyClient: FQDN address must be resolvable to 
either A or MX. Nobody (including clients) may send mail from 
definitely false origin. Surely, existing origin can be false 
too, and UUCP is rulezzz forewer :-). And surely, domain expansion 
should not be applied: MAIL FROM:<dean@physics> was rejected by our 
Technical Univercity relay until these folks configure their 
departament mailserver properly. And that's right.

4. RCPT TO address:

If MyClient: accept if address is syntaxically correct and can be 
tried for resolving in Router. No any immediate DNS checks should be 
done. We must finish dial-up session as fast as possible.

If Non-Myclient: accept if RELAYTARGET. Generally, it does not 
require DNS lookups - just own Zmailer database.

5. Resume.

For MyClients (determined in #1), no external DNS lookups should 
be done at all while SMTP session! Mail must be quickly accepted for 
relaying even if our external connectivity is completely broken now.
Actually, in #3 DNS lookup is done; but most of MyClients use 
local domains which are reliably resolved inside of the site. Those 
who use FROM: @hotmail.com, @mail.ru, etc... operate at their own 
risk. That's life.

For Non-MyClients we may use DNS as heavily as we want. First, if 
somebody reached us from outside by SMTP, than connectivity is 
present. Second, Non-MyCliens _must_ be servers, not dial-up 
machines; so, big pauses and 4xx temporary rejections are allowed.

I believe, this model is quite typical for a server being both 
inbound and outbound relay for dial-up/SMTP users. And the respective 
Zmailer ruleset may be useful for many people. I ask all of you to 
help to make it...