Re: SMTP policy and DNS temporary unavailability
Just some thoughts about a proper (for me, of course :-) smtp-policy...
and maybe somebody will help me implement it in the configs.
smtp-policy.src _logic_ (rule interaction) is still not transparent;
I just follow the steps mentioned in smtp-policy.src.
1. Connection establishment (IP address tested):
Just determine "MyClient" or "Non-MyClient". No immediate actions.
Using RBL etc. is too unpredictable in the case of my (poor)
2. HELO/EHLO parameter string:
If MyClient: no tests at all. MS-Win home computers _may_ say "HELO
If Non-MyClient: HELO must be a resolvable (either A or MX) FQDN.
NB: reverse DNS comparison with #1 should not be done! Multihomed
hosts and NAT-firewalled senders may exist; that's OK. But some ugly
spammers working from dial-up MS-Win boxes will be rejected with
their "HELO gennady".
3. MAIL FROM address:
Both MyClient and Non-MyClient: the FQDN of the address must be resolvable to
either A or MX. Nobody (including clients) may send mail from a
definitely false origin. Surely, an existing origin can be false
too, and UUCP rulezzz forever :-). And surely, domain expansion
should not be applied: MAIL FROM:<dean@physics> was rejected by our
Technical University relay until these folks configured their
department mailserver properly. And that's right.
4. RCPT TO address:
If MyClient: accept if the address is syntactically correct and can be
tried for resolving in the Router. No immediate DNS checks should be
done. We must finish the dial-up session as fast as possible.
If Non-MyClient: accept if RELAYTARGET. Generally, it does not
require DNS lookups, just our own Zmailer database.
For MyClients (determined in #1), no external DNS lookups should
be done at all during the SMTP session! Mail must be quickly accepted for
relaying even if our external connectivity is completely broken at the moment.
Actually, in #3 a DNS lookup is done; but most MyClients use
local domains which are reliably resolved inside the site. Those
who use FROM: @hotmail.com, @mail.ru, etc. operate at their own
risk. That's life.
For Non-MyClients we may use DNS as heavily as we want. First, if
somebody reached us from outside by SMTP, then connectivity is
present. Second, Non-MyClients _must_ be servers, not dial-up
machines; so big pauses and 4xx temporary rejections are allowed.
I believe this model is quite typical for a server being both
inbound and outbound relay for dial-up/SMTP users. And the respective
Zmailer ruleset may be useful for many people. I ask all of you to
help make it...
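The four-step policy sketched in the message above, written out as a small Python evaluator. This is an added illustration, not Zmailer's smtp-policy.src and not the poster's configuration: DNS is replaced by an in-memory table so it runs offline, and MY_NETWORKS, RELAY_TARGETS, LOCAL_DOMAINS, EXTERNAL_DNS and the Resolver class are constructed assumptions. It models the one property the post cares most about: a MyClient session completes with zero external DNS queries even when the uplink is down, while an outsider gets a 4xx temporary reject in the same situation.

```python
"""Policy evaluator for the four steps described in the post above.

Added illustration only: it is neither Zmailer's smtp-policy.src nor the
poster's configuration. DNS is replaced by an in-memory table so the
module runs offline; MY_NETWORKS, RELAY_TARGETS, LOCAL_DOMAINS,
EXTERNAL_DNS and the Resolver class are all constructed assumptions.
"""
import ipaddress
import re

MY_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]   # constructed: our dial-up pool
RELAY_TARGETS = {"example.org", "physics.example.org"}  # constructed: domains we accept mail for
LOCAL_DOMAINS = {"example.org", "physics.example.org"}  # constructed: served by the site's own DNS
EXTERNAL_DNS = {"mail.example.net": {"A"}, "hotmail.com": {"MX"}}  # constructed stand-in for the Internet


class DnsUnavailable(Exception):
    """External resolver unreachable: the post's 'connectivity is completely broken' case."""


class Resolver:
    """Resolves LOCAL_DOMAINS without the uplink; everything else goes through EXTERNAL_DNS."""

    def __init__(self, external_table, uplink_up=True):
        self.external_table = external_table
        self.uplink_up = uplink_up
        self.external_queries = 0  # counts lookups that needed the uplink

    def resolvable(self, name):
        """True if NAME has an A or MX record; no domain expansion is ever applied."""
        name = name.lower().rstrip(".")
        if name in LOCAL_DOMAINS:
            return True
        if not self.uplink_up:
            raise DnsUnavailable(name)
        self.external_queries += 1
        return bool(self.external_table.get(name, set()) & {"A", "MX"})


FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
ADDR_RE = re.compile(r"^<?([^@<>\s]+)@([^@<>\s]+)>?$")


def is_my_client(ip):
    """Step 1: classify by source address only; no immediate action is taken."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MY_NETWORKS)


def check_helo(helo, my_client, dns):
    """Step 2: clients are not tested; outsiders must give a resolvable FQDN."""
    if my_client:
        return "250"
    if not FQDN_RE.match(helo):
        return "550"  # bare hostnames such as "gennady" are refused outright
    try:
        return "250" if dns.resolvable(helo) else "550"
    except DnsUnavailable:
        return "450"  # outsiders are servers, so a temporary reject is acceptable


def check_mail_from(mail_from, dns):
    """Step 3 (everyone): the origin domain must be an FQDN with an A or MX record."""
    if mail_from.strip() == "<>":
        return "250"  # null return-path for bounces (standard SMTP; not discussed in the post)
    m = ADDR_RE.match(mail_from.strip())
    if not m or not FQDN_RE.match(m.group(2)):
        return "550"  # "<dean@physics>" fails here: the domain is not expanded
    try:
        return "250" if dns.resolvable(m.group(2)) else "550"
    except DnsUnavailable:
        return "450"  # a client using a foreign origin during an outage: its own risk


def check_rcpt_to(rcpt_to, my_client):
    """Step 4: clients get a syntax check only; outsiders must target a relay domain."""
    m = ADDR_RE.match(rcpt_to.strip())
    if not m:
        return "550"
    if my_client:
        return "250"  # resolution is left to the router after the dial-up session ends
    return "250" if m.group(2).lower().rstrip(".") in RELAY_TARGETS else "550"


def run_session(ip, helo, mail_from, rcpt_to, dns):
    """Apply the four steps in order and stop at the first non-2xx reply."""
    my_client = is_my_client(ip)
    steps = [
        ("helo", lambda: check_helo(helo, my_client, dns)),
        ("mail", lambda: check_mail_from(mail_from, dns)),
        ("rcpt", lambda: check_rcpt_to(rcpt_to, my_client)),
    ]
    replies = []
    for stage, fn in steps:
        code = fn()
        replies.append((stage, code))
        if not code.startswith("2"):
            break
    return replies


if __name__ == "__main__":
    outage = Resolver(EXTERNAL_DNS, uplink_up=False)
    print(run_session("192.0.2.10", "gennady", "<dean@physics.example.org>",
                      "<someone@hotmail.com>", outage), outage.external_queries)
```

The only design choice worth noting is that `Resolver` answers for LOCAL_DOMAINS before consulting the uplink, which is what lets a MyClient with a local origin pass step 3 during an outage; a MyClient sending from a foreign origin still hits the 450 at step 3, exactly the "own risk" the post accepts.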