At 04:43 AM 2/14/98 GMT, Jerry Trowbridge wrote:
>I have seen none of this...and I can't imagine what is prompting those
>messages.
The problem is this: DNS for domainx.com says host.foo.net is an MX, but
host.foo.net isn't internally configured to recognize "domainx.com" as a
domain it can accept. This happens more frequently than it should because
sometimes those with DNS control over domainx.com and those with mail
configuration control over host.foo.net aren't the same people or don't
communicate effectively. Or sometimes they are the same people, and they
simply don't keep it straight.
A less error-prone solution to this problem would be to allow mail daemons
to trust DNS, and if they're listed as an MX for a domain, accept the mail.
If they're the best-preference MX, treat the mail as local. If they're
not best-preference, accept it and queue it for the best-preference. That
way mail administrators wouldn't have to maintain lists of domains they are
local for, and domains they are backup-MX for.
The threat? People say this could be used to get around anti-spam
anti-relay measures, but I just don't see that. Someone could configure
their DNS to list your system as a backup MX without your knowledge, but
that same capability can't be used by a spammer when they're sending to
domains they don't have DNS control over.
It's not a panacea, but for some administrators it'd be a good solution.
Keeping an eye on relayed mail volume vs. local mail volume would be
adequate to make sure you're not being abused.
Brian
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
"Optimism is a strategy for making brian@apache.org
a better future." - Noam Chomsky brian@hyperreal.org
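
The MX-trusting policy proposed in the message above, sketched as an added example that is not part of the original message or of any mail daemon. The function names and the MX records other than domainx.com and host.foo.net are assumptions made up for illustration, and the rule of relaying only to strictly better-preferred hosts is the usual MX loop-avoidance convention rather than something the message states.

```python
# Added illustration. MX data is constructed inline, not looked up from DNS.
from collections import Counter

# Constructed sample records: recipient domain -> [(preference, host), ...]
SAMPLE_MX = {
    "domainx.com": [(10, "mail.domainx.com"), (20, "host.foo.net.")],
    "foo.net": [(10, "HOST.foo.net"), (20, "backup.foo.net")],
    "elsewhere.example": [(10, "mx.elsewhere.example")],
}

def classify(my_host, mx_records):
    """Decide what to do with mail for a domain, trusting its MX list.

    Returns ("local", None), ("relay", [better hosts]) or ("reject", None).
    """
    me = my_host.rstrip(".").lower()
    records = [(pref, host.rstrip(".").lower()) for pref, host in mx_records]
    mine = [pref for pref, host in records if host == me]
    if not mine:
        return ("reject", None)      # not listed as an MX: refuse to relay
    my_pref = min(mine)
    if my_pref == min(pref for pref, _ in records):
        return ("local", None)       # best-preference MX: deliver locally
    # Backup MX: queue only for hosts preferred over us, so mail never loops.
    better = sorted((p, h) for p, h in records if p < my_pref)
    return ("relay", [h for _, h in better])

def relay_ratio(decisions):
    """Share of accepted mail that was relayed rather than delivered locally."""
    counts = Counter(kind for kind, _ in decisions)
    accepted = counts["local"] + counts["relay"]
    return counts["relay"] / accepted if accepted else 0.0

if __name__ == "__main__":
    decisions = [classify("host.foo.net", SAMPLE_MX[d]) for d in SAMPLE_MX]
    for domain, decision in zip(SAMPLE_MX, decisions):
        print(domain, decision)
    print("relayed share of accepted mail:", relay_ratio(decisions))
```

A rising relayed share is the signal the message suggests watching: a domain that lists the host as a backup MX without the administrator's knowledge shows up as relay decisions, not local ones.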