Re: Something completely different: spam and fitug
On Wednesday 08 October 2003 12:09, Lutz Donnerhacke wrote:
> The two are not correlated. Kristian is only pointing out a deficiency.
Here, for those who cannot read members, is the permanently unreachable
primary MX of the domain fitug.de.
That is a broken configuration, even when milter-sender is not in use. The
author of milter-sender says about this:
http://www.snert.com/Software/milter-sender/index.shtml#rfc2821s5p2
There have been some questions raised as to whether or not milter-sender is
conformant with respect to RFC 2821 section 5, paragraph 2, which states:
When the lookup succeeds, the mapping can result in a list of alternative
delivery addresses rather than a single address, because of multiple MX
records, multihoming, or both. To provide reliable mail transmission, the
SMTP client MUST be able to try (and retry) each of the relevant addresses in
this list in order, until a delivery attempt succeeds. However, there MAY
also be a configurable limit on the number of alternate addresses that can be
tried. In any case, the SMTP client SHOULD try at least two addresses.
The first MUST clause is addressed correctly. milter-sender will try the MX
list starting with the lowest preference (the primary MX).
The MAY clause allows the choice of limiting how many servers will be tried,
which milter-sender limits to only the primary MX hosts. In the case of only
one primary MX, milter-sender does make at least two (2) attempts to connect.
If there are multiple primary MX hosts (such as with aol.com or hotmail.com)
milter-sender will attempt to contact the first three primary MX hosts (see
-l option).
The final SHOULD clause is a strong recommendation, but is still optional. It
says milter-sender should try at least two different servers when provided.
However, it is still an option and so milter-sender chooses to talk only with
primary MX hosts.
Now there are legitimate sites that choose to publish in their DNS records to
a primary MX with a public IP address that is never reachable from the public
Internet. While this might solve a local configuration issue, I claim that
this practice is not RFC conformant since a service announced through the DNS
should be available the majority of the time from the public Internet. This
practice forces all SMTP servers to make at least two attempts to connect,
once for the primary that never answers, then to a secondary. Given the
milter-sender design, mail from sites thus configured will be rejected unless
white listed. Alternatively, the -A option can be specified to relax this
restriction.
Practice has shown that -A is a dumb idea. Configuring an exception for
@fitug.de is not, though. The MX configuration for the domain fitug.de is
still broken.
Kristian
--
Kristian Köhntopp, NetUSE AG, Dr.-Hell-Straße, D-24107 Kiel
Tel: +49 431 386 435 00, Fax: +49 431 386 435 99
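As an added illustration (not code from the original post or from milter-sender itself), the following Python simulates the MX policy quoted above from the snert.com page: only the lowest-preference MX hosts are tried (at most three, two attempts when there is a single primary), and a domain whose primary never answers is rejected unless it is whitelisted or -A relaxes the check. All MX records and reachability data are constructed, and the function and domain names are assumptions.

```python
# Constructed sample MX records as (preference, host); not real DNS data.
MX_RECORDS = {
    "single-primary.example": [(10, "mx1.single-primary.example"),
                               (20, "mx2.single-primary.example")],
    "multi-primary.example": [(10, "a.multi.example"), (10, "b.multi.example"),
                              (10, "c.multi.example"), (10, "d.multi.example")],
}

# Constructed reachability table standing in for real TCP connects to port 25.
# Hosts missing from the table are treated as unreachable (like fitug.de's primary).
REACHABLE = {
    "mx2.single-primary.example": True,
    "b.multi.example": True,
}


def primary_mx_hosts(records, limit=3):
    """Hosts sharing the lowest preference value, capped at `limit`
    (the cap corresponds to milter-sender's -l option as described above)."""
    lowest = min(pref for pref, _ in records)
    return [host for pref, host in sorted(records) if pref == lowest][:limit]


def callback_decision(domain, reachable, whitelist=(), relax=False, limit=3):
    """Return ('accept' | 'reject' | 'whitelisted', number_of_connect_attempts).

    relax=True models the -A option: secondary MX hosts are tried as well
    when no primary answers.
    """
    if domain in whitelist:
        return "whitelisted", 0
    records = MX_RECORDS[domain]
    primaries = primary_mx_hosts(records, limit)
    attempts = [reachable.get(host, False) for host in primaries]
    if len(primaries) == 1:
        # With a single primary MX the policy makes at least two attempts.
        attempts.append(reachable.get(primaries[0], False))
    if any(attempts):
        return "accept", len(attempts)
    if relax:
        for _, host in sorted(records):
            if host in primaries:
                continue
            attempts.append(reachable.get(host, False))
            if attempts[-1]:
                return "accept", len(attempts)
    return "reject", len(attempts)
```

A domain like fitug.de, whose primary MX never answers, lands in the "reject" branch of this simulation unless whitelisted or relaxed.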