<<< Date Index >>>     <<< Thread Index >>>

Re: Mal ganz anders: Spam und fitug



On Wednesday 08 October 2003 12:09, Lutz Donnerhacke wrote:
> Beides korreliert nicht. Kristian weist nur auf einen Mißstand hin. 

Hier, für die, die members nicht lesen können, den permanent nicht 
erreichbaren primary mx der Domain fitug.de.

Das ist eine defekte Konfiguration, selbst dann, wenn milter-sender nicht 
eingesetzt wird. Der Autor von milter-sender meint dazu

http://www.snert.com/Software/milter-sender/index.shtml#rfc2821s5p2

There has been some questions raised as to whether or not milter-sender is 
conformant with respect to RFC 2821 section 5, paragraph 2, which states: 

When the lookup succeeds, the mapping can result in a list of alternative 
delivery addresses rather than a single address, because of multiple MX 
records, multihoming, or both. To provide reliable mail transmission, the 
SMTP client MUST be able to try (and retry) each of the relevant addresses in 
this list in order, until a delivery attempt succeeds. However, there MAY 
also be a configurable limit on the number of alternate addresses that can be 
tried. In any case, the SMTP client SHOULD try at least two addresses. 

The first MUST clause is addressed correctly. milter-sender will try the MX 
list starting with the lowest preference (the primary MX). 

The MAY clause allows the choice of limiting how many servers will be tried, 
which milter-sender limits to only the primary MX hosts. In the case of only 
one primary MX, milter-sender does make at least two (2) attempts to connect. 
If there are multiple primary MX hosts (such as with aol.com or hotmail.com) 
milter-sender will attempt to contact the first three primary MX hosts (see 
-l option). 

The final SHOULD clause is a strong recommendation, but is still optional. It 
says milter-sender should try at least two different servers when provided. 
However, it is still an option and so milter-sender chooses to talk only with 
primary MX hosts. 

Now there are legitimate sites that choose to publish in their DNS records to 
a primary MX with a public IP address that is never reachable from the public 
Internet. While this might solve a local configuration issue, I claim that 
this practice is not RFC conformant since a service announced through the DNS 
should be available the majority of the time from the public Internet. This 
practice forces all SMTP servers to make at least two attempts to connect, 
once for the primary that never answers, then to a secondary. Given the 
milter-sender design, mail from sites thus configured will be rejected unless 
white listed. Alternatively, the -A option can be specified to relax this 
restriction. 


Es hat sich in der Praxis herausgestellt, daß -A eine dumme Idee ist. Eine 
Ausnahme für @fitug.de zu konfigurieren aber nicht. Die Konfiguration der MXe 
für die Domain fitug.de ist dennoch kaputt.

Kristian

-- 
Kristian Köhntopp, NetUSE AG, Dr.-Hell-Straße, D-24107 Kiel
Tel: +49 431 386 435 00, Fax: +49 431 386 435 99


--
To unsubscribe, e-mail: debate-unsubscribe@xxxxxxxxxxxxxx
For additional commands, e-mail: debate-help@xxxxxxxxxxxxxx