Thomas,
 
I don’t think it’s clear to you how I have set up ASSP in some configs.
When ASSP is used in the normal way there is no problem. ASSP is proxying for a 
domain which has all the domains and users.
No problem there. Not even the need to have LDAP.
The MTA refuses the mail from unknown domains and no NDRs (non-delivery 
reports) are sent.
 
I also have a setup with ASSP and Sendmail behind it.
Although Sendmail knows all the domains it should be relaying for, it doesn’t 
know any users.
It has a mailertable and accepts all mail for all domains it’s relaying for and 
sends it to the appropriate mailserver.
 
Those mailservers only listen to Sendmail and are foreign. We want to give the 
admins of these mailservers instructions that are as simple as possible.
We could instruct them to grant VRFY commands. Not a problem because that MTA 
isn’t listening to the world anyhow.
 
If ASSP gets a mail for a certain user on a certain domain it could check the 
enduser-MTA with a VRFY command and if it gets an explicit fail from that MTA, 
it should not accept the mail. Now there’s no need to send an NDR, because the 
message is not accepted. More importantly... less backscatter.
 
A VRFY from a foreign MTA should of course not be passed to the enduser-MTA as 
it would honour it with a legitimate answer.
 
For all this to work, ASSP needs to have the same info which I have in the 
mailertable (/etc/mail/mailertable).
It would be nice if it’s the same syntax so a cronjob could keep those 2 files 
in sync.
 
There’s also another possibility...
The Sendmail behind the proxy could be configured to accept “based on mx”.
This means that mail for all domains is accepted as long as the recipients 
domain’s MX points to Sendmail. That domain has a 2nd MX-record, but that 
points to the enduser-MTA. That MTA can only accept mail from Sendmail.
Some big ISPs have this system working, but without the VRFY option.
These ISPs relay all mail to their clients and they generate a lot of 
backscatter...
 
So a mail comes in for [EMAIL PROTECTED]
acme.com has 2 MX-records:
mail.acme.com        priority 10
mail.provider.com    priority 50
 
Sendmail is running on mail.provider.com and it is accepting mail for acme.com 
because its own domain (mail.provider.com) is in the MX-records of acme.com. 
This is a normal fallback-setup with sendmail. No mail is accepted by 
mail.acme.com because it has port 25 closed for the world. Not for 
mail.provider.com.
Some ISPs even block those ports. If ASSP could use the same mechanism as 
Sendmail is using and send a VRFY to mail.acme.com, it could refuse the mail at 
“the gate” and not let it get in between mail.provider.com and mail.acme.com.
 
The enduser doesn’t have to do a lot to implement it:
- Create a 2nd MX-record mail.provider.com
- Block port 25 for the world except mail.provider.com (this can be done by 
the ISP)
- Optionally honour VRFY requests to prevent non-local mail from getting past 
ASSP
 
You could have everything “configured in DNS”.
When VRFY-requests aren’t honoured it should accept all the mail.
This setup is working great...
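The two lookups described in this message, the mailertable and the "accept based on MX" fallback, and the gate decision they feed, as an added example in Python; this is not ASSP or Sendmail code. The mailertable text, the MX data, the host name mail.provider.com and the `vrfy` callback are all constructed for the illustration; the `.domain` entries are matched against subdomains only, as Sendmail does.

```python
"""Added example, not ASSP or Sendmail code: pick the MTA a recipient should
be verified on, first from a Sendmail-style mailertable and otherwise with the
"accept based on MX" rule, then turn the VRFY answer into an accept/reject
decision at the gate.  Mailertable text, DNS data and host names are constructed."""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed mailertable in Sendmail syntax: "domain  mailer:host".
# A leading dot matches subdomains; square brackets mean "deliver to this
# host directly, do not look up its MX".
MAILERTABLE = """\
# domain            mailer:host
acme.com            smtp:[mail.acme.com]
.acme.com           smtp:[mail.acme.com]
example.org         esmtp:[10.0.0.25]
"""

# Constructed DNS data: domain -> [(priority, host), ...]
MX_RECORDS: Dict[str, List[Tuple[int, str]]] = {
    "acme.com": [(50, "mail.provider.com"), (10, "mail.acme.com")],
    "other.net": [(10, "mx.other.net")],
}
MY_NAME = "mail.provider.com"  # assumed: the host Sendmail/ASSP runs on


def parse_mailertable(text: str) -> Dict[str, str]:
    """Return {domain: host}; the mailer name and the brackets are dropped."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        domain, target = line.split(None, 1)
        _mailer, host = target.split(":", 1)
        table[domain.lower()] = host.strip().strip("[]")
    return table


def mailertable_lookup(table: Dict[str, str], domain: str) -> Optional[str]:
    """Exact entry first, then the ".parent" entries, most specific first."""
    domain = domain.lower()
    if domain in table:
        return table[domain]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in table:
            return table[key]
    return None


def mx_fallback_target(domain: str, mx: Dict[str, List[Tuple[int, str]]],
                       me: str = MY_NAME) -> Optional[str]:
    """The "based on MX" rule: we relay for a domain only if our own name is
    one of its MX hosts; the VRFY target is then the best (lowest priority
    value) MX that is not ourselves, i.e. the end-user MTA."""
    records = sorted(mx.get(domain.lower(), []))
    if me not in [host for _, host in records]:
        return None
    for _, host in records:
        if host != me:
            return host
    return None  # we are the only MX: there is nobody else to ask


def gate_decision(rcpt: str, vrfy: Callable[[str, str], Optional[int]],
                  table: Dict[str, str],
                  mx: Dict[str, List[Tuple[int, str]]]) -> Tuple[str, str]:
    """Return ("accept" | "reject", reason).  `vrfy(host, address)` is the
    caller's VRFY probe; it returns the SMTP reply code, or None when the
    end-user MTA did not answer at all."""
    domain = rcpt.rsplit("@", 1)[-1]
    target = mailertable_lookup(table, domain) or mx_fallback_target(domain, mx)
    if target is None:
        return "reject", f"not relaying for {domain}"
    code = vrfy(target, rcpt)
    # Only an explicit 550 refuses the mail at the gate (no NDR is needed, the
    # message was never accepted).  250/251/252, any other code, or no answer
    # fail open: a VRFY-MTA that is down or does not honour VRFY must never
    # cause mail to be lost.
    if code == 550:
        return "reject", f"{target} answered 550 for {rcpt}"
    return "accept", f"{target} answered {code}"
```

Because the mailertable is consulted first, a domain that has an explicit entry never falls through to the MX rule, which is what keeps the cron-synced mailertable authoritative.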
 
 
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Thomas Eckardt/eck
Sent: Saturday 14 June 2008 9:58
To: ASSP development mailing list
Subject: [Assp-test] Antwort: Re: Verifying recipients
 

>If this gets implemented it would be nice if the MTA that gets the VRFY could 
>be different than the MTA for which it is proxying...

The simple way: 
- there is an MTA behind ASSP, with all recipient information: so let the MTA 
do the work (the recipient verification - also VRFY) - set (ASSP) MaxError to 
3, to prevent dictionary harvesting - that's all 

The other way: 
- there is an MTA behind ASSP, without any recipient information: at this time 
you need a flatfile or LDAP - or - checking the recipient with VRFY on another 
MTA than the one we are proxying for will cause the following: 
C1: connect 
S1: 220 domain ready to do work 
C2: HELO 
S2: 250 OK 
C3: MAIL FROM:<...> 
S3: 250 OK 
C4: RCPT TO:<...>   - this command we have to capture 
- now we have to open a new SMTP connection to the VRFY-MTA, and we have to do 
the same as above with it (C1 to S3) 
VC1 ...... VS3 
VC4: VRFY <...> 
VS4: 550/250 
VC5: QUIT  -  we have to do the QUIT, because we do not know what the next 
client (C5:) request would be (RCPT TO or DATA or any other) 
VS5: 421 closing channel 
- depending on the answer VS4: we now send the captured   C4: RCPT TO:<...>   
to our real MTA - or we send 
S4: 550    - to the client 
- the next client request could be 'DATA' or another 'RCPT TO' - which results 
in the same procedure as above to verify the recipient 

There is nothing wrong with doing it this way (it's only hard to code), but 
there are a lot of unanswered questions: what to do if: 
- the VRFY-MTA is unreachable 
- the VRFY-MTA is slow and we are running into timeouts on the primary 
connection 
- the connection to the VRFY-MTA is broken in the middle 
..... 
- handling all possible exceptions is the real problem with doing it this way 

I do not see a way to implement such a VRFY - but maybe Fritz has another 
opinion! 


>Yes, but LDAP is not trivial to set up. 

Setting up LDAP is much more trivial than setting up ASSP! 


>This is something I need to prevent backscatter.... 
We are working on a solution to prevent backscatter - based on MessageID 
tracking - but this will take some time! 

Thomas 
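The side connection VC1..VS5 sketched in this message, with the failure cases it lists (unreachable, slow, broken mid-way) handled, as an added Python example; this is not ASSP code. A tiny in-process SMTP server stands in for the VRFY-MTA so the exchange runs offline; the server, its user list, the HELO name `proxy.example` and the proxy helpers are all constructed for the illustration. The example also shows the proxy answering 252 to a VRFY from the outside instead of forwarding it, which is the standard SMTP reply for "will not verify, will try to deliver".

```python
"""Added example, not ASSP code: the VRFY side connection VC1..VS5 run against
a tiny in-process SMTP server that stands in for the VRFY-MTA.  The server,
its user list, the HELO name and the proxy helpers are constructed."""
import socket
import threading

KNOWN_USERS = {"alice@acme.com", "bob@acme.com"}  # constructed user list


def fake_vrfy_mta(listener: socket.socket) -> None:
    """Serve exactly one session: 220 greeting, 250 to HELO/MAIL, 250 or 550
    to VRFY depending on KNOWN_USERS, 221 and close on QUIT."""
    conn, _ = listener.accept()
    listener.close()                       # one session only
    with conn:
        with conn.makefile("rb") as f:
            conn.sendall(b"220 mail.acme.com ready\r\n")
            for raw in f:
                verb, _, arg = raw.decode(errors="replace").strip().partition(" ")
                verb = verb.upper()
                if verb == "VRFY":
                    addr = arg.strip().strip("<>").lower()
                    conn.sendall(b"250 ok\r\n" if addr in KNOWN_USERS
                                 else b"550 no such user\r\n")
                elif verb == "QUIT":
                    conn.sendall(b"221 closing channel\r\n")
                    return
                else:
                    conn.sendall(b"250 OK\r\n")


def start_fake_mta() -> int:
    """Bind an ephemeral localhost port, serve one session in the background
    and return the port number."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=fake_vrfy_mta, args=(listener,), daemon=True).start()
    return listener.getsockname()[1]


def _reply_code(f) -> int:
    """Read one SMTP reply (multi-line aware) and return its numeric code."""
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("VRFY-MTA closed the connection")
        if line[3:4] != b"-":              # "250-..." continues, "250 ..." ends
            return int(line[:3])


def verify_recipient(host: str, port: int, rcpt: str, timeout: float = 5.0) -> str:
    """Run VC1..VS5 against the VRFY-MTA.  "reject" only on an explicit 550,
    "accept" on 250/251/252, "unknown" when the VRFY-MTA is unreachable, too
    slow, or drops the connection (the open questions listed above)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            with s.makefile("rb") as f:
                if _reply_code(f) != 220:                          # VS1
                    return "unknown"
                for cmd in (b"HELO proxy.example\r\n", b"MAIL FROM:<>\r\n"):
                    s.sendall(cmd)                                 # VC2, VC3
                    if _reply_code(f) != 250:                      # VS2, VS3
                        return "unknown"
                s.sendall(b"VRFY <" + rcpt.encode() + b">\r\n")    # VC4
                code = _reply_code(f)                              # VS4
                s.sendall(b"QUIT\r\n")   # VC5: the session cannot be kept, the
                try:                     # client's next command is unknown
                    _reply_code(f)                                 # VS5
                except OSError:
                    pass
    except (OSError, ValueError):        # refused, timed out, broken, or garbage
        return "unknown"
    if code == 550:
        return "reject"
    return "accept" if code in (250, 251, 252) else "unknown"


def proxy_response(client_cmd: str, vrfy_host: str, vrfy_port: int) -> str:
    """What the proxy answers the *client* for one captured command.  A VRFY
    from outside is never forwarded to the end-user MTA (answer 252); an
    RCPT TO is verified first and refused with 550 on an explicit failure.
    "FORWARD" means: pass the captured command on to the real MTA."""
    verb, _, arg = client_cmd.partition(" ")
    if verb.upper() == "VRFY":
        return "252 Cannot VRFY user, but will accept message and attempt delivery"
    if verb.upper() == "RCPT":
        rcpt = arg.split(":", 1)[1].strip().strip("<>")
        if verify_recipient(vrfy_host, vrfy_port, rcpt) == "reject":
            return "550 5.1.1 No such user here"
    return "FORWARD"   # "unknown" fails open: let the real MTA decide


if __name__ == "__main__":
    port = start_fake_mta()
    print(proxy_response("RCPT TO:<nobody@acme.com>", "127.0.0.1", port))
```

The timeout on the side connection is the knob that answers the "slow VRFY-MTA" question: it must be shorter than the patience of the client waiting on the primary connection, and any expiry degrades to "unknown", which is treated exactly like a VRFY-MTA that does not honour VRFY.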



Jean-Pierre van Melis <[EMAIL PROTECTED]> 
Sent by: [EMAIL PROTECTED] 
13.06.2008 13:57 
Please reply to
ASSP development mailing list <[email protected]>
To: 'ASSP development mailing list' <[email protected]> 
Cc:
Subject: Re: [Assp-test] Verifying recipients

If this gets implemented it would be nice if the MTA that gets the VRFY could 
be different than the MTA for which it is proxying...
I'm thinking of a domaintable with the IP of the proxy (like the mailertable of 
Sendmail)

In such a setup you can have Sendmail behind ASSP and let ASSP verify the user 
on the MTA which it has in the mailertable. Otherwise Sendmail has to accept 
all mail for each domain it is relaying for.
Because Sendmail has the mailertable already, can Sendmail do this already?
This is something I need to prevent backscatter....
Because ASSP is doing a good job, the backscatter is minimal, but still....

Some setups I have working:

ASSP (accepting for specific domains) ====> Sendmail (relaying all mail using 
a mailertable) ===> MTAs without MX-records

Another Setup is also nice:

ASSP (accepting all domains) ===> Sendmail with relay based on MX ===> MTAs 
with themselves as high-priority MX and ASSP as low-priority MX, and port 25 
blocked for the world except ASSP.



-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
Assp-test mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-test

