Mike,
I couldn't duplicate this on 6.06 (it caught the hack attempt); don't
know if it broke by 7.03, but I did have some follow-up questions
anyway, since your message was not completely clear:
>1) Primary and secondary MX hosts are both configured to relay for
>local addresses only (Using "relay mail for [addresses]") under the
>SMTP security tab.
Sounds good to start.
>2) Secondary MX host improperly accepts mail that should be rejected.
>Primary MX host then relays due to inherent trust relationship
>between the two.
What inherent trust are you referring to? Primary, secondary, tertiary
MXs do not have to have any knowledge of each other, just different
metrics in DNS. Do you mean they trust each other because they are on
the same subnet? If so, please specify.
Generally speaking, since the two MXs have no by-definition
relationship, are you doing something more complex to bring them
together? Do they both actually receive mail for the domain? Or are
you using the backup MX as an SMTP "client" for an upstream primary MX
(using "Send all mail through another mail relay" and giving your
backup a longer retry period than the average origin server or
something), which is not strictly speaking the same as a plain ol'
backup?
Also, when you use the user%domain1@domain2 syntax, remember that it
delivers to the A record for domain2, not the MX, then asks the A to
find the MX for domain2. So if it tries to find domain2 and DNS
discovers that the primary server, or maybe some other web server or
something, is domain2, it will go straight to that IP and ask it to
relay. If that box is set to trust the first box, that'll indeed be a
problem. BUT: on my Imail 6.06 box, this couldn't happen because it
catches the % syntax and checks it against the SMTP Security
settings--if I'm an open relay, it lets me % outside, if I'm relaying
for addresses and the source address isn't on the list, it rejects it
just as if it were a straightforward relay attempt. Maybe this is
something that emerged with Imail 7, and I must admit I'm handicapped
in that I can't test on that version. Do you have version 6 around to
verify that this was missed in regression testing?
Again, I don't really get how or why the backup and primary are
communicating in your config. If they are truly independent, and if,
as you say, the same Telnet session to the primary server is
unsuccessful, that might point to a security mismatch across the
servers or something related to the A/MX records. Maybe you need to
give more info, a munged dig report and Imail and TCP/IP configs.
Also, what about the SMTP log at the moment of relay?
Thanks.
Sandy
3) Both are running latest 7.03
E.G., from an outside IP address if I do this:
$ telnet 10.10.10.1 25
Trying 10.10.10.1...
Connected to 10.10.10.1.
Escape character is '^]'.
220 X1 NT-ESMTP Server mail.munged.com (IMail 7.03 7-1)
ehlo me.outsidedomain.com
250-mail.munged.com says hello
250-SIZE 0
250-8BITMIME
250-DSN
250-ETRN
250 EXPN
mail from:<[EMAIL PROTECTED]>
250 ok
rcpt to:<[EMAIL PROTECTED]>
250 ok its for <[EMAIL PROTECTED]>
data
354 ok, send it; end with <CRLF>.<CRLF>
From: Me <[EMAIL PROTECTED]>
To: You <[EMAIL PROTECTED]>
Subject: relay test
this is BAD
.
250 Message queued
quit
221 Goodbye
Connection closed by foreign host.
-----------
me%external.com is on an outside host that we shouldn't be relaying for,
yet it is receiving this mail. As a result we've been listed in orbz.org
:(
Note that the primary server will reject [EMAIL PROTECTED] if
sent directly to it.
This sucks :(
Mike
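The check Sandy describes (unwrap user%domain1@domain2 to its final destination before testing whether that destination is local) as an added Python example; it is not part of this thread or of IMail, and LOCAL_DOMAINS plus the recipient strings are constructed samples.

```python
"""Relay-policy check for an MX that accepts mail for local domains only.

Added example (not IMail's code): the % syntax is unwrapped before the
"is the destination local?" test, so me%external.com@munged.com is not
accepted just because munged.com looks local.
"""

# Constructed sample policy; a real MX reads this from its configuration.
LOCAL_DOMAINS = {"munged.com"}


def final_destination(rcpt: str) -> str:
    """Return the address the message would finally be delivered to.

    Unwraps RFC 821 route-addrs (<@hop:user@dest>) and the percent hack
    (user%dest@hop, possibly nested) until no routing syntax remains.
    """
    addr = rcpt.strip().strip("<>")
    while True:
        if addr.startswith("@") and ":" in addr:
            # "@hop1,@hop2:user@dest" -> "user@dest"
            addr = addr.split(":", 1)[1]
            continue
        local, at, _domain = addr.rpartition("@")
        if at and "%" in local:
            # "user%a%b@hop" -> "user%a@b" -> "user@a": rightmost % becomes @
            head, _, tail = local.rpartition("%")
            addr = f"{head}@{tail}"
            continue
        return addr.lower()


def relay_check(rcpt: str, local_domains=LOCAL_DOMAINS):
    """Decide whether RCPT TO:<rcpt> may be accepted by a local-only MX.

    Returns (accept, reason). Bang paths are refused outright: a host that
    is not a relay has no business routing UUCP-style addresses either.
    """
    if "!" in rcpt:
        return False, "bang-path source routing not accepted"
    dest = final_destination(rcpt)
    _, at, domain = dest.rpartition("@")
    if not at or not domain:
        return False, "no destination domain"
    if domain in local_domains:
        return True, f"local delivery to {dest}"
    return False, f"relay to {domain} refused"
```

Calling relay_check on the RCPT TO from the telnet session above returns a refusal, while a plain local recipient is accepted.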
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/