>2) Secondary MX host improperly accepts mail that should be rejected.
nope. Secondary MX is in "relay for domains" mode, but it's a controlled
relay. It doesn't know about users, only domains. It will not be looking
at (maybe bogus) recipient@ part, but only the @recipientdomain part.
>Primary MX host then relays due to inherent trust relationship between
>the two.
"inherent trust" ain't no such thing between MX hosts
>this is BAD
this is called "the percent hack". IMGate can be set to reject it, even as
an MX relay.
>-----------
>
>me%external.com is on an outside host that we shouldn't be relaying for,
>yet it is receiving this mail.
no you aren't, secondary MX is relaying for @munged.com.
> As a result we've been listed in orbz.org
>:(
when the second MX relays it to primary, primary will reject it as unknown
user, bouncing it back to the envelope sender <[EMAIL PROTECTED]>.
>Note that the primary server will reject [EMAIL PROTECTED] if
>sent directly to it.
>
>This sucks :(
yep, it sucks. But when relay-test mail bounces back to orbz, as the
primary MX should do, orbz should not blackhole anybody, since there is no
open relay anywhere.
A lot of us in the IMGate list don't use ORBZ, too many false positives,
which is what yours is.
show orbz your logs that the orbz test msg was bounced back to them, and
there is no open relay anywhere.
Len
http://MenAndMice.com/DNS-training
http://BIND8NT.MEIway.com : ISC BIND 8.2.4 for NT4 & W2K
http://IMGate.MEIway.com : Build free, hi-perf, anti-abuse mail gateways
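
The recipient check discussed in the reply above, as an added sketch that is not part of the original post and is not IMGate's own code: a domain-only relay that accepts mail for its relay domains but refuses any local part carrying a routing operator (the percent hack, a bang path, or a nested @). The function names, `RELAY_DOMAINS` and all sample addresses are constructed for illustration.

```python
# Added example: RCPT TO policy for a secondary MX that knows domains, not users.
# RELAY_DOMAINS and every address below are constructed sample values.
RELAY_DOMAINS = {"munged.com"}
ROUTING_CHARS = "%!@"  # percent hack, UUCP bang path, nested @ / source route


def split_rcpt(rcpt):
    """Split an SMTP forward-path such as '<a@b>' into (local_part, domain)."""
    path = rcpt.strip()
    if path.startswith("<") and path.endswith(">"):
        path = path[1:-1]
    # Split on the LAST '@': anything left of it is the local part, so a
    # source route or an embedded address ends up there and is checked below.
    local, sep, domain = path.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"malformed recipient path: {rcpt!r}")
    if len(local) >= 2 and local[0] == local[-1] == '"':
        local = local[1:-1]  # quoting does not make a routing operator safe
    return local, domain.lower().rstrip(".")


def check_rcpt(rcpt, relay_domains=RELAY_DOMAINS):
    """Return (accept, reason) for one RCPT TO path."""
    try:
        local, domain = split_rcpt(rcpt)
    except ValueError as exc:
        return False, str(exc)
    if domain not in relay_domains:
        return False, "relay denied: not a relay domain"
    hidden = [c for c in ROUTING_CHARS if c in local]
    if hidden:
        return False, f"relay denied: routing operator {hidden[0]!r} in local part"
    # The user is not validated here; the primary MX bounces unknown users.
    return True, "ok: relay to primary MX"


if __name__ == "__main__":
    samples = [
        "<user@munged.com>",
        "<nosuchuser@munged.com>",
        "<me%external.com@munged.com>",
        "<external.com!me@munged.com>",
        "<me@external.com@munged.com>",
        "<@munged.com:me@external.com>",
        "<me@external.com>",
    ]
    for rcpt in samples:
        print(rcpt, check_rcpt(rcpt))
```

An unknown user at a relay domain is still accepted here, which matches the behaviour described in the thread: the primary MX rejects it and the bounce goes back to the envelope sender.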