On Mon, 12 Sep 2005, David F. Skoll wrote:
> > Any MX of 127.0.0.1 is not only broken but malicious. However, I'd
> > expect it to be pretty common to have multiple MXs mixing public
> > and private targets on the assumption that inside hosts would hit
> > the working private number and outside hosts would fail and then
> > connect to the public address. It's a bad assumption, since anyone
> > else might have a different server at that same private address, but
> > I'd still guess somebody does it.
>
> I would reject mail from a domain that does that. If I publish
> 192.168.1.1 as an MX record, all kinds of bad things could happen
> if outside senders sent me mail, from mail being bounced to sensitive
> information falling into the wrong hands. It's a really dumb idea
> to publish MX records that resolve to private addresses.
Exactly. If you need different MXs for inside and outside users, set up
a split DNS. For the inside users, they ask an internal DNS that answers with
the internal IPs. The external users query a public DNS that answers with
public IPs.

It's easy to set up and solves a bunch of problems. There's no excuse for
publishing RFC 1918 IPs in a public DNS.
Fer
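The check a mail admin would want after reading this thread is an audit of what the public view actually publishes: walk a domain's MX set in the order an outside sender tries it and flag any target whose address falls in RFC 1918 space, loopback or another non-routable block. The script below is an added example, not code from the MIMEDefang list or project. All domains, hostnames and addresses in it are constructed sample data embedded inline so it runs offline; a real audit would fetch the MX and A/AAAA answers with a resolver library and pass them to `audit_mx()` in the same shape. It goes a little beyond the thread by also covering IPv6 loopback, link-local and unique-local space.

```python
"""Audit published MX records for targets that resolve to non-routable
addresses (RFC 1918 space, loopback, link-local, IPv6 ULA).

Added example, not code from the MIMEDefang thread. DNS answers are
constructed inline so the script runs offline.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Blocks that must never sit behind a public MX. Python's
# IPv4Address.is_private would also flag the documentation ranges
# (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24), which serve below as
# stand-ins for routable addresses, so the blocks are listed explicitly.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "::1/128",                         # loopback
    "169.254.0.0/16", "fe80::/10",                    # link-local
    "0.0.0.0/8", "fc00::/7",                          # "this" net, IPv6 ULA
)]

# Constructed sample zone data (hypothetical domains and hosts):
# example.com mixes a public and an internal MX, as the thread describes;
# broken.example publishes an MX that resolves to 127.0.0.1;
# good.example is clean and dual-stacked.
SAMPLE_MX: Dict[str, List[Tuple[int, str]]] = {
    "example.com": [(20, "mail.example.com."), (10, "mail-int.example.com.")],
    "broken.example": [(10, "localhost.broken.example.")],
    "good.example": [(10, "mx1.good.example."), (20, "mx2.good.example.")],
}
SAMPLE_ADDRS: Dict[str, List[str]] = {
    "mail-int.example.com.": ["192.168.1.1"],
    "mail.example.com.": ["203.0.113.25"],
    "localhost.broken.example.": ["127.0.0.1"],
    "mx1.good.example.": ["203.0.113.10"],
    "mx2.good.example.": ["198.51.100.10", "2001:db8::10"],
}

# (preference, target, address or None, reason)
Finding = Tuple[int, str, Optional[str], str]


def offending_network(addr: str) -> Optional[str]:
    """Return the reserved block (as CIDR text) containing addr, or None
    when addr is routable from the public Internet."""
    ip = ipaddress.ip_address(addr)
    for net in NON_ROUTABLE:
        if ip in net:  # an IPv4/IPv6 version mismatch simply yields False
            return str(net)
    return None


def audit_mx(domain: str, mx: Dict[str, List[Tuple[int, str]]],
             addrs: Dict[str, List[str]]) -> List[Finding]:
    """Walk the domain's MX set in preference order (the order an outside
    sender tries them) and report every target that has no address record
    or resolves into a reserved block."""
    findings: List[Finding] = []
    for pref, target in sorted(mx.get(domain, [])):
        target_addrs = addrs.get(target, [])
        if not target_addrs:
            findings.append((pref, target, None, "no address record"))
            continue
        for addr in target_addrs:
            block = offending_network(addr)
            if block is not None:
                findings.append((pref, target, addr, block))
    return findings


def would_reject(domain: str, mx: Dict[str, List[Tuple[int, str]]],
                 addrs: Dict[str, List[str]]) -> bool:
    """The policy stated in the thread: a domain with any MX resolving to
    a non-routable address is misconfigured and its mail is refused."""
    return any(addr is not None for _, _, addr, _ in audit_mx(domain, mx, addrs))


if __name__ == "__main__":
    for name in SAMPLE_MX:
        status = "REJECT" if would_reject(name, SAMPLE_MX, SAMPLE_ADDRS) else "ok"
        print(f"{name}: {status}")
        for pref, target, addr, why in audit_mx(name, SAMPLE_MX, SAMPLE_ADDRS):
            print(f"  MX {pref} {target} -> {addr or '-'}: {why}")
```

Run it against the answers your *public* resolver returns, not an internal one: once split DNS is in place, that is the only view whose MX set outsiders see, and the lowest-preference entry is the one they try first, so a private address there means every external sender stalls on it before falling back.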
_______________________________________________
Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
[email protected]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang