Adrian Ho <[EMAIL PROTECTED]> writes:
> On Sun, Sep 16, 2001 at 04:29:41AM -0400, Scott Gifford wrote:
> > Here's a patch I used on a qmail system I used to run which ran behind
> > a NAT load balancer. It solves a problem qmail has when it doesn't
> > know all of the IP addresses that connect to it.
>
> Not to belittle your effort, but qmail isn't the only thing that can
> break under such circumstances. /Any/ app running on a server behind a
> NAT box that doesn't get its own address back on a query may break when
> it tries to use that address for whatever purpose.
In my experience, most services have no trouble with such a
configuration. Mail delivery happens to be one that does, requiring
the MTA to take special care. Postfix and sendmail handle this by
looking at the EHLO/HELO response line, and assuming a loop if their
own name shows up there. qmail doesn't handle it well, which is why I
wrote the patch.
> The problem the OP faced is, strictly speaking, a DNS misconfiguration
> (or lack of configuration, perhaps). I've lost count of the number of
> clients who've encountered similar problems with MTAs and other apps,
> that magically disappeared when I inserted a DNS map (or server, in some
> cases) that handed back the proper IPs.
Proper DNS configuration doesn't solve all of the mail loop issues.
Because the entire DNS isn't under the control of one person, it's
easy for somebody to, deliberately or accidentally, use your external
IP address as the MX record for a domain. When your server receives
messages addressed to this domain, it will get in a tight loop and
suck up all of your CPU cycles. If you end up with many such
messages, such as a blast of SPAM, it can wreak serious havoc; havoc
is doubled if the bounce message goes to the same domain.
This may seem like an unlikely scenario, but if you're handling very
many domains, it's easy for modifications of locals and MX records to
get out of sync, particularly if the DNS isn't under your control. A
domain that was accidentally removed from locals nearly quadrupled the
load on a 25-server qmail farm I used to operate, which inspired this
patch.
It's also easy to argue that adding some IP addresses to a file is
less work than designing and implementing split DNS. :)
-----ScottG.
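The two loop checks the message contrasts (the patch's list of known own addresses, and the Postfix/sendmail habit of looking for the server's own name in the remote greeting), as an added illustration that is not part of the original thread or of the qmail patch. All hostnames, addresses and banner lines are constructed sample values.

```python
"""Added example: detect that a domain's MX is really ourselves before relaying,
so a domain whose MX points back at this host (but is missing from the local
domain list) is refused instead of bouncing in a tight loop."""
import re

# qmail-patch style: every address this host may be reached on, including the
# NAT / load-balancer external address it cannot discover by itself (constructed).
OWN_ADDRESSES = {"10.0.0.5", "192.0.2.25"}

# Postfix/sendmail style: the names this host announces in its own SMTP
# greeting and EHLO response (constructed).
OWN_NAMES = {"mx.example.net", "mail.example.net"}

# First token after the 220 code is the remote server's announced hostname;
# "220-" covers multi-line greetings.
_GREETING = re.compile(r"^220[ -](\S+)")


def mx_is_self_by_ip(mx_addresses, own_addresses=OWN_ADDRESSES):
    """True if any resolved MX address is one of our own addresses."""
    return any(addr in own_addresses for addr in mx_addresses)


def mx_is_self_by_banner(banner_line, own_names=OWN_NAMES):
    """True if the remote 220 greeting names this host."""
    match = _GREETING.match(banner_line)
    return bool(match) and match.group(1).lower() in own_names


def delivery_would_loop(domain, mx_addresses, banner_line, local_domains):
    """Decide whether relaying mail for `domain` to its MX would come back to us.

    A domain in `local_domains` is delivered locally and never relayed, so it
    cannot loop.  The failure mode from the thread is a domain that dropped out
    of the local list while its MX record still points at our external address.
    """
    if domain in local_domains:
        return False
    return mx_is_self_by_ip(mx_addresses) or mx_is_self_by_banner(banner_line)
```

Either check alone catches the case the message describes; the banner check works without knowing the NAT address in advance, while the address list catches it before a connection is even made.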