Jake Vickers wrote:
Eric Shubert wrote:
I'd like to know if this works, but I don't expect it will.
I believe that chkuser is not finding an MX record for the
backup.mydomain.com domain, and this cannot be specified in the hosts
file. An MX record for backup.mydomain.dom would need to be added to
the authoritative DNS for the mydomain.com domain. While this would
fix the problem, I don't think it's the best solution.
Fixing the problem at its source is preferable. (more on that elsewhere)
Adding an entry to DNS is the correct option. If a host does not have an
MX record, it should not be sending mail. If a host without an MX record
sends out mail, it's assumed that it's compromised and sending spam. I
also believe there is an RFC about this.
Here's a hypothetical scenario:
Bob has 2 servers. He sets one up as an email server and correctly adds
entries to DNS to support this (A record, MX record, PTR record, etc.).
Bob sets the second server up for web hosting, monitoring, whatever.
There is a MTA agent on the system (we'll say Exim), but he never
configured it and does not monitor it. He does however monitor his email
server's logs.
One day, the web server starts sending mail to everyone is can find. Bob
did not intend this server to send any mail, so he never configured DNS
for it to support this (no MX record, no PTR record). It's easy for us
to identify that messages from this server are not desired, since Bob
never configured it in DNS to send mail. How else is the rest of the
world supposed to know what hosts are allowed to send mail, and those
that are not?
Bob opens one of these messages (since he was emailed one, and he
configured his system to accept mail from invalid mail servers with no
MX records) and now has a virus. His home computer is now spewing out
thousands of spam messages a second to everyone in his address book.
Once again, it's easy for us to identify that messages from Bob's
infected home computer are safe to drop since he never set up DNS to let
us know it was intended to send emails (directly).
As email administrators, we have a responsibility to the rest of the
world to set things up correctly. We need to let the rest of the world
know that we want a specific machine to send mail by setting up the
proper structure for it (MX record, PTR record, etc.). Think of the
supporting entries in DNS as the license to send mail, just like you
need a license to drive a car. We trust our systems (legal, DNS,
otherwise) to correctly identify individuals (or machines) to do certain
things (drive, send email, whatever), otherwise we have anarchy and chaos.
I understand that there are exceptions to every rule, and Mike has a
valid exception to the above rules. The correct way for this to occur
would be to set his other system up to authenticate to one of his QMT
servers so it can send mail. Then he only has to manage one thing (DNS
for 1 server). I've posted about a program called "email" in a past post
about crons that would facilitate this.
Failing that, a couple simple config changes in Sendmail should fix this
as well - don't ask me what they are. I only work on Qmail and Postfix
and am assuming that it is easily configurable like Postfix or Qmail.
Just my 2-cents.
While I agree with your position and hypothetical scenario, I don't
believe that adding an MX record for each host is the correct nor best
solution.
I don't see any purpose in adding an MX record for each host that sends
email. An MX record is intended as an indication of where to send mail
for a specific domain (destination), not an indication of 'license to
send' (as you put it). It has nothing to do with a source. (Please cite
an RFC if I'm wrong on this). chkuser simply uses this as a (somewhat
crude) way to verify the validity of the sender's domain, in case a
bounce message would need to be sent later on.
Adding an MX record to allow a host with a default configuration to send
mail is also dangerous and irresponsible. Giving any ol' server that can
send mail by default a 'license to send email' is not (imo) a good
practice. Any server that's sending mail should be properly configured,
which I don't believe most default configurations are.
BL, these servers in question are problematic because their default
configuration is set to use "[email protected]" as the sending
address. While adding an MX record will indeed allow such email to pass
chkuser's filter, this MX record also announces to the world that mail
to host.domain.com is being accepted by the specified server in the DNS
record, which is clearly not the case. I believe that properly
configuring the sending server to authenticate itself, just like
everyone else who submits email, is the best solution.
--
-Eric 'shubes'
---------------------------------------------------------------------------------
Qmailtoaster is sponsored by Vickers Consulting Group
(www.vickersconsulting.com)
Vickers Consulting Group offers Qmailtoaster support and installations.
If you need professional help with your setup, contact them today!
---------------------------------------------------------------------------------
Please visit qmailtoaster.com for the latest news, updates, and packages.
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
