Re: [mailop] proper NULL MX behaviour for MTAs?

2016-02-29 Thread John Levine 
In article  you 
write:
>Suresh Ramasubramanian  wrote:
>
>> A domain with a null mx may well originate email
>If they try to do that they will be sad.

RFC 7505 section 4.2 agrees with you.  Section 4.1 suggests using
status code 550 and extended code 5.7.27 when you reject it.

It took more coordination than you might expect to make this match
Klensin's RFC 7404 which defines the new status codes for null MX
rejections.

R's,
John

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] proper NULL MX behaviour for MTAs?

2016-02-29 Thread Tony Finch 
Franck Martin via mailop  wrote:
>
> This could be true but then RFC7505 is recent, so I'm not sure that proper
> MTAs are yet properly behaving. I wonder what sendmail, postfix, exim
> really do?

Exim has treated null MXs as invalid since 2004.
https://www.ietf.org/mail-archive/web/apps-discuss/current/msg11051.html

Tony.
-- 
f.anthony.n.finch    http://dotat.at/
Forties, Cromarty, Forth: Southwest 5 to 7, backing south 6 to gale 8,
occasionally severe gale 9 later. Slight or moderate, becoming rough or very
rough later, occasionally high later in Forties. Rain. Moderate or poor.

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] proper NULL MX behaviour for MTAs?

2016-02-29 Thread Tony Finch 
Suresh Ramasubramanian  wrote:

> A domain with a null mx may well originate email

If they try to do that they will be sad.

A lot of MTAs will reject email with a MAIL FROM using a domain that is
invalid according to the DNS, and a null MX counts as invalid for this
purpose.

Tony.
-- 
f.anthony.n.finch    http://dotat.at/
Biscay, Southeast Fitzroy: Northerly backing southwesterly 5 to 7. Moderate or
rough. Fair. Good.

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] proper NULL MX behaviour for MTAs?

2016-02-28 Thread Mark Jeftovic 
My test with postfix yielded:

Status: 5.4.4
Diagnostic-Code: X-Postfix; Name service error for name=abx.ca type=MX:
Malformed or unexpected name server reply


so at least it hard failed.

- mark


On 2016-02-28 12:07 AM, John Levine wrote:
>> What is an MTA supposed to do with a message addressed to a domain with
>> a NULL MX?
> 
> Reject it with a 556 status code and 5.1.10 enhanced status code.  If
> the message was already relayed, return a DSN if it makes sense.  See
> section 4.1.
> 
> You can also feel free to reject mail if the return address has a null
> MX since you can't reply; in that case it's status 550 and 5.7.27.
> 
>> I'm looking at some logs and seeing attempts to deliver email to lots of
>> domains with NULL MX enabled (that have been so for years) and wondering
>> if I can safely mine these logs and add all the originating MTA IPs to
>> an internal RBL.
> 
> That seems reasonable.  Any MTA that tries the A address if you
> publish a null MX (that's "domain MX 0 .") is so broken that it
> deserves to die if it's not already spamware.  There are plenty of
> MTAs that will sit on the message for a week hoping the next time they
> look up the MX it will be different, but I can't recall seeing any
> legitimate MTA for a long time that falls back to A if it finds an MX.
> 
> The RFC is new but the draft was kicking around since 2006, and was
> never controversial.
> 
> R's,
> John
> 

-- 
Mark Jeftovic, Founder & CEO, easyDNS Technologies Inc.
Company Website: http://easydns.com
Read my blog: http://markable.com
+1-416-535-8672 ext 225

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] proper NULL MX behaviour for MTAs?

2016-02-27 Thread John Levine 
>What is an MTA supposed to do with a message addressed to a domain with
>a NULL MX?

Reject it with a 556 status code and 5.1.10 enhanced status code.  If
the message was already relayed, return a DSN if it makes sense.  See
section 4.1.

You can also feel free to reject mail if the return address has a null
MX since you can't reply; in that case it's status 550 and 5.7.27.

>I'm looking at some logs and seeing attempts to deliver email to lots of
>domains with NULL MX enabled (that have been so for years) and wondering
>if I can safely mine these logs and add all the originating MTA IPs to
>an internal RBL.

That seems reasonable.  Any MTA that tries the A address if you
publish a null MX (that's "domain MX 0 .") is so broken that it
deserves to die if it's not already spamware.  There are plenty of
MTAs that will sit on the message for a week hoping the next time they
look up the MX it will be different, but I can't recall seeing any
legitimate MTA for a long time that falls back to A if it finds an MX.

The RFC is new but the draft was kicking around since 2006, and was
never controversial.

R's,
John

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] proper NULL MX behaviour for MTAs?

2016-02-27 Thread Michael Wise 
I'm no expert on Exchange ... Only the filtering in our service. It should be 
checked out. I'll see if I can wave the RFC under some noses...

Next week.

Aloha,
Michael.
--
Sent from my Windows Phone

From: Suresh Ramasubramanian<mailto:ops.li...@gmail.com>
Sent: ‎2/‎27/‎2016 8:12 PM
To: Michael Wise<mailto:michael.w...@microsoft.com>
Cc: Franck Martin<mailto:fmar...@linkedin.com>; Mark 
Jeftovic<mailto:mar...@easydns.com>; mailop<mailto:mailop@mailop.org>
Subject: Re: [mailop] proper NULL MX behaviour for MTAs?

If there's an nxdomain for mx sendmail etc will fall back to the A - not to my 
knowledge if there's just a servfail

No idea about exchange, you should be the expert on that, Mike

--srs

On 28-Feb-2016, at 9:39 AM, Michael Wise 
<michael.w...@microsoft.com<mailto:michael.w...@microsoft.com>> wrote:

And Exchange.

Aloha,
Michael.
--
Sent from my Windows Phone

From: Franck Martin via mailop<mailto:mailop@mailop.org>
Sent: ‎2/‎27/‎2016 7:39 PM
To: Mark Jeftovic<mailto:mar...@easydns.com>
Cc: Suresh Ramasubramanian<mailto:ops.li...@gmail.com>; 
mailop<mailto:mailop@mailop.org>
Subject: Re: [mailop] proper NULL MX behaviour for MTAs?



On Sat, Feb 27, 2016 at 7:23 PM, Mark Jeftovic 
<mar...@easydns.com<mailto:mar...@easydns.com>> wrote:

On 2016-02-27 9:59 PM, Suresh Ramasubramanian wrote:
> A domain with a null mx may well originate email but will absolutely not 
> receive email - so mail gets trashed at your end as well without staying 
> endlessly on your mall queues
>
> You can possibly correlate that mx with the behavior of domains that are 
> sending you mail.. Though a domain rather than IP bl may make sense.
>

Sorry, I realized after I sent that I needed to clarify that what I'm
observing are MTAs attempting to deliver email to addresses at IP of the
A record for the domain, ignoring the presence of its NULL MX.

So the originating MTAs are ignoring the NULL MX and attempting to
deliver to the A hostname, leading me to surmise they are spambots or
zombies.

This could be true but then RFC7505 is recent, so I'm not sure that proper MTAs 
are yet properly behaving. I wonder what sendmail, postfix, exim really do?
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] proper NULL MX behaviour for MTAs?

2016-02-27 Thread Michael Wise 
And Exchange.

Aloha,
Michael.
--
Sent from my Windows Phone

From: Franck Martin via mailop<mailto:mailop@mailop.org>
Sent: ‎2/‎27/‎2016 7:39 PM
To: Mark Jeftovic<mailto:mar...@easydns.com>
Cc: Suresh Ramasubramanian<mailto:ops.li...@gmail.com>; 
mailop<mailto:mailop@mailop.org>
Subject: Re: [mailop] proper NULL MX behaviour for MTAs?



On Sat, Feb 27, 2016 at 7:23 PM, Mark Jeftovic 
<mar...@easydns.com<mailto:mar...@easydns.com>> wrote:

On 2016-02-27 9:59 PM, Suresh Ramasubramanian wrote:
> A domain with a null mx may well originate email but will absolutely not 
> receive email - so mail gets trashed at your end as well without staying 
> endlessly on your mall queues
>
> You can possibly correlate that mx with the behavior of domains that are 
> sending you mail.. Though a domain rather than IP bl may make sense.
>

Sorry, I realized after I sent that I needed to clarify that what I'm
observing are MTAs attempting to deliver email to addresses at IP of the
A record for the domain, ignoring the presence of its NULL MX.

So the originating MTAs are ignoring the NULL MX and attempting to
deliver to the A hostname, leading me to surmise they are spambots or
zombies.

This could be true but then RFC7505 is recent, so I'm not sure that proper MTAs 
are yet properly behaving. I wonder what sendmail, postfix, exim really do?
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] proper NULL MX behaviour for MTAs?

2016-02-27 Thread Franck Martin via mailop 
If a domain is telling me it does not accept emails, why should I accept
mail from such domain if I cannot reply back to it?

On Sat, Feb 27, 2016 at 6:59 PM, Suresh Ramasubramanian  wrote:

> A domain with a null mx may well originate email but will absolutely not
> receive email - so mail gets trashed at your end as well without staying
> endlessly on your mall queues
>
> You can possibly correlate that mx with the behavior of domains that are
> sending you mail.. Though a domain rather than IP bl may make sense.
>
> --srs
>
> > On 28-Feb-2016, at 8:07 AM, Mark Jeftovic  wrote:
> >
> >
> > What is an MTA supposed to do with a message addressed to a domain with
> > a NULL MX?
> >
> > RFC 7505 talks about domains with a NULL MX should not originate email
> > (in their sender envelopes, etc) but what about the converse?
> >
> > I'm looking at some logs and seeing attempts to deliver email to lots of
> > domains with NULL MX enabled (that have been so for years) and wondering
> > if I can safely mine these logs and add all the originating MTA IPs to
> > an internal RBL.
> >
> > I think I can. I think I will.
> >
> > - mark
> >
> > --
> > Mark Jeftovic, Founder & CEO, easyDNS Technologies Inc.
> > Company Website: http://easydns.com
> > Read my blog: http://markable.com
> > +1-416-535-8672 ext 225
> >
> > ___
> > mailop mailing list
> > mailop@mailop.org
> > https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
>
> ___
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
>
___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] proper NULL MX behaviour for MTAs?

2016-02-27 Thread Mark Jeftovic 

On 2016-02-27 9:59 PM, Suresh Ramasubramanian wrote:
> A domain with a null mx may well originate email but will absolutely not 
> receive email - so mail gets trashed at your end as well without staying 
> endlessly on your mall queues 
> 
> You can possibly correlate that mx with the behavior of domains that are 
> sending you mail.. Though a domain rather than IP bl may make sense.
> 

Sorry, I realized after I sent that I needed to clarify that what I'm
observing are MTAs attempting to deliver email to addresses at IP of the
A record for the domain, ignoring the presence of its NULL MX.

So the originating MTAs are ignoring the NULL MX and attempting to
deliver to the A hostname, leading me to surmise they are spambots or
zombies.

- mark

> --srs
> 
>> On 28-Feb-2016, at 8:07 AM, Mark Jeftovic  wrote:
>>
>>
>> What is an MTA supposed to do with a message addressed to a domain with
>> a NULL MX?
>>
>> RFC 7505 talks about domains with a NULL MX should not originate email
>> (in their sender envelopes, etc) but what about the converse?
>>
>> I'm looking at some logs and seeing attempts to deliver email to lots of
>> domains with NULL MX enabled (that have been so for years) and wondering
>> if I can safely mine these logs and add all the originating MTA IPs to
>> an internal RBL.
>>
>> I think I can. I think I will.
>>
>> - mark
>>
>> -- 
>> Mark Jeftovic, Founder & CEO, easyDNS Technologies Inc.
>> Company Website: http://easydns.com
>> Read my blog: http://markable.com
>> +1-416-535-8672 ext 225
>>
>> ___
>> mailop mailing list
>> mailop@mailop.org
>> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

-- 
Mark Jeftovic, Founder & CEO, easyDNS Technologies Inc.
Company Website: http://easydns.com
Read my blog: http://markable.com
+1-416-535-8672 ext 225

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

Re: [mailop] proper NULL MX behaviour for MTAs?

2016-02-27 Thread Suresh Ramasubramanian 
A domain with a null mx may well originate email but will absolutely not 
receive email - so mail gets trashed at your end as well without staying 
endlessly on your mall queues 

You can possibly correlate that mx with the behavior of domains that are 
sending you mail.. Though a domain rather than IP bl may make sense.

--srs

> On 28-Feb-2016, at 8:07 AM, Mark Jeftovic  wrote:
> 
> 
> What is an MTA supposed to do with a message addressed to a domain with
> a NULL MX?
> 
> RFC 7505 talks about domains with a NULL MX should not originate email
> (in their sender envelopes, etc) but what about the converse?
> 
> I'm looking at some logs and seeing attempts to deliver email to lots of
> domains with NULL MX enabled (that have been so for years) and wondering
> if I can safely mine these logs and add all the originating MTA IPs to
> an internal RBL.
> 
> I think I can. I think I will.
> 
> - mark
> 
> -- 
> Mark Jeftovic, Founder & CEO, easyDNS Technologies Inc.
> Company Website: http://easydns.com
> Read my blog: http://markable.com
> +1-416-535-8672 ext 225
> 
> ___
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop

___
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop