Robert LeBlanc wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Daryl C. W. O'Shea wrote:
Robert LeBlanc wrote:

Connections arriving on port 25 can be assumed to come from
servers with MX records, so that becomes a testable assumption and a
precondition for connection.
Since when?  If I rejected mail on that condition I would never have
received your message.

Are you suggesting that mail.apache.org does not have a MX record
associated with it?

Uh, yeah.

[EMAIL PROTECTED] dos]$ dig mx mail.apache.org | grep ANSWER
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0


My point (taken out of context in your quote above) was that /if/ you
segregate your traffic between port 25 and a submission port, such that
all of your client traffic connects and authenticates via the submission
port, /then/ you can tighten the restrictions on your port 25
connections, because all you should be accepting on that port thereafter
is MX-to-MX traffic.  Any legitimate client-to-MX traffic should be
going to your submission port.

How was that out of context? You said that if you're only expecting mail from non-local domains ("MX-to-MX") on port 25 you can reject hosts if they don't have an MX record. That's not true and that's what I said.


Daryl
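The disagreement above turns on which DNS name a port-25 policy actually checks. The following Python is an added illustration, not code from either poster or from any MTA: it models the "connecting host must have an MX record" precondition over a constructed, offline DNS table (the real answers for these names are whatever `dig` returns when you run it), and shows that the name of an outbound relay such as mail.apache.org can legitimately have only an A record. As a contrast that goes beyond what the thread states, it also includes a hypothetical check against the envelope sender's domain (MX, falling back to A), which is the name a resolvability test would normally target.

```python
from typing import Callable, Dict, List

RecordLookup = Callable[[str, str], List[str]]

# Constructed DNS data standing in for live resolver answers; addresses
# are from the RFC 5737 documentation range, not real ones.
CONSTRUCTED_ZONE: Dict[str, Dict[str, List[str]]] = {
    "mail.apache.org":  {"A": ["192.0.2.10"]},                          # outbound MTA: A only, no MX
    "apache.org":       {"A": ["192.0.2.1"], "MX": ["mx1.apache.org"]},
    "mx1.apache.org":   {"A": ["192.0.2.20"]},
    "example.net":      {"A": ["198.51.100.5"], "MX": ["mail.example.net"]},
    "mail.example.net": {"A": ["198.51.100.6"]},                        # MX target, no MX of its own
}


def offline_lookup(name: str, rtype: str) -> List[str]:
    """Resolver stand-in: returns the records of type `rtype` for `name`,
    or [] when the ANSWER section would be empty (NXDOMAIN or NODATA)."""
    return CONSTRUCTED_ZONE.get(name.rstrip(".").lower(), {}).get(rtype, [])


def host_has_mx_policy(connecting_host: str, lookup: RecordLookup = offline_lookup) -> str:
    """The precondition debated in the thread: a port-25 peer is accepted
    only if its own hostname has an MX record."""
    if lookup(connecting_host, "MX"):
        return "accept"
    return "reject: connecting host has no MX record"


def sender_domain_resolvable_policy(sender_domain: str,
                                    lookup: RecordLookup = offline_lookup) -> str:
    """Hypothetical contrast (not from the thread): require that the
    envelope sender's *domain* has an MX record or, failing that, an A
    record, so mail to it could be routed back."""
    if lookup(sender_domain, "MX") or lookup(sender_domain, "A"):
        return "accept"
    return "reject: sender domain has no MX or A record"


def evaluate_connection(connecting_host: str, sender_domain: str,
                        lookup: RecordLookup = offline_lookup) -> Dict[str, str]:
    """Run both policies against one inbound SMTP connection."""
    return {
        "host_mx_policy": host_has_mx_policy(connecting_host, lookup),
        "sender_domain_policy": sender_domain_resolvable_policy(sender_domain, lookup),
    }


if __name__ == "__main__":
    # The case from the thread: a message relayed by mail.apache.org for a
    # sender at apache.org, plus a second relay that is itself an MX target.
    for host, domain in [("mail.apache.org", "apache.org"),
                         ("mail.example.net", "example.net")]:
        print(host, domain, evaluate_connection(host, domain))
```

Running it shows the host-based rule rejecting both relays even though both sender domains are fully routable, which is the false positive Robert's dig output demonstrates: the host that hands you mail is not required to be a host that receives it.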
