At 06:07 2/4/2004, Gustavo Galvan wrote:
>On Tue, 03 Feb 2004 07:57, Terry L Fritts wrote:
> > Tuesday, February 3, 2004 you wrote:
> > CF> This is not good since many domains don't always have complete A
> > CF> or cname records for all of their sending computers (mta or mua)
> > CF> ... Remember many legitimate mail can come indirectly from
> > CF> firewalls and proxies shared by customers at isp level, and the
> > CF> isp don't always add a record for each domain handled by the
> > CF> firewall ... so your test will fail !!
> >
> > Yes, I agree with Gustavo. There are many reasons why mail would
> > come from an ip with no A record: proxies, firewalls, gateways,
> > and probably others.
> >
> > There are also reasons why a server would not have an mx record.
> > For one thing it might not be a mail server in the case of
> > firewalls and proxies. For another there is good reason to not
> > list a sending only smtp server as an MX if you do not want
> > incoming mail or if there are no mail boxes.

I want to toss out here that there are two separate conditions for receiving mail at a mail server - outbound mail (MUA senders) and inbound mail (MTA transfers).

It is not usually possible to apply the same rules to MUA senders as it is to MTA senders - the MUA senders need a more relaxed set of conditions (being able to send from hosts with no MX records, no PTR records, etc), while MTA transfers should be much more restrictive (should have PTR records, MAIL FROM domains should resolve and have MX records, etc). You should clarify which side of the equation you are talking about above. If you're talking solely about MUA senders, then I agree with most of what you said. However, if you're talking about MTA transfers, that's a different story.

I also would note that most MUA senders *should* be authenticated - this prevents unauthorized use of your mail server. For those senders who can't be authenticated (such as firewalls and proxy servers not supporting SMTP AUTH), a local addition to smtprelay.tab will allow them to send, and local whitelisting of the address will allow them to bypass the MTA transfer checks.

The reason for the dichotomy is that MUA senders are assumed to be "trusted" - i.e. they're not trying to abuse your server (at least, hopefully). MTA transfers are inherently "untrusted" - you have no idea who is sending the mail nor where it originated, and hence it should be subject to much more stringent checks.
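As an added illustration of the two-tier policy described in this reply (not code from the thread or from XMail itself), here is a small offline model: the DNS data, the relay-host list standing in for an smtprelay.tab entry, and the whitelist are all constructed assumptions, and the whitelist is keyed by peer IP as one reading of "whitelisting of the address".

```python
# Added example, not from the thread: MUA senders (authenticated or listed
# as a local relay host) get relaxed checks; everything else is treated as
# an untrusted MTA transfer and must pass PTR / MAIL FROM domain / MX checks.
from dataclasses import dataclass

# Constructed DNS view so the example runs offline: PTR per peer IP,
# and per-domain A and MX records.
PTR = {"192.0.2.10": "mail.example.net"}
A = {"example.net": "192.0.2.10", "corp.example": "198.51.100.5"}
MX = {"example.net": "mail.example.net"}

# Stand-ins (assumed, not XMail's real config format) for a local
# smtprelay.tab entry and a whitelisted peer address.
RELAY_HOSTS = {"198.51.100.5"}      # e.g. a firewall/proxy without SMTP AUTH
WHITELIST = {"203.0.113.77"}        # peer allowed to bypass the MTA checks


@dataclass
class Session:
    peer_ip: str
    authenticated: bool
    mail_from: str


def is_mua(s: Session) -> bool:
    """MUA senders: SMTP AUTH succeeded, or the peer is a local relay host."""
    return s.authenticated or s.peer_ip in RELAY_HOSTS


def check_mta(s: Session) -> tuple[bool, str]:
    """Strict checks applied to untrusted MTA transfers."""
    if s.peer_ip in WHITELIST:
        return True, "whitelisted peer bypasses MTA checks"
    if s.peer_ip not in PTR:
        return False, "no PTR record for peer"
    domain = s.mail_from.rpartition("@")[2].lower()
    if domain not in A and domain not in MX:
        return False, f"MAIL FROM domain {domain} does not resolve"
    if domain not in MX:
        # The reply asks for an MX record; note that RFC 5321 also allows
        # receivers to fall back to the A record when no MX exists.
        return False, f"MAIL FROM domain {domain} has no MX record"
    return True, "MTA checks passed"


def decide(s: Session) -> tuple[bool, str]:
    """Return (accepted, reason) for one SMTP session."""
    if is_mua(s):
        return True, "MUA sender: relaxed checks"
    return check_mta(s)
```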
