ietf-asrg

Re: [Asrg] MXs Used As Authentication - Why RMX?

2003-08-25 03:37:39
On 2003-08-25 09:13:27 +0100, Sabahattin Gucukoglu wrote:
> I've tried hard to work out a requirement for an additional DNS RR (RMX -
> Danisch Draft) for authentication, but can't understand why MXs alone
> can't be used.  I must be missing something somewhere.  Why can't you just
> resolve the given envelope sender domain, check all of the MXs hostnames
> and see if any of them matches your connecting machine's IP after
> resolution to addresses?
> [...]
> Now, so long as all possible output relays for a domain are an MX,
> there's no problem, right? (Or is this not what happens in the
> real-world?)

It does happen in the real world, and it is probably even the most common
case. But it is not the only case. Some organizations have different
mail servers for incoming and outgoing mail traffic. In this case only
the servers for incoming mail are listed in MX records, but mail always
never comes from those. 

Also, you cannot determine from the existence of an MX record that all
mail must come from a certain set of hosts. We have MX records for our
domains, but people working at home are encouraged to use the SMTP
server of their internet provider. 

Somebody suggested picking a high priority value (e.g., 54321) to mean
"this is an RMX". This would probably work, but it is a kludge.

        hp


-- 
   _  | Peter J. Holzer    | Humor without emoticons is dry humor.
|_|_) | Sysadmin WSR       | 
| |   | hjp(_at_)hjp(_dot_)at         | -- Toni Grass in aip
__/   | http://www.hjp.at/ |
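
The MX-only check discussed in this message, run against the cases the reply raises, as an added example that is not part of the original thread. The zone data, host names, addresses and sessions are constructed (documentation-reserved ranges), and `mx_check` is a hypothetical helper name.

```python
import ipaddress

# Constructed sample DNS data (documentation-reserved names and addresses).
ZONE = {
    "MX": {
        "example.org": [(10, "mx1.example.org"), (20, "mx2.example.org")],
        "example.net": [(10, "mail.example.net")],
    },
    "A": {
        "mx1.example.org": ["192.0.2.10"],
        "mx2.example.org": ["192.0.2.11"],
        "mail.example.net": ["198.51.100.5"],
    },
}

def mx_addresses(domain, zone=ZONE):
    """Resolve every MX host of `domain` to a set of IP addresses."""
    addrs = set()
    for _pref, host in zone["MX"].get(domain.lower(), []):
        for a in zone["A"].get(host, []):
            addrs.add(ipaddress.ip_address(a))
    return addrs

def mx_check(envelope_sender, client_ip, zone=ZONE):
    """Return 'pass', 'fail' or 'none' for the MX-as-authorization check."""
    domain = envelope_sender.rpartition("@")[2]
    addrs = mx_addresses(domain, zone)
    if not addrs:
        return "none"  # no MX data: the check says nothing
    return "pass" if ipaddress.ip_address(client_ip) in addrs else "fail"

# Constructed sessions: (envelope sender, connecting IP, what it really is)
SESSIONS = [
    ("alice@example.org", "192.0.2.10", "sent via inbound MX"),
    ("bob@example.net", "198.51.100.77", "dedicated outbound relay, not an MX"),
    ("carol@example.org", "203.0.113.25", "home user via ISP's SMTP server"),
    ("mallory@example.org", "203.0.113.99", "forged sender, unrelated host"),
]

def evaluate(sessions=SESSIONS):
    """Run the check over every session and keep the ground-truth note."""
    return [(s, ip, mx_check(s, ip), note) for s, ip, note in sessions]

if __name__ == "__main__":
    for s, ip, verdict, note in evaluate():
        print(f"{verdict:4}  {s:22} {ip:15} {note}")
```

The legitimate outbound relay and the home user receive the same verdict as the forged sender, so the MX set alone cannot separate them.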
