Hi peeps,
I've tried hard to work out a requirement for an additional DNS RR (RMX -
Danisch Draft) for authentication, but can't understand why MXs alone
can't be used. I must be missing something somewhere. Why can't you just
resolve the given envelope sender domain, check all of the MX hostnames
and see if any of them matches your connecting machine's IP after
resolution to addresses? The hostname could come either from the SMTP
client greeting (helo/ehlo) or the sender domain, and MX resolution could
be recursive (including checks to ensure no infinite recursion). Now, so
long as all possible output relays for a domain are an MX, there's no
problem, right? (Or is this not what happens in the real world?) Even if
an IP's RDNS resolves to a name completely different from the domain, which
happens for people using DDNS on fast connections to the net (cable/etc),
the solution still works. It just needs properly coordinated configuration
of MTAs (so that ehlo/helo resolves to the owner FQDN) and checking code
which would ensure that a given hostname was stripped to form all possible
domains for checking (to ensure that a host doesn't get refused if it is a
relay with the same domain name, e.g. xyz.example.org checked as example.org).
Anything need clarifying? Please ask. I'll be back when the flames die
down a little and someone has put the idea right out... If my
understanding is messy, please let me know where. :-)
Cheers,
Sabahattin
--
Thought for the day:
The only thing that hurts more than paying income tax
is not having to pay income tax.
Latest PGP Public key? Click:
<mailto:PGPPublicKey(_at_)sabahattin-gucukoglu(_dot_)com>
and send that message as is.
Sabahattin Gucukoglu
Phone: +44 (0)20 7,502-1615
Mobile: +44 (0)7986 053399
http://www.sabahattin-gucukoglu.com/
E-mail or MSN Messenger: <mail(_at_)Sabahattin-Gucukoglu(_dot_)com>
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
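
The check proposed in this message, sketched as an added example that is not part of the original post. The zone tables, hostnames, addresses and function names are constructed, and dictionaries stand in for real DNS queries; the data includes a domain whose outbound relay is not an MX, which is the case the message asks about.

```python
import ipaddress

# Constructed zone data standing in for live DNS queries (reserved example names/addresses).
MX = {
    "example.org": ["mx1.example.org", "mx2.example.org"],
    "example.net": ["inbound.example.net"],
    "loop-a.example": ["loop-b.example"],   # deliberate MX loop
    "loop-b.example": ["loop-a.example"],
}
A = {
    "mx1.example.org": ["192.0.2.10"],
    "mx2.example.org": ["192.0.2.11"],
    "inbound.example.net": ["198.51.100.5"],
    "outbound.example.net": ["198.51.100.77"],  # sends mail but is not listed as an MX
}

def candidate_domains(name):
    """Strip leading labels: xyz.example.org -> [xyz.example.org, example.org].

    Stops before the bare top-level label only; it has no notion of
    multi-label public suffixes such as co.uk.
    """
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]

def mx_addresses(domain, seen=None):
    """Addresses of a domain's MX hosts, following MX records recursively."""
    seen = set() if seen is None else seen
    if domain in seen:              # already visited: break the recursion loop
        return set()
    seen.add(domain)
    addrs = set()
    for host in MX.get(domain, []):
        addrs.update(ipaddress.ip_address(a) for a in A.get(host, []))
        addrs |= mx_addresses(host, seen)   # an MX target may have MX records itself
    return addrs

def sender_is_mx(client_ip, name):
    """True if client_ip is an MX address of name or of one of its parent domains."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in mx_addresses(d) for d in candidate_domains(name))

if __name__ == "__main__":
    for ip, name in [("192.0.2.11", "example.org"),        # listed MX
                     ("192.0.2.10", "xyz.example.org"),    # HELO name stripped to parent
                     ("198.51.100.77", "example.net"),     # outbound-only relay
                     ("203.0.113.9", "example.org")]:      # unrelated host
        print(ip, name, sender_is_mx(ip, name))
```

With this data the outbound-only relay of example.net is refused even though it legitimately sends for that domain, because the check only knows about hosts published as MX.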