On Mon, Aug 25, 2003 at 09:13:27AM +0100, Sabahattin Gucukoglu wrote:
> Hi peeps,
> I've tried hard to work out a requirement for an additional DNS RR (RMX -
> Danisch Draft) for authentication, but can't understand why MXs alone
> can't be used. I must be missing something somewhere. Why can't you just
> resolve the given envelope sender domain, check all of the MXs hostnames
> and see if any of them matches your connecting machine's IP after
> resolution to addresses? The hostname could come either from the SMTP
> client greeting (helo/ehlo) or the sender domain, and MX resolution could
> be recursive (including checks to ensure no infinite recursion). Now, so
> long as all possible output relays for a domain are an MX, there's no
> problem, right? (Or is this not what happens in the real-world?)
Real world example... me. I got my own domain (waltdnes.org) while
changing ISPs. When I realised all the lists I'd have to unsubscribe
from (old address) and resubscribe to (new address) plus all the people
I'd have to notify, I decided to make sure this would be the last time.
The only real guarantee of a "lifetime address" is one's own personal
domain. So here's my situation...
- I live in Toronto, Ontario
- my "connectivity ISP" is IStop.com.
- My email is generally sent from IStop.com's MTA.
- IStop is owned by Ralph Doncaster; actually it's a subsidiary of
DCI (Doncaster Consulting Inc)
- Here's a "dig" on istop.com
; <<>> DiG 9.2.1 <<>> @dci.doncaster.on.ca istop.com any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14615
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 3
;; QUESTION SECTION:
;istop.com. IN ANY
;; ANSWER SECTION:
istop.com. 86400 IN NS dci.doncaster.on.ca.
istop.com. 86400 IN NS ns.istop.com.
istop.com. 86400 IN A 66.11.168.194
istop.com. 86400 IN SOA ns.doncaster.on.ca.
root.doncaster.on.ca. 2003082201 14400 720 604800 86400
istop.com. 86400 IN MX 10 mail.istop.com.
;; AUTHORITY SECTION:
istop.com. 86400 IN NS dci.doncaster.on.ca.
istop.com. 86400 IN NS ns.istop.com.
;; ADDITIONAL SECTION:
dci.doncaster.on.ca. 864 IN A 66.11.168.194
ns.istop.com. 86400 IN A 66.11.168.199
mail.istop.com. 86400 IN A 66.11.168.199
- I usually send my email via smtp.istop.com, but that's not the
primary name of that IP address
[waltdnes(_at_)m450 waltdnes]$ host smtp.istop.com
smtp.istop.com has address 66.11.168.194
[waltdnes(_at_)m450 waltdnes]$ host 66.11.168.194
194.168.11.66.in-addr.arpa domain name pointer dci.doncaster.on.ca.
- Here's sample headers that the list sees coming from me...
Received: from dci.doncaster.on.ca ([66.11.168.194] helo=smtp.istop.com)
by ietf-mx with esmtp (Exim 4.12)
id 19ordy-0002mx-00
for asrg(_at_)ietf(_dot_)org; Mon, 18 Aug 2003 17:34:26 -0400
Received: from waltdnes.org (ip123-165.tor.istop.com [66.11.165.123])
by smtp.istop.com (Postfix) with SMTP id D473A36974
for <asrg(_at_)ietf(_dot_)org>; Mon, 18 Aug 2003 17:34:20 -0400 (EDT)
Received: by waltdnes.org (sSMTP sendmail emulation); Mon, 18 Aug 2003 17:34:19
-0400
The "fun" doesn't end here. My personal domain is registered via
DomainDirect.com. The default MX is in the waltdnes.org domain, but
it's just an alias for a cp.net (Critical Path) MTA, which then
re-directs to the ISP of my choosing. I'm allowed to edit my zone file
(everything except SOA). When South Korea started pounding on me with
multiple Korean-language spams per day, I got annoyed enough to pay for
another account that allows me to personally control DNSbls, etc, and
reject during the SMTP transaction (just after RCPT:). Clss.net allows
me to point my MX record at them. It has to be done that way for DNSbls
to work. So here's the data on my domain...
; <<>> DiG 9.2.1 <<>> @ns1.domaindirect.com waltdnes.org any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26521
;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 3, ADDITIONAL: 4
;; QUESTION SECTION:
;waltdnes.org. IN ANY
;; ANSWER SECTION:
waltdnes.org. 3600 IN MX 10 manson.clss.net.
waltdnes.org. 3600 IN A 216.40.33.117
waltdnes.org. 3600 IN NS ns1.domaindirect.com.
waltdnes.org. 3600 IN NS ns2.domaindirect.com.
waltdnes.org. 3600 IN NS ns3.domaindirect.com.
waltdnes.org. 3600 IN SOA ns1.domaindirect.com.
hostmaster.domaindirect.com. 2084608802 10800 3600 2592000 86400
;; AUTHORITY SECTION:
waltdnes.org. 3600 IN NS ns1.domaindirect.com.
waltdnes.org. 3600 IN NS ns2.domaindirect.com.
waltdnes.org. 3600 IN NS ns3.domaindirect.com.
;; ADDITIONAL SECTION:
manson.clss.net. 148675 IN A 65.211.158.2
ns1.domaindirect.com. 527 IN A 216.40.33.21
ns2.domaindirect.com. 111264 IN A 216.40.33.22
ns3.domaindirect.com. 268 IN A 216.40.33.24
To summarize, here's a real life example...
- mail sent from dci.doncaster.on.ca, HELOing as "smtp.istop.com", both
names have the same IP address
- my MX record is currently manson.clss.net
How would your system handle it?
--
Walter Dnes <waltdnes(_at_)waltdnes(_dot_)org>
Email users are divided into two classes;
1) Those who have effective spam-blocking
2) Those who wish they did
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
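Walter's scenario run through the MX-only check that the quoted mail proposes, as an added example (not code from either poster). The DNS data is a constructed in-memory table copied from the dig and host output in the thread; the recursion limit and the loop guard are assumptions, not anything either poster specified.

```python
"""MX-based sender check over a constructed DNS table (example code,
not part of the original mail thread)."""
import ipaddress

# Constructed lookup table: (name, type) -> rdata list, copied from the
# dig/host output quoted in the thread.
ZONE = {
    ("istop.com", "MX"): ["mail.istop.com"],
    ("mail.istop.com", "A"): ["66.11.168.199"],
    ("smtp.istop.com", "A"): ["66.11.168.194"],
    ("dci.doncaster.on.ca", "A"): ["66.11.168.194"],
    ("waltdnes.org", "MX"): ["manson.clss.net"],
    ("waltdnes.org", "A"): ["216.40.33.117"],
    ("manson.clss.net", "A"): ["65.211.158.2"],
}

def lookup(name, rtype):
    return ZONE.get((name.rstrip(".").lower(), rtype), [])

def mx_addresses(domain, depth=0, seen=None):
    """Collect the A records of a domain's MX hosts, following MX chains
    recursively with a loop guard, as the quoted mail suggests."""
    seen = set() if seen is None else seen
    key = domain.rstrip(".").lower()
    if key in seen or depth > 5:        # assumed limit: stop infinite recursion
        return set()
    seen.add(key)
    addrs = set()
    for mx in lookup(key, "MX"):
        addrs.update(lookup(mx, "A"))
        addrs |= mx_addresses(mx, depth + 1, seen)  # the MX host may itself have MXs
    return addrs

def mx_check(client_ip, helo, mail_from_domain):
    """True if the connecting IP is an MX of the HELO name or of the
    envelope sender domain; this is the MX-only scheme asked about."""
    ip = str(ipaddress.ip_address(client_ip))
    return any(ip in mx_addresses(name) for name in (helo, mail_from_domain))

def walter_case():
    # From the thread: relay 66.11.168.194 HELOs as smtp.istop.com,
    # envelope sender is waltdnes.org, whose MX is manson.clss.net.
    return mx_check("66.11.168.194", "smtp.istop.com", "waltdnes.org")

if __name__ == "__main__":
    print("accepted by MX-only check:", walter_case())
```

Walter's legitimate message fails the check because his outbound relay is not an MX for any of the names involved, while mail from istop.com sent through mail.istop.com passes.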