Re: How to mark domains that do / do not wish to receive email

2008-03-28 10:31:21

    turning off smtp service to a domain == NOT an email domain.
    forcing SMTP to require DNS lookups indicates that anyone
    who can hijack the DNS data can redirect your DNS lookups
    to someplace that does SMTP w/o your permission and can
    do all sorts of nastiness.

    do you want one attack vector or two?

      What's the difference between "MX 0 ." and "MX 0 badhost"?

      I don't believe codifying "MX 0 ." changes the threat level.

Given that some widely deployed MTAs already support the . convention, if
anything it lowers it. If the convention changes, those MTAs will likely
require a code change.

There are also MTAs that, independent of any built-in checks, have a hook
to allow additional checks to be done per-site (ours is one of these).
Such an MTA can be configured to support any new convention we come up
with, but now we're depending on people deploying things to Do the Right
Thing, at least until once again coding changes can be made.
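
[Added example, not part of the original message and not any MTA's actual hook API: a sketch of the kind of per-site check discussed above, showing how "MX 0 ." differs from "MX 0 badhost" at delivery time. The names `MX`, `mx_policy` and the `has_address` flag are hypothetical, the record sets are constructed, and skipping a "." target that appears alongside real hosts is an assumption.]

```python
from typing import List, NamedTuple, Tuple


class MX(NamedTuple):
    preference: int
    exchange: str  # target host name as returned by the resolver


def _norm(name: str) -> str:
    """Lower-case and drop the trailing dot; the root name "." becomes ""."""
    return name.strip().lower().rstrip(".")


def mx_policy(domain: str, mx_rrset: List[MX], has_address: bool) -> Tuple[str, List[str]]:
    """Decide what a sending MTA does with mail for `domain`.

    Returns ("reject", []) when the domain cannot or will not take mail,
    or ("deliver", hosts) with the hosts to try in preference order.
    """
    if not mx_rrset:
        # No MX at all: SMTP falls back to the domain's own address records.
        return ("deliver", [_norm(domain)]) if has_address else ("reject", [])

    ordered = sorted(mx_rrset, key=lambda mx: mx.preference)
    targets = [_norm(mx.exchange) for mx in ordered]

    if all(t == "" for t in targets):
        # "MX 0 .": fail immediately. No address lookup, no connection
        # attempt, no queueing and retrying before the sender hears back.
        return ("reject", [])

    # Assumption: a "." target mixed in with real hosts is skipped.
    return ("deliver", [t for t in targets if t])


if __name__ == "__main__":
    # Constructed record sets for an illustrative domain.
    print(mx_policy("example.test", [MX(0, ".")], has_address=True))
    # "MX 0 badhost" still looks deliverable: the MTA must resolve the
    # target, try to connect, and typically queue until retries expire.
    print(mx_policy("example.test", [MX(0, "badhost.example.test.")], has_address=True))
    print(mx_policy("example.test", [], has_address=True))
```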


