
Re: RFC 5321bis / 2821ter -- DNS based checking

2009-01-28 09:31:21

Browsing through this thread, it looks like another important
scenario has not been considered yet sufficiently: asymmetric
SMTP routing.

An analysis of the sub-cases detailed below shows that all flavors
of EHLO / DNS based authentication discussed recently will not work
in practice.

Two possible cases:

(1)  company1.big.example  operates distinct inbound and outbound MTAs

   - all outbound mail from within company1 is sent to the public
     Internet by  outbound-mail-gw-{1..n}.company1.big.example ;
     such servers do not accept inbound SMTP/SUBMISSION connections
     from the public Internet;

   - the MX records for company1.big.example point to
     inbound-mail-gw-{1..m}.company1.big.example ;
     such servers never originate mail to the public Internet.

     Typically, all these servers are operated in a DMZ and interface
     to the site-local mail backbone system through a firewall; the
     latter system manages the <local-part> namespace of company1's
     mailbox addresses.

(2)  company2.small.example  operates an on-site MTA behind a NAT,
     but makes use of external (ISP provided) mail services, e.g.
     for spam filtering/deletion, virus scanning, resilience
     against CPE link downtime, etc.

   - all outbound mail from within company2 is sent to the public
     Internet directly from  mail-gw.company2.small.example ;

   - the MX records for company2.small.example point to inbound
     MTAs at the ISP, say  {pri|sec}-mail.isp2.example ;
     after processing and buffering, the remaining messages are
     forwarded from the final processing stage (via forwarding rules)
     to mail-gw.company2.small.example , which (via preconfigured NAT
     mapping and filtering) only accepts inbound SMTP connections
     from these systems.

     Experience has proven that this configuration is particularly
     useful if company2's access link is not a permanent connection,
     e.g. a dialup link, where the customer facing ISP systems have
     to trigger an ISDN callback from the CPE access router for mail
     delivery to company2's site; this configuration may save a lot
     of (dial-up line and traffic volume based) costs by avoiding
     both polling for new mail and delivery of high-rate spam.

     Note: Using non-standard means at the ISP, this may work even
     with dynamic IP addresses for the customers.

In both cases, outbound mail is never originated from the systems
listed in MX records for the customer in the public DNS; inbound
EXPN and VRFY to the outbound MTAs are 'prohibited by architecture'
(no policy needs to be configured); the MTA that "oversees" the
<local-part> of site-local mailboxes is not reachable from the
public Internet.

Kind regards,


| TR-Sys Alfred Hoenes   |  Alfred Hoenes   Dipl.-Math., Dipl.-Phys.  |
| Gerlinger Strasse 12   |  Phone: (+49)7156/9635-0, Fax: -18         |
| D-71254  Ditzingen     |  E-Mail:  ah(_at_)TR-Sys(_dot_)de                  |
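The argument above, as an added example that is not part of the original post: a toy model of the "is the connecting MTA one of the sender domain's MX hosts?" flavor of DNS based checking, run against both asymmetric-routing cases. The zone data, host names and addresses are constructed for the example; `passes_mx_check` and `evaluate_scenarios` are hypothetical helpers, not code from any real MTA.

```python
# Added example (not from the original post): a toy model of the
# "does the connecting MTA appear among the sender domain's MX hosts?"
# check, applied to the two asymmetric-routing setups described above.
# All names, addresses and records are constructed for this example.
from __future__ import annotations

# Constructed zone data: MX targets per domain, A records per hostname.
MX: dict[str, list[str]] = {
    "company1.big.example": ["inbound-mail-gw-1.company1.big.example",
                             "inbound-mail-gw-2.company1.big.example"],
    "company2.small.example": ["pri-mail.isp2.example",
                               "sec-mail.isp2.example"],
}
A: dict[str, str] = {
    "inbound-mail-gw-1.company1.big.example": "192.0.2.10",
    "inbound-mail-gw-2.company1.big.example": "192.0.2.11",
    "outbound-mail-gw-1.company1.big.example": "192.0.2.20",
    "pri-mail.isp2.example": "198.51.100.5",
    "sec-mail.isp2.example": "198.51.100.6",
    "mail-gw.company2.small.example": "203.0.113.7",
}


def mx_addresses(domain: str) -> set[str]:
    """Resolve each MX target of `domain` to its address (toy lookup)."""
    return {A[host] for host in MX.get(domain, []) if host in A}


def passes_mx_check(sender_domain: str, peer_ip: str) -> bool:
    """The check under discussion: accept only if the peer IP belongs to
    one of the sender domain's MX hosts. In both scenarios the legitimate
    outbound MTA is not an MX host, so this returns False for real mail."""
    return peer_ip in mx_addresses(sender_domain)


def evaluate_scenarios() -> dict[str, bool]:
    """Run the check for the legitimate outbound MTA of each scenario,
    plus one inbound MX host as a control (it would pass, but by design
    it never originates mail to the public Internet)."""
    c1, c2 = "company1.big.example", "company2.small.example"
    return {
        "company1 outbound-mail-gw-1":
            passes_mx_check(c1, A["outbound-mail-gw-1.company1.big.example"]),
        "company2 mail-gw":
            passes_mx_check(c2, A["mail-gw.company2.small.example"]),
        "company1 inbound-mail-gw-1 (never originates)":
            passes_mx_check(c1, A["inbound-mail-gw-1.company1.big.example"]),
    }


if __name__ == "__main__":
    for label, ok in evaluate_scenarios().items():
        print(f"{label}: {'accepted' if ok else 'REJECTED'}")
```

Both legitimate senders are rejected and only the host that never sends would pass, which is the false-rejection behaviour the post describes.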
