Browsing through this thread, it looks like another important
scenario has not been considered yet sufficiently: asymmetric
SMTP routing.
An analysis of the sub-cases detailed below shows that all flavors
of EHLO / DNS based authentication discussed recently will not work
in practice.
Two possible cases:
(1) company1.big.example operates distinct inbound and outbound MTAs
- all outbound mail from within company1 is sent to the public
Internet by outbound-mail-gw-{1..n}.company1.big.example ;
such servers do not accept inbound SMTP/SUBMISSION connections
from the public Internet;
- the MX records for company1.big.example point to
inbound-mail-gw-{1..m}.company1.big.example ;
such servers never originate mail to the public Internet.
Typically, all these servers are operated in a DMZ and interface
to the site-local mail backbone system through a firewall; the
latter system manages the <local-part> namespace of company1's
mailbox addresses.
(2) company2.small.example operates an on-site MTA behind a NAT,
but makes use of external (ISP provided) mail services, e.g.
for spam filtering/deletion, virus scanning, resilience
against CPE link downtime, etc.
- all outbound mail from within company2 is sent to the public
Internet directly from mail-gw.company2.small.example ;
- the MX records for company2.small.example point to inbound
MTAs at the ISP, say {pri|sec}-mail.isp2.example ;
after processing and buffering, the remaining messages are
forwarded from the final processing stage (via forwarding rules)
to mail-gw.company2.small.example , which (via preconfigured NAT
mapping and filtering) only accepts inbound SMTP connections
from these systems.
Experience has proven that this configuration is particularly
useful if company2's access link is not a permanent connection,
e.g. a dialup link, where the customer facing ISP systems have
to trigger an ISDN callback from the CPE access router for mail
delivery to company2's site; this configuration may save a lot
of (dial-up line and traffic volume based) costs by avoiding
both polling for new mail and delivery of high-rate spam.
Note: Using non-standard means at the ISP, this may work even
with dynamic IP addresses for the customers.
In both cases, outbound mail is never originated from the systems
listed in MX records for the customer in the public DNS; inbound
EXPN and VRFY to the outbound MTAs are 'prohibited by architecture'
(no policy needs to be configured); the MTA that "oversees" the
<local-part> of site-local mailboxes is not reachable from the
public Internet.
Kind regards,
Alfred.
--
+------------------------+--------------------------------------------+
| TR-Sys Alfred Hoenes   | Alfred Hoenes   Dipl.-Math., Dipl.-Phys.   |
| Gerlinger Strasse 12   | Phone: (+49)7156/9635-0, Fax: -18          |
| D-71254 Ditzingen      | E-Mail:  ah(_at_)TR-Sys(_dot_)de           |
+------------------------+--------------------------------------------+
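The following is an added example, not part of the message above and not code from its author. It models two hypothetical "the sending host must be one of the sender domain's MX hosts" checks (one keyed on the connecting IP address, one on the EHLO name) and runs them offline against constructed DNS tables for the two asymmetric-routing cases described in the post. The outbound hostnames are taken from the post; every IP address, the ISP MX addresses, and the symmetric control domain company3.example are constructed for illustration. The two check flavors are stand-ins for the class of proposal being discussed, not any specific draft.

```python
"""Two hypothetical MX-based sender checks, run offline against constructed
DNS data for the asymmetric SMTP routing cases described in the post."""
import ipaddress

# Constructed zone data (addresses from RFC 5737 documentation ranges, chosen
# for this example); a real checker would query DNS instead of these tables.
MX_RECORDS = {
    # Case (1): MX points at dedicated inbound gateways only.
    "company1.big.example": ["inbound-mail-gw-1.company1.big.example",
                             "inbound-mail-gw-2.company1.big.example"],
    # Case (2): MX points at the ISP's filtering MTAs.
    "company2.small.example": ["pri-mail.isp2.example",
                               "sec-mail.isp2.example"],
    # Symmetric control case (constructed): one host receives and sends.
    "company3.example": ["mail.company3.example"],
}

A_RECORDS = {
    "inbound-mail-gw-1.company1.big.example": ["192.0.2.10"],
    "inbound-mail-gw-2.company1.big.example": ["192.0.2.11"],
    "outbound-mail-gw-1.company1.big.example": ["192.0.2.20"],
    "pri-mail.isp2.example": ["198.51.100.5"],
    "sec-mail.isp2.example": ["198.51.100.6"],
    "mail-gw.company2.small.example": ["203.0.113.7"],
    "mail.company3.example": ["203.0.113.50"],
}


def mx_hosts(domain):
    """MX target hostnames published for domain (empty list if none)."""
    return list(MX_RECORDS.get(domain.lower().rstrip("."), []))


def mx_addresses(domain):
    """Set of IP addresses behind domain's MX hosts."""
    addrs = set()
    for host in mx_hosts(domain):
        for a in A_RECORDS.get(host, []):
            addrs.add(ipaddress.ip_address(a))
    return addrs


def ip_is_mx(mail_from_domain, client_ip):
    """Flavor 1: the connecting IP must belong to one of the sender
    domain's MX hosts."""
    return ipaddress.ip_address(client_ip) in mx_addresses(mail_from_domain)


def ehlo_is_mx(mail_from_domain, ehlo_name):
    """Flavor 2: the EHLO hostname must be one of the sender domain's
    MX hosts."""
    return ehlo_name.lower().rstrip(".") in mx_hosts(mail_from_domain)


def evaluate(sessions):
    """Apply both flavors to (sender domain, client IP, EHLO name) triples
    and return the verdicts keyed by sender domain."""
    return {
        domain: {"ip_is_mx": ip_is_mx(domain, ip),
                 "ehlo_is_mx": ehlo_is_mx(domain, ehlo)}
        for domain, ip, ehlo in sessions
    }


# Constructed SMTP sessions: who actually connects and what it says in EHLO.
SESSIONS = [
    # Case (1): the outbound gateway is never listed in MX.
    ("company1.big.example", "192.0.2.20",
     "outbound-mail-gw-1.company1.big.example"),
    # Case (2): the on-site MTA sends directly; MX names the ISP.
    ("company2.small.example", "203.0.113.7",
     "mail-gw.company2.small.example"),
    # Control: symmetric site where the MX host also originates mail.
    ("company3.example", "203.0.113.50", "mail.company3.example"),
]

if __name__ == "__main__":
    for domain, verdict in evaluate(SESSIONS).items():
        print(f"{domain:24s} {verdict}")
```

Run as-is, both checks reject the legitimate senders of company1.big.example and company2.small.example while accepting the symmetric control domain. The rejections are not a data error: nothing in either domain's public DNS names the host that actually originates its mail, which is exactly the "never originated from the systems listed in MX records" property the post describes.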