[Mimedefang] MX -> 127.0.0.1

Kevin A. McGrail kmcgrail at pccc.com
Mon Oct 24 05:07:40 EDT 2005 

> Sorry, I'm coming a little late to this discussions, but I have
> a few hopefully useful suggestions.

Wow, what a great response, no apologies needed.  I'll go through it point
by point!

> Actually, "use Net::DNS;" should be at the top of your file, it doesn't
need
> to be in a subroutine (in fact, it's better not to). "use" is a compile-
> time statement, not a runtime statement.

>From my perspective, it's really just a coding-standard but understand what
you are saying and will move on.

> So for example, we don't reject
> outright on private IP space in MX records, as long as there are
> other reachable addresses too.

I chose to only check the primary MX because my analysis showed that it was
likely to be a "good" test to get rid of unwanted junk mail.  I also agree
with you and do not personally bounce based on privatized IP usage but I
think I see what you are saying.

> - in case there's no MX record, you can just take the domain itself
>   as a degenerate form of MX host, and look for the A record of that.
>   This behaviour is actually a backward-compatible form of mail sending
>   from before MX records were invented. It's still used occasionally.

I actually allowed this with the implicit acceptance of unchecked answers
but I have added a check for the implicit A record as MX

> - sendmail (and possibly other MTAs) will actually understand this
>   grossly wrong MX record:
>
> example.com.     IN MX 10 12.34.56.78.
>
>   And use the "hostname" there as the IP address. (Of course, if you
>   want your MTA to help fight for a better world, you'd probably want
>   to RST your TCP connection to any loser mailing from such a domain
>   with a christmas tree of death packet. But I digress...)

Technically, DNS handles this as a CNAME which isn't RFC compliant for email
but I'm choosing to follow sendmail's lax interpretation to prevent false
positives.  I believe this will definitely now pass v2 of the check stub.

> - you don't handle domains with mail exchanges only reachable via IPv6.

Since I am implicitly accepting unchecked answers, I believe this is OK.
However, I have no access to IPv6 and no way to work on this.

> - if an MX record doesn't resolve at all, you can also consider it
>   a malicious error (this one is quite common even).

I'm dropping that at a sendmail level and expect others to do so as well.
Therefore, I'm considering a non-resolve as an internal problem or timeout
issue.  Since I set the timeout to only 4 seconds for DNS queries, I aiming
for a shotgun, get a lot of bad guys approach.

> - The domain could be in the form [127.0.0.1], causing your MX lookup
>   to fail (in which case you currently accept).

Can you give me an example email address that has DNS that does this?

> - The domain could even be [IPv6:2222::1234:5678:9abc:def0] (but we
>   currently reject this, it's too obscure).

Can you give me an example email address that has DNS that does this?

> - This specific syntax:

> example.com   IN MX 0 .
>
>   is commonly understood to mean "this domain does not do email at all",
>  So we currently
>   only block on "MX 0 ." when it's the only MX record (or only one in
>   a set of equal preferenced records).

I've implemented a basic check for this, thanks for the detailed info.  I am 
only block if the MX at priority 0 is a period (which translates as blank).

> - We explicitly test for lone hostnames and non-existing TLDs to give
>   understandable error messages. These cases are usually due to
>   incompetence, and the reject messages are actually read by users.

I believe sendmails resolution checks will bounce non-existent TLDs but what
is a lone hostname?

I've started adding error messages so they can be passed back to the user.

> - We test the MX records per preference level, in order. The first set
>   to return an "OK" status aborts the search. At the "most preferred"
>   (lowest-numbered) level, we do allow for private IP space or
>   non-existing hostnames, but the overall check will only succeed if
>   there is another set of lower-preference MX records with valid IP
>   addresses.
>
>   The idea here is that this setup would "commonly work" and we're able
>   to connect back to some MX records to deliver bounces, if any.

If you were to fail on internal network tests, this is the only way to go.

> - Finally, we test inside filter_sender, HOWEVER we don't generate
>   an error until filter_recipient, and we explicitly exclude a few
>   recipients (like abuse@) just in case our logic is wrong or someone
>   really feels they should be able to mail us from a domain with
>   invalid MX records.

Feedback on this code appreciated.  Would especially appreciate email
address that should be used to test the code either in a pass or fail
capacity.

http://www.peregrinehw.com/downloads/MIMEDefang/contrib/check_primary_mx_stub-v2.pl

Regards,
KAM

More information about the MIMEDefang mailing list