[Mimedefang] Mail Admin Question

Kevin A. McGrail KMcGrail at pccc.com
Fri Aug 17 14:08:34 EDT 2012


On 8/17/2012 1:49 PM, David F. Skoll wrote:
> Proficiency at installing Exchange is *inversely* correlated with
> competence.
>> Wow ... where did all this come from?
> Years of customer support for lots of small businesses who use
> Exchange.
Now you missed the perfect snarky moment to tell Jon we were actually 
talking about him.
> Pop quiz: How many Microsoft shops do you know who name all their
> servers with FQDNs ending in ".local" or ".lan"?  How many Microsoft
> Exchange installations do you know that don't reject nonexistent RCPT:
> commands?  (Answer to both questions: Most of them.)
To play devil's advocate, I actually can put a good spin on both of these.

A) Microsoft's Active Directory Domains pre-date the general concept of 
Internet Domains.  When the two got combined, it caused a lot of issues, 
and especially causes issues when an AD thinks it is named, for example, 
rp.com but isn't authoritative for DNS.

The "correct" solution is to name the server locally rp.local since it 
isn't a real internet domain and then use rp.com in the FQDN for the 
forward facing ports like SMTP.

And to Microsoft's credit, I'm pretty sure this has been in their best 
practices for at least a decade.  I believe starting with SBS 2003 they 
now enforce using .local because that's really for Active Directory.

B) Many people, Microsoft included, consider responding to nonexistent 
RCPT commands as a security vulnerability because it answers whether an 
account is valid or not.  A search of PrivacyOptions and noexpn, novrfy 
will validate that this isn't just Microsoft's position.

So while I agree with your position on #B about email, from a security 
perspective, I can be swayed that acknowledging if an email is 
valid isn't necessarily a good thing.  I choose to do it but only after 
vetting the pros and cons.

Regards,
KAM
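For readers weighing point B, here is an added example (not from the post above, and not part of MIMEDefang itself) of a MIMEDefang filter_recipient hook that rejects unknown local recipients at RCPT time instead of accepting and bouncing later; the rp.com domain, the user table and the helper names are constructed for illustration.

```perl
# Added example: reject nonexistent local recipients during the SMTP
# RCPT TO: phase. Assumes mimedefang is started with -t so that
# filter_recipient is called. The user table and domain are constructed;
# a real deployment would consult LDAP/AD or a generated list instead.
use strict;
use warnings;

# Constructed local-domain and valid-user tables (lower-cased).
my %local_domains = ('rp.com' => 1);
my %valid_users   = map { $_ => 1 }
    qw(alice@rp.com bob@rp.com postmaster@rp.com);

# Strip angle brackets and lower-case the address for lookup.
sub canonical_address {
    my ($addr) = @_;
    $addr =~ s/^\s*<//;
    $addr =~ s/>\s*$//;
    return lc $addr;
}

# Returns 1 if the address is for a domain we handle and the user exists,
# 0 if the domain is ours but the user is unknown, and undef for
# non-local domains (which we leave to normal relay rules).
sub local_recipient_status {
    my ($addr) = @_;
    my ($user, $domain) = split /@/, $addr, 2;
    return undef unless defined $domain && $local_domains{$domain};
    return $valid_users{$addr} ? 1 : 0;
}

# MIMEDefang hook; argument order follows the filter_recipient interface.
sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;

    my $addr   = canonical_address($recipient);
    my $status = local_recipient_status($addr);

    # Not one of our domains: let sendmail's relay rules decide.
    return ('CONTINUE', 'ok') unless defined $status;
    return ('CONTINUE', 'ok') if $status;

    # Known local domain, unknown user: reject now rather than generate
    # a bounce later. This is the "answers whether an account is valid"
    # trade-off discussed above, so log it for visibility.
    md_syslog('info', "Rejecting RCPT for unknown local user $addr from $ip");
    return ('REJECT', 'User unknown');
}
```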
