[Mimedefang] Mail Admin Question

David F. Skoll dfs at roaringpenguin.com
Fri Aug 17 14:21:40 EDT 2012


On Fri, 17 Aug 2012 14:08:34 -0400
"Kevin A. McGrail" <KMcGrail at pccc.com> wrote:

> A) Microsoft's Active Directory Domains pre-date the general concept
> of Internet Domains.  When the two got combined it causes a lot of
> issues and especially causes issues when an AD thinks it is named,
> for example, rp.com but isn't authoritative for DNS.

> The "correct" solution is to name the server locally rp.local since
> it isn't a real internet domain and then use rp.com in the FQDN for
> the forward facing ports like SMTP.

Umm... no.  The correct solution would be to fix AD so it doesn't get
confused by accurate Internet FQDNs.  If AD is confused by them, then
it's a design problem with AD.  Naming machines "rp.local" is a truly
horrible workaround.

> B) Many people, Microsoft included, consider responding to
> nonexistent RCPT commands as a security vulnerability because it
> answers whether an account is valid or not.

Right.  So it's better to generate DSNs and get yourself blacklisted
for backscatter?

> A search of PrivacyOptions and noexpn, novrfy will validate that
> this isn't just Microsoft's position.

noexpn and novrfy disable the EXPN and VRFY SMTP commands respectively.
They do not disable Sendmail's internal checking of the validity of
a RCPT To: address.

> So while I agree with your position on #B about email, from a
> security perspective, I can be swayed that knowingly acknowledging if
> an email is valid isn't necessarily a good thing.  I choose to do it
> but only after vetting the pros and cons.

IMO, there are no cons whatsoever to validating RCPT To: commands and huge
cons if you *don't* do it.

In fact, on our hosted service, we refuse to host domains that don't have some
way to validate RCPT To: addresses.

Regards,

David.
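The RCPT-time validation the message argues for, as an added example that is not part of the original post and not code from David or from the MIMEDefang project: a MIMEDefang filter_recipient callback that checks each RCPT To: address against a local mailbox list and rejects unknown ones with a 5xx during the SMTP session, so no DSN (and no backscatter) is ever generated for them. The recipient list and the domain example.com are constructed for illustration; filter_recipient itself is MIMEDefang's real callback, which is only invoked when mimedefang is started with -r. The optional SMTP code and enhanced status code in the REJECT return are supported by current MIMEDefang releases; older releases take only the two-element form.

```perl
# Added example, not from the post or the MIMEDefang distribution.
# A filter_recipient callback that validates RCPT To: addresses against
# a constructed local list and rejects unknown ones at SMTP time.
# Requires mimedefang to be started with -r so that filter_recipient is
# called for each RCPT command.

use strict;
use warnings;

# Constructed sample of valid local mailboxes (assumption: one domain,
# example.com).  A real deployment would load this from a file or LDAP.
my %valid_recipient = map { $_ => 1 } qw(
    postmaster@example.com
    dfs@example.com
    kmcgrail@example.com
);

# Normalize the raw SMTP argument: strip the angle brackets MIMEDefang
# passes through, drop a trailing dot on the domain, and lowercase.
sub canonical_address {
    my ($addr) = @_;
    $addr =~ s/^<//;
    $addr =~ s/>$//;
    $addr =~ s/\.$//;
    return lc $addr;
}

sub local_address_is_valid {
    my ($addr) = @_;
    return exists $valid_recipient{ canonical_address($addr) } ? 1 : 0;
}

# Called once per RCPT To: when mimedefang runs with -r.  Returning
# 'REJECT' makes sendmail answer the RCPT command with a 5xx, so the
# sending MTA learns in-session that the address is bad and we never
# accept a message we would later have to bounce.
sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;

    my $addr = canonical_address($recipient);

    # Only our own domain is validated here; relaying decisions for
    # other domains are left to sendmail's access map.
    return ('CONTINUE', 'ok') unless $addr =~ /\@example\.com$/;

    return ('CONTINUE', 'ok') if local_address_is_valid($addr);

    # 550 5.1.1 is the standard "no such user" reply.  The code and
    # enhanced status arguments are assumed to be supported (current
    # MIMEDefang); older releases accept only ('REJECT', $message).
    return ('REJECT', "No such user: $addr", 550, '5.1.1');
}
```

Note that this is independent of the noexpn/novrfy privacy flags: VRFY and EXPN can stay disabled, and the sender still gets an accurate answer at RCPT time rather than an accepted message followed by a bounce.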