[Mimedefang] md_check_against_smtp_server and md_graphdefang_log

ts at phoenixsoftware.de ts at phoenixsoftware.de
Tue Mar 26 17:02:23 EDT 2013


On Tue, 26.03.2013, 19:33, kd6lvw at yahoo.com wrote:
> On Tue, 3/26/13, Tilman Schmidt <t.schmidt at phoenixsoftware.de> wrote:
>> On 26.03.2013 at 04:35, kd6lvw at yahoo.com wrote:
>> >  If it were to be limited to servers under one's
>> control and enforced as such, the routine would have to
>> obtain the recipient's MX-RRset internally and test all
>> higher priority MTAs; thus it would not need the remote host
>> address parameter.  It would determine which host in
>> the MX-RRset it is running on based on the macro variables
>> passed in via the milter interface.
>>
>> That would exclude a lot of useful and legitimate
>> applications. Hint: Not every mail server has an MX RR
>> pointing to it.
>
> 1)  I don't consider sender callbacks useful.

Nor do I. That's not what I was talking about.

> 2)  If this is to be used by secondary MXs to test the primary, there will
> be MX records present in the DNS for that domain/hostname label.

Neither is this.

> 3)  Forwarding services shouldn't be randomly probing the ultimate
> destinations.

I agree. Such things should be done systematically, not randomly. :-)

Alright, I'll spell it out for you. Here's the scenario:

- You have a so-called groupware server on your internal network, let's
say Microsoft Exchange or Lotus Notes.

- Quite sensibly you do not want to expose the SMTP port of that server
directly to the Internet.

- So you put a *nix relay server in your DMZ which accepts mail from the
outside and forwards it to your groupware server.

- The internal server does not appear in the public DNS at all.

- The relay server has a mailertable entry pointing to the groupware server.

- The relay server runs MIMEdefang to do all sorts of checks on incoming
mail before accepting responsibility for forwarding it.

- One of these checks should be whether the recipient address actually
exists.

- The easiest and most reliable way for that is to ask the groupware server.

- The easiest way for that is SMTP call-ahead aka
md_check_against_smtp_server.

Now I'm sure you'll find a nit to pick with that approach, but to me it's
quite sensible and time proven, and it would not work if
md_check_against_smtp_server insisted on checking only against servers
with published MX RRs.
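The call-ahead exchange behind the scenario above, as an added example that is not part of the original post and not MIMEDefang's own code. It models what an SMTP call-ahead from the DMZ relay to the internal groupware server looks like on the wire: the probe client sends HELO / MAIL FROM / RCPT TO, maps the RCPT reply onto the CONTINUE / REJECT / TEMPFAIL verdicts a filter_recipient hook would hand back, and is pointed at whatever host the caller names (the mailertable destination), with no MX lookup at all. The fake groupware server, its recipient list and all host names are constructed for the example; `smtp_call_ahead` is a hypothetical stand-in for `md_check_against_smtp_server`, not that function.

```python
import socket
import socketserver
import threading

# Constructed recipient directory standing in for the internal groupware server.
KNOWN_RECIPIENTS = {"alice@example.org", "bob@example.org"}


class FakeGroupwareHandler(socketserver.StreamRequestHandler):
    """Minimal SMTP responder: just enough of RFC 5321 to answer a call-ahead probe."""

    def handle(self):
        self.wfile.write(b"220 groupware.internal ESMTP\r\n")
        while True:
            line = self.rfile.readline()
            if not line:
                return
            cmd = line.decode("ascii", "replace").strip()
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                self.wfile.write(b"250 groupware.internal\r\n")
            elif verb == "MAIL":
                self.wfile.write(b"250 2.1.0 OK\r\n")
            elif verb == "RCPT":
                # RCPT TO:<user@domain>  ->  user@domain
                addr = cmd.split(":", 1)[1].strip().strip("<>").lower()
                if addr in KNOWN_RECIPIENTS:
                    self.wfile.write(b"250 2.1.5 OK\r\n")
                else:
                    self.wfile.write(b"550 5.1.1 User unknown\r\n")
            elif verb == "RSET":
                self.wfile.write(b"250 2.0.0 OK\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 2.0.0 Bye\r\n")
                return
            else:
                self.wfile.write(b"502 5.5.2 Command not implemented\r\n")


def start_fake_groupware():
    """Start the fake internal server on a random loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeGroupwareHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def _read_reply(f):
    """Read one (possibly multi-line) SMTP reply and return its 3-digit code."""
    while True:
        line = f.readline()
        if not line:
            raise ConnectionError("peer closed connection")
        if len(line) >= 4 and line[3:4] != b"-":   # last line of the reply
            return int(line[:3])


def smtp_call_ahead(sender, recipient, helo, server, port, timeout=10):
    """Ask `server` whether it would accept RCPT TO:<recipient>.

    Hypothetical stand-in for md_check_against_smtp_server. Returns
    ('CONTINUE', msg), ('REJECT', msg) or ('TEMPFAIL', msg). The target host is
    whatever the caller names (e.g. the mailertable destination); no MX lookup
    is performed. Any network failure or non-2xx envelope setup is a TEMPFAIL,
    so a sick internal server never turns into a permanent bounce.
    """
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            f = s.makefile("rb")

            def cmd(text):
                s.sendall(text.encode("ascii") + b"\r\n")
                return _read_reply(f)

            if _read_reply(f) // 100 != 2:
                return ("TEMPFAIL", "no greeting from call-ahead server")
            if cmd("HELO " + helo) // 100 != 2:
                return ("TEMPFAIL", "HELO refused by call-ahead server")
            if cmd("MAIL FROM:<%s>" % sender) // 100 != 2:
                return ("TEMPFAIL", "MAIL FROM refused by call-ahead server")
            code = cmd("RCPT TO:<%s>" % recipient)
            cmd("RSET")   # never send DATA: this is a probe, not a delivery
            cmd("QUIT")
    except (OSError, ValueError) as e:
        return ("TEMPFAIL", "call-ahead failed: %s" % e)
    if code // 100 == 2:
        return ("CONTINUE", "ok")
    if code // 100 == 5:
        return ("REJECT", "Recipient rejected by internal server (%d)" % code)
    return ("TEMPFAIL", "Internal server temporarily unavailable (%d)" % code)


if __name__ == "__main__":
    srv, port = start_fake_groupware()
    for rcpt in ("alice@example.org", "nobody@example.org"):
        print(rcpt, smtp_call_ahead("sender@remote.example", rcpt,
                                    "relay.example.org", "127.0.0.1", port))
    srv.shutdown()
    srv.server_close()
```

The one design choice worth noting is the 4xx/connection-failure path: the relay answers the outside world with a temporary failure rather than a reject, so a rebooting groupware server costs a retry instead of a bounced message, which is the behaviour you want from a DMZ relay that has not yet accepted responsibility for the mail.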
