[Mimedefang] md_check_against_smtp_server and md_graphdefang_log
t.schmidt at phoenixsoftware.de
Tue Mar 26 17:17:40 EDT 2013
On Tue, 26.03.2013, 19:33, kd6lvw at yahoo.com wrote:
> On Tue, 3/26/13, Tilman Schmidt <t.schmidt at phoenixsoftware.de> wrote:
>> On 26.03.2013 at 04:35, kd6lvw at yahoo.com wrote:
>>> If it were to be limited to servers under one's
>>> control and enforced as such, the routine would have to
>>> obtain the recipient's MX-RRset internally and test all
>>> higher priority MTAs; thus it would not need the remote host
>>> address parameter. It would determine which host in
>>> the MX-RRset it is running on based on the macro variables
>>> passed in via the milter interface.
>> That would exclude a lot of useful and legitimate
>> applications. Hint: Not every mail server has an MX RR
>> pointing to it.
> 1) I don't consider sender callbacks useful.
Nor do I. That's not what I was talking about.
> 2) If this is to be used by secondary MXs to test the primary, there will
> be MX records present in the DNS for that domain/hostname label.
Neither is this.
> 3) Forwarding services shouldn't be randomly probing the ultimate
I agree. Such things should be done systematically, not randomly. :-)
Alright, I'll spell it out for you. Here's the scenario:
- You have a so-called groupware server on your internal network, let's
say Microsoft Exchange or Lotus Notes.
- Quite sensibly you do not want to expose the SMTP port of that server
directly to the Internet.
- So you put a *nix relay server in your DMZ which accepts mail from the
outside and forwards it to your groupware server.
- The internal server does not appear in the public DNS at all.
- The relay server has a mailertable entry pointing to the groupware server.
- The relay server runs MIMEdefang to do all sorts of checks on incoming
mail before accepting responsibility for forwarding it.
- One of these checks should be whether the recipient address actually
- The easiest and most reliable way for that is to ask the groupware server.
- The easiest way for that is SMTP call-ahead aka
Now I'm sure you'll find a nit to pick with that approach, but to me it's
quite sensible and time proven, and it would not work if
md_check_against_smtp_server insisted on checking only against servers
with published MX RRs.
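The DMZ relay scenario above, written out as a MIMEDefang filter_recipient hook. This is an added example, not code from the thread or from the MIMEDefang project. It assumes hypothetical values: the internal groupware server is reachable at 10.0.5.20 and handles the domain example.com, the relay announces itself as relay.example.com, and the relay's mailertable already routes that domain to the internal server (e.g. `example.com  smtp:[10.0.5.20]`). The filter calls ahead only for domains it actually relays inward, so recipients for other domains are untouched:

```perl
# Added example (not from the original thread or from MIMEDefang itself).
# Assumed, hypothetical values: internal server 10.0.5.20 handles example.com;
# the relay's mailertable already contains
#     example.com   smtp:[10.0.5.20]
use strict;
use warnings;

# Domains the relay forwards to the internal groupware server (constructed
# sample). Only these get a call-ahead; everything else passes through.
my %call_ahead_server = (
    'example.com' => '10.0.5.20',
);

# Name the relay uses in the EHLO/HELO it sends to the internal server
# (assumed value).
my $relay_helo = 'relay.example.com';

sub filter_recipient {
    my ($recipient, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;

    # Strip surrounding angle brackets and pick out the domain part.
    (my $addr = $recipient) =~ s/^<(.*)>$/$1/;
    my ($domain) = $addr =~ /\@([^@]+)$/;
    return ('CONTINUE', 'ok') unless defined $domain;
    $domain = lc $domain;

    # Not a domain we relay inward: nothing to ask, accept the recipient here.
    my $server = $call_ahead_server{$domain};
    return ('CONTINUE', 'ok') unless defined $server;

    # Ask the internal server whether it would accept this recipient.
    # md_check_against_smtp_server returns the same kind of list that
    # filter_recipient itself must return: ('CONTINUE', 'ok'),
    # ('REJECT', $msg) or ('TEMPFAIL', $msg). A TEMPFAIL (internal server
    # unreachable) is passed through as-is so the sender retries instead of
    # being rejected permanently.
    my @result = md_check_against_smtp_server($sender, $recipient,
                                              $relay_helo, $server);

    # Record the decision so call-ahead outcomes can be audited later.
    md_graphdefang_log('call_ahead', $result[0], $recipient);

    return @result;
}

1;
```

Two points worth keeping in mind when using this: the call-ahead result should be returned unchanged, so a temporary failure on the internal side becomes a 4xx to the outside sender rather than a 5xx, and the domain table should match the mailertable exactly, otherwise the relay either skips the check for domains it forwards or probes servers it never delivers to.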