On May 11, 2005, at 8:38 AM, J.C. Roberts wrote:

On Wed, 11 May 2005 02:23:43 -0400, Bruno Delbono
<[EMAIL PROTECTED]> wrote:

Smith wrote:
alerts. If sendmail has a security alert and OpenBSD is vulnerable,
OpenBSD will let me know pretty quickly. I don't need to keep track of
sendmail alerts, just OpenBSD's.

PS - Maybe someone can teach you mail 101. It's never a good idea to have a CNAME be the MX.

confuciun.com.          497     IN      MX      10 mail.confuciun.com.
mail.confuciun.com.     600     IN      CNAME   confuciun.com.


Though the answer is supposedly in "mail 101" or maybe DNS 101, I've
been unable to find a decent reason for your statement? I hope you don't
mind the dumb question of "why?"

Historically, looping mail, if I recall correctly.

From RFC 2821

5. Address Resolution and Mail Handling

   Once an SMTP client lexically identifies a domain to which mail will
   be delivered for processing (as described in sections 3.6 and 3.7), a
   DNS lookup MUST be performed to resolve the domain name [22].  The
   names are expected to be fully-qualified domain names (FQDNs):
   mechanisms for inferring FQDNs from partial names or local aliases
   are outside of this specification and, due to a history of problems,
   are generally discouraged.  The lookup first attempts to locate an MX
   record associated with the name.  If a CNAME record is found instead,
   the resulting name is processed as if it were the initial name.  If
   no MX records are found, but an A RR is found, the A RR is treated as
   if it was associated with an implicit MX RR, with a preference of 0,
   pointing to that host.  If one or more MX RRs are found for a given
   name, SMTP systems MUST NOT utilize any A RRs associated with that
   name unless they are located using the MX RRs; the "implicit MX" rule
   above applies only if there are no MX records present.  If MX records
   are present, but none of them are usable, this situation MUST be
   reported as an error.

or from RFC1123

5.2.2  Canonicalization: RFC-821 Section 3.1

         The domain names that a Sender-SMTP sends in MAIL and RCPT
         commands MUST have been  "canonicalized," i.e., they must be
         fully-qualified principal names or domain literals, not
         nicknames or domain abbreviations.  A canonicalized name either
         identifies a host directly or is an MX name; it cannot be a
         CNAME.



Granted RFC2821 updates 1123, but given all of the legacy MTAs in use, if you care about your mail and your users, then you will not use CNAMEs in MX records, at least IMHO.


-Chad
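The lookup procedure quoted from RFC 2821 section 5, together with the CNAME-as-MX configuration shown earlier in the thread, as an added example that is not part of the original thread: an in-memory resolver that follows the RFC's MX/CNAME/implicit-MX rules over a constructed zone (the confuciun.com records are those from the thread; the example.org and example.net records are made up), plus a lint that reports MX targets which are CNAMEs rather than canonical hostnames.

```python
# Added example, not from the original thread. Constructed zone:
# name -> list of (rrtype, rdata); MX rdata is (preference, host).
ZONE = {
    "confuciun.com.":      [("MX", (10, "mail.confuciun.com.")), ("A", "192.0.2.25")],
    "mail.confuciun.com.": [("CNAME", "confuciun.com.")],   # the MX target is a CNAME
    "example.org.":        [("A", "192.0.2.80")],            # no MX at all: implicit MX
    "example.net.":        [("MX", (10, "mx.example.net."))],
    "mx.example.net.":     [("A", "192.0.2.26")],            # canonical MX target
}

def records(name, rrtype):
    """All rdata of one type for a name in the constructed zone."""
    return [rdata for t, rdata in ZONE.get(name, []) if t == rrtype]

def resolve_mail_hosts(domain, max_cnames=8):
    """Ordered (preference, host) list an SMTP client should try for domain.
    RFC 2821 s5: look for MX first; a CNAME restarts the lookup on its target
    'as if it were the initial name'; no MX but an A RR gives an implicit MX
    with preference 0; nothing usable is an error."""
    name = domain
    for _ in range(max_cnames):
        mx = records(name, "MX")
        if mx:
            return sorted(mx)              # lowest preference first
        cname = records(name, "CNAME")
        if cname:
            name = cname[0]
            continue
        if records(name, "A"):
            return [(0, name)]             # implicit MX, preference 0
        raise LookupError(f"no MX, CNAME or A RR for {name}")
    raise LookupError(f"CNAME chain too long starting at {domain}")

def address_of(host, max_cnames=8):
    """Resolve an MX target to an address, following CNAMEs. A modern resolver
    still delivers here, which is why the misconfiguration goes unnoticed."""
    for _ in range(max_cnames):
        a = records(host, "A")
        if a:
            return a[0]
        cname = records(host, "CNAME")
        if not cname:
            return None                    # MX present but not usable
        host = cname[0]
    return None

def mx_targets_that_are_cnames(domain):
    """Lint: MX targets that are CNAMEs, which RFC 1123 5.2.2 forbids and
    which legacy MTAs have historically handled badly (the thread's point)."""
    return [host for _, host in records(domain, "MX") if records(host, "CNAME")]
```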


