Am 17.02.2012 00:07, schrieb Tom Hendrikx: > On 16-02-12 23:52, Dipl.-Ing. Juergen Ladstaetter wrote: >> Thank you both very much. That input was very good and I might rethink the >> strategy we're aiming at. Probably active DNS checks and periodic re-checks >> are better to ensure some security. Thanks guys >> > > Checking DNS at input time would still suffice. > > You simply require that domains entered have their MXen pointing to a > predefined set of hosts (your cluster). They might change their own MX > records later on (which will only harm the customer), but ibm.com will > never point to your MXen to your cluster, so no customer can ever enter it. > > As long as you don't allow changing the domain itself without a > re-check, no customer will ever be able to configure a domain that has > MX records not controlled by that same customer. > > Shops that do hosted exchange etc (google, outlook.com) ask you to > (temporarily) add some unique key/identifier to your DNS zone on order > to prove that you actually own the zone (and the MX records). Same > principle, but a bit more work for the customer.
that is what i said from the first moment on
it must not go to postfix
it has verified an rejected at input time and user-input
MUST NEVER be proceeded without verify in any from or
the app is broken by design
simple function in PHP written in 30 seconds
function verify_mail_domain($Adress)
{
$split = explode('@', $Adress);
$mx_failed = 0;
if(!getmxrr($split[1], $mxhosts))
{
usleep(500000);
if(!getmxrr($split[1], $mxhosts))
{
$mx_failed = 1;
}
}
if($mx_failed)
{
$host_ip = gethostbyname($split[1]);
if(empty($host_ip) || $host_ip == $split[1])
{
usleep(500000);
$host_ip = gethostbyname($split[1]);
if(empty($host_ip) || $host_ip == $split[1])
{
return false;
}
}
}
return true;
}
signature.asc
Description: OpenPGP digital signature
