On Mon, Oct 04, 2021 at 02:35:28PM +0200, Kristian wrote:

> $ dig +short mx traffordplazauk.com
> 10 64.27.25.41.
>
> I guess my first question is, what is considered the proper behaviour
> for mail from such domains?

There is no specification that tells you what to do with mail from
unroutable sender addresses, and furthermore, whether this address is or
is not unroutable rather depends on how forgiving the sender MTA is
willing to be. For example, Postfix accepts such hostnames with a
warning:

    $ posttls-finger 'lacksoft.se'
    posttls-finger: warning: numeric domain name in resource data of MX record for lacksoft.se: 195.162.24.110
    posttls-finger: Connected to 195.162.24.110[195.162.24.110]:25
    posttls-finger: < 220 adamlesiak.kylos.net.pl ESMTP Postfix

as a probe via 'sendmail -bv' also confirms:

    <postmas...@lacksoft.se>: delivery via 195.162.24.110[195.162.24.110]:25:
        host 195.162.24.110[195.162.24.110] said: 550 5.1.1
        <postmas...@lacksoft.se>: Recipient address rejected: User unknown
        in virtual mailbox table (in reply to RCPT TO command)

The IP addresses for the domain are:

    lacksoft.se. IN A 194.9.94.86 ; NoError AD=1
    lacksoft.se. IN A 194.9.94.85 ; NoError AD=1

so the connection was definitely to the MX "host".

> Should it be rejected or accepted?

Your network, your rules... :-(

> In either case, I would want my MX and backend server to agree.

Well, some of the backend domains might want to accept email from such
senders, and some might want to reject it. What then?

The best solution is to ask the operator of the backend Exim server to
whitelist your relay:

  * If you don't filter abuse to their satisfaction, they should find
    another relay.

  * If they're unwilling to abide by your filtering policy, you should
    find another customer.

> I'm leaning towards rejecting it, which leads to my second question. I
> haven't been able to find any way to tell postfix to reject it.

Generically rejecting address-string-valued MX records is not something
you can do with built-in Postfix facilities. You'd need a policy service
to do that MX lookup and accept or reject the envelope sender domain,
but I don't recommend this.
Instead just accept the mail, and either tolerate the bounces, convince
the Exim operator to not reject traffic from the backup MX, or ask them
to find a different backup MX.

> * postscreen - doesn't look like there is any way of doing such a check
>   here.
> * reject_unknown_sender_domain doesn't actually perform any dns lookups,
>   and it seems to consider .41 a valid TLD.

No, it considers the address a tolerated deviation from the spec. In my
dataset of 31,559,743 DNSSEC-signed MX records there are 3,952 with an
IPv4 address in the exchange field instead of a hostname. Which is only
one in 10,000 MX records, but it is perhaps not representative,
consisting just of DNSSEC-signed domains.

You have to look through your logs, run DNS queries for all the distinct
sender domains taken from a sufficiently long date range, and decide
whether rejecting domains with IPv4-valued MX hostnames is a feature or
a bug.

> What's the right way to deal with this?

Do nothing, or convince the customer to not filter your traffic.

-- 
    Viktor.
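
The log survey suggested in the reply above, as an added example that is not part of the original message: it extracts the distinct envelope sender domains from Postfix qmgr log lines and flags those whose MX exchange field is an IPv4 address string. The log lines, the example.org entry and all function names are constructed for illustration; `dig_mx` assumes `dig` is installed and is replaced by canned answers in the sample run.

```python
import ipaddress
import re
import subprocess

# Envelope sender as logged by Postfix qmgr: "from=<user@domain>"
FROM_RE = re.compile(r"\bfrom=<[^<>@\s]+@([^<>\s]+)>")

def sender_domains(log_lines):
    """Distinct, lower-cased envelope sender domains found in the log lines."""
    return sorted({m.group(1).lower().rstrip(".")
                   for line in log_lines for m in FROM_RE.finditer(line)})

def ipv4_exchanges(mx_answers):
    """Exchange fields that are IPv4 address strings, from 'dig +short mx' lines."""
    bad = []
    for answer in mx_answers:
        parts = answer.split()
        if len(parts) != 2:
            continue  # not "<preference> <exchange>"
        exchange = parts[1].rstrip(".")
        try:
            ipaddress.IPv4Address(exchange)
        except ValueError:
            continue  # an ordinary hostname
        bad.append(exchange)
    return bad

def dig_mx(domain):
    """Live lookup with the query used in the thread (needs dig and network)."""
    cmd = ["dig", "+short", "mx", domain]
    return subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout.splitlines()

def audit(log_lines, lookup=dig_mx):
    """Map each sender domain with an IPv4-valued MX to the offending exchanges."""
    found = {d: ipv4_exchanges(lookup(d)) for d in sender_domains(log_lines)}
    return {d: bad for d, bad in found.items() if bad}

# Constructed sample data: log lines and canned MX answers so this runs offline.
SAMPLE_LOG = [
    "Oct  4 14:01:02 mx1 postfix/qmgr[811]: 4HNxyz: from=<info@traffordplazauk.com>, size=2048, nrcpt=1 (queue active)",
    "Oct  4 14:03:40 mx1 postfix/qmgr[811]: 4HNabc: from=<alice@example.org>, size=901, nrcpt=1 (queue active)",
    "Oct  4 14:05:11 mx1 postfix/qmgr[811]: 4HNdef: from=<>, size=3100, nrcpt=1 (queue active)",
]
SAMPLE_MX = {"traffordplazauk.com": ["10 64.27.25.41."], "example.org": ["10 mail.example.org."]}

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, lookup=lambda d: SAMPLE_MX.get(d, [])))
```

Calling `audit(lines)` without the `lookup` argument runs live `dig +short mx` queries for each distinct sender domain.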