Kai Schaetzl wrote:
Duane Hill wrote on Sat, 25 Aug 2007 22:29:50 +0000 (UTC):

What happens if the remote MX is within a private IP range? Should I accept that message, knowing fully, the recipient would never be able to respond?

This feature looks fine on first glance, but on second I think this is dangerous if it gets applied to all MX positions. For instance the two MX setup where one machine is behind a firewall and a gateway machine is first MX and forwards to the machine behind the firewall. This is an accepted setup. Couldn't I achieve the same thing without a firewall? The first MX gets another IP from a private range and the second is on private only. So, it's not reachable from outside, but the first MX can forward to it.

- There is no need for MX in local networks. Most MTAs support explicit transport/routing configurations.
- you can still use multiple DNS servers (or views)
- you can exclude your own domains from whatever check you want

Allowing an outsider to access one of your private boxes he was not supposed to access is generally considered a hole. Consider this:

- one of your users is running an smtp server on his box, IP=10.1.2.3
- an outsider buys a domain, and sets his MX to 10.1.2.3
- he sends you mail using that domain in the sender address
- for some reason, the mail gets a reply (real reply by luser, out of quota/disk, system error, vacation, MUA confirmation ... whatever). Your MTA will send the reply to 10.1.2.3

So the outsider has managed to reach the smtp server on 10.1.2.3. That smtp server may be an unprotected/unpatched/misconfigured exchange/whatever, a trojan, ...

Yes, you can track all internal smtp servers, all MUAs that send confirmations/..., all auto-responders, ... all trojans, ... but why would you accept mail from an unknown domain claiming to have an MX that is unreachable from the public network?


More generally, except under known circumstances, there is no reason to accept mail with a sender address that is unreachable. If they don't wanna be reached, they should use the empty address (<>).

Here is a domain used as sender in a recent spam:

$ host -t mx yheweathernetwork.com
yheweathernetwork.com mail is handled by 0 *.mx.*.


"backup MXs (that don't exist)" doesn't mean a private range. You simply set it to an IP that doesn't have SMTP or one that points to nirvana, but still a valid public IP address.

This is not what I call a "bogus MX". But this may still be detected after some time (well, it will be detected that you have an MX that did not work over a long period of time). Not sure whether spammers will list these and avoid them.

You may want to randomly "ignore" clients (send a TCP RST to be nice to legitimate MTAs). But if you use a real MTA, you should also "whitelist" known good clients.


I don't use that technique and don't think I will need to use it in the near future, but I can't see anything bad in it, sorry. As John says only spammers or broken MTAs should have a problem with that. I also agree on SAV with John, it's almost as bad as challenge-response mechanisms.

Kai
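
The sender-MX check discussed in this thread, sketched as an added example (not code from any poster or from an MTA): it accepts the null sender, exempts your own domains, and rejects a sender domain when any MX name is malformed, does not resolve, or points at an address that is unreachable from the public network, since the MTA would try that host when replying. The function names, `LOCAL_DOMAINS`, and the two dicts standing in for DNS lookups are assumptions.

```python
import ipaddress
import re

# Assumption: site-specific list of your own domains, exempt from the check.
LOCAL_DOMAINS = {"corp.example"}
# Ranges that cannot be reached from the public network.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def valid_hostname(name):
    """True for a syntactically valid host name; '*.mx.*.' is not one."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)

def is_public(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in NON_PUBLIC)

def check_sender(sender, mx_records, host_addrs):
    """Return (accept, reason). The two dicts stand in for DNS MX and A/AAAA lookups."""
    if sender == "":                       # null sender <>: no reply will ever be sent
        return True, "null sender"
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in LOCAL_DOMAINS:
        return True, "own domain, exempt"
    hosts = mx_records.get(domain) or [domain]   # no MX: the domain itself is the target
    for host in hosts:
        if not valid_hostname(host):
            return False, "bogus MX name " + host
        addrs = host_addrs.get(host.rstrip(".").lower(), [])
        if not addrs:
            return False, "MX " + host + " does not resolve"
        for addr in addrs:
            if not is_public(addr):
                return False, "MX " + host + " points at non-public " + addr
    return True, "all MX targets public"

# Constructed sample data (not real DNS answers), using documentation addresses.
MX = {"outsider.example": ["mail.outsider.example."],
      "partner.example": ["mx1.partner.example."],
      "yheweathernetwork.com": ["*.mx.*."],
      "corp.example": ["inside.corp.example."]}
ADDRS = {"mail.outsider.example": ["10.1.2.3"],
         "mx1.partner.example": ["192.0.2.25"],
         "inside.corp.example": ["10.0.0.5"]}
```

Rejecting on any non-public MX is the strict reading of the scenario above; a site that relies on a private second MX for its own domains would list them in `LOCAL_DOMAINS`.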

