On Mon, 27 Aug 2007, Marc Perkel wrote:

> David B Funk wrote:
> > On Mon, 27 Aug 2007, Marc Perkel wrote:
> >
> >> There aren't any false positives. That's what is so great about this trick.
> >>
> >
> > I guess I didn't make my question clear enough;
> > How do you deal with mail from legit servers that are blocked by this
> > configuration?
> > (IE servers that for whatever reason will ONLY try the first mx, thus
> > failing to get past your fake MX.)
[snip..]
> >
> > I could (in my massive amounts of spare time) keep poking more holes
> > in the filter to pass message from brain-damaged systems, but just
> > finding them in the first place is a headache.
> >
> >
> I've not run into a single instance where a legit server only tried the
> lowest MX. However, if I did there's a simple solution. If the fake
> lowest MX points to an IP on the same server as the working MX then you
> can use iptables to block port 25 on all IP addresses EXCEPT for the one
> broken server. That would fix the problem.

So in reality your "There aren't any false positives" is actually
"I've not run into a single instance"

So either you have not yet run into the kind of buzz-saw that I hit
or those that you've blocked have not been able to contact you. ;)
Lucky for you and maybe your customers.

Yes, as I said "I could keep poking more holes ..." -BUT- it was a
pain to figure out exactly what was going on and it is a time waster
(lots of finger-pointing, etc).

So much for your "all you need to do... and you're done" anti-spam
solution.

--
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{