David B Funk wrote:
I guess I didn't make my question clear enough;
How do you deal with mail from legit servers that are blocked by this
configuration?
(i.e. servers that for whatever reason will ONLY try the first MX, thus
failing to get past your fake MX.)
Well, RFC mandates that they try at least 2 MXs. If they fail to try 2,
they can fail to try 1. Imagine you have a backup MX, and the primary is
down for 6 days...
Please note that I am not suggesting that the use of fake MXes is good.
I ask this because a few years ago I had a mail setup that produced
something functionally equivalent (first MX had an ipfilter that returned
a tcp-reset for a large IP block to force them to fall back to my
secondary MXs to reduce load on the first).
Some of our users complained about missing messages from a local city
government office. Turns out that their server (which was OK) was routing
through an 'intelligent' firewall and the brain-damaged firewall was only
letting the mail send out to the first MX of the destination address.
The mail server people had a legit configuration, it was the hardware
deployed by their network people which was the cause of the problem
and they were not willing to turn off their firewall. Their attitude
was "it works for everybody else, so your system must be broken".
If you are forced to accept their mail, whitelist them. If you don't,
they may get trapped somewhere else and you'll have similar issues.
Maybe -you- can tell your customers "Tough, I won't let you get mail from
senders with broken configurations" but when one of our departmental
execs calls and says "I'm not getting mail from government office Y"
my saying "Tough" is -not- an option. ;(
If you can show the cost of modifying your config to accept mail from
the gov office, and your mgmt finds this ok, then there is no problem.
Don't fight against your users/employers/...
I could (in my massive amounts of spare time) keep poking more holes
in the filter to pass messages from brain-damaged systems, but just
finding them in the first place is a headache.
I always asked users before imposing any check. I generally explain the
consequences of the check (probability of blocking legitimate mail, ...
etc). If they want the "spam lovers" policy, they get it. If "hit the
delete button" is ok for them, I see no problem. I've then got many
people sick of spam asking to get moved to a stronger policy...