[milters] Archive


Article: 532
From: Anthony Howe
Date: 2005-05-02 04:08:13 -0400
Subject: Re: new feature request


Taylor, Grant wrote:
>> Our server (LOCALMX) is mx for our own dialup clients and a few
>> other networks. Dialup clients are whitelisted in access.db because
>> they are local. Let's say a dialup client (MISTERX) sends an email
>> through our server to a server outside our network (EXTERNMX). This
>> EXTERNMX has a mailfilter like milter-sender installed. EXTERNMX's
>> milter-sender will now try to connect to LOCALMX in order to check
>> if MISTERX exists on LOCALMX. However LOCALMX rejects the recipient
>> address saying "Greylisting activated". Which causes EXTERNMX's
>> milter-sender to give an error, and mail is stalled in the
>> send-queue.
> 
> 
> When "...EXTERNMX's milter-sender will now try to connect to LOCALMX
> in order to check if MISTERX exists on LOCALMX..." what email address
> is EXTERNMX using in the "MAIL FROM:" command?  As I understand it
> milter-sender uses the null return path email address of "<>" which
> is to be accepted by ALL MXs to be RFC compliant.  I don't know if

Correct.

> milter-gris is possibly handling this improperly, if the server that
> is doing the call back (EXTERNMX) to LOCALMX is attempting to send
> with an email address other than null reverse path, or if something
> else is messing with things.  I'd say that it's time to either turn
> up logging or start a traffic dump to look at the SMTP conversation.

In milter-gris, treating the null address <> specially was not 
warranted. Some spammers use MAIL FROM:<> to send spam or for address 
harvesting. milter-gris grey lists everything, especially if you use MAIL 
as part of the grey list key. Grey listing the null address is not 
wrong, since real DSN messages will be queued and arrive a little later 
instead of sooner. However it will affect call-back schemes like 
milter-sender and cause some delays, which are also not wrong, just less 
efficient.

Based on this I've just added a new option, -n, to not grey list the 
null address.

However, auto white listing just the RCPT as a future sender of a reply 
would certainly be a worthwhile enhancement, but in the case of 
call-backs it's problematic. You would have to auto white list the IPs of 
all the MXes of each RCPT domain in the off chance that they perform a 
call-back.

Now consider the following example:

	MAIL FROM:<localuser@localmx.com>
	RCPT TO:<user@aol.com>

Assume that AOL used call-backs (will never happen as a call-back 
probably doesn't scale to AOL's size). They use 4 MX entries and 
multihome each MX. See dig output below. That's at least another DNS 
lookup and 18 machines to white list just for one RCPT. If your 
localuser sends to several people at once (consider an MLM), then you're 
doing a lot of extra work to white list the remote MX.

White listing MX machines by domain name doesn't work either, because 
too many machines do not correctly specify a reverse DNS entry, so you 
need to work with the IP address.

What you really want to do here, is white list the null address from SPF 
machines. BUT lots of spammers use SPF records, so this would be no 
better than the new -n option.

root@mx# dig aol.com mx

; <<>> DiG 9.2.3 <<>> aol.com mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3889
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 18

;; QUESTION SECTION:
;aol.com.                       IN      MX

;; ANSWER SECTION:
aol.com.                3600    IN      MX      15 mailin-03.mx.aol.com.
aol.com.                3600    IN      MX      15 mailin-04.mx.aol.com.
aol.com.                3600    IN      MX      15 mailin-01.mx.aol.com.
aol.com.                3600    IN      MX      15 mailin-02.mx.aol.com.

;; AUTHORITY SECTION:
aol.com.                3600    IN      NS      dns-01.ns.aol.com.
aol.com.                3600    IN      NS      dns-02.ns.aol.com.
aol.com.                3600    IN      NS      dns-06.ns.aol.com.
aol.com.                3600    IN      NS      dns-07.ns.aol.com.

;; ADDITIONAL SECTION:
mailin-01.mx.aol.com.   300     IN      A       205.188.159.57
mailin-01.mx.aol.com.   300     IN      A       64.12.137.89
mailin-01.mx.aol.com.   300     IN      A       64.12.138.57
mailin-01.mx.aol.com.   300     IN      A       205.188.155.89
mailin-01.mx.aol.com.   300     IN      A       205.188.156.185
mailin-02.mx.aol.com.   300     IN      A       64.12.138.89
mailin-02.mx.aol.com.   300     IN      A       205.188.156.249
mailin-02.mx.aol.com.   300     IN      A       205.188.159.217
mailin-02.mx.aol.com.   300     IN      A       64.12.137.121
mailin-03.mx.aol.com.   300     IN      A       64.12.138.120
mailin-03.mx.aol.com.   300     IN      A       205.188.158.121
mailin-03.mx.aol.com.   300     IN      A       64.12.137.152
mailin-03.mx.aol.com.   300     IN      A       64.12.137.249
mailin-04.mx.aol.com.   300     IN      A       64.12.138.185
mailin-04.mx.aol.com.   300     IN      A       205.188.157.25
mailin-04.mx.aol.com.   300     IN      A       64.12.137.184
mailin-04.mx.aol.com.   300     IN      A       64.12.138.152
dns-01.ns.aol.com.      3600    IN      A       152.163.159.232

;; Query time: 112 msec
;; SERVER: 193.41.72.72#53(193.41.72.72)
;; WHEN: Mon May  2 09:52:18 2005
;; MSG SIZE  rcvd: 507




-- 
Anthony C Howe                                 +33 6 11 89 73 78
http://www.snert.com/       ICQ: 7116561         AIM: Sir Wumpus

"held in my arms / his sun washed face / eyes closed" - Anthony

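Added example, not part of the original message and not milter-gris code: a small Python model of the call-back case discussed above, showing a null-sender probe being grey listed by default and accepted once a null-sender exemption (modelling the -n option) is enabled. The class and field names, the 451/250 reply codes, the 300 second delay and the sample addresses are assumptions made for the illustration.

```python
# Toy model of a grey list with an optional null-sender exemption.
# Not milter-gris code: names, reply codes and the 300 s delay are assumptions.
from dataclasses import dataclass, field

ACCEPT, TEMPFAIL = "250 accepted", "451 Greylisting activated"

@dataclass
class Greylist:
    delay: int = 300                 # assumed seconds a new tuple must wait
    skip_null_sender: bool = False   # models the -n option described above
    use_mail_in_key: bool = True     # MAIL FROM is part of the grey list key
    first_seen: dict = field(default_factory=dict)

    def check(self, client_ip: str, mail_from: str, rcpt_to: str, now: int) -> str:
        sender = mail_from.strip().strip("<>").lower()
        if self.skip_null_sender and sender == "":
            return ACCEPT            # MAIL FROM:<> bypasses the grey list
        key = (client_ip, sender if self.use_mail_in_key else None, rcpt_to.lower())
        seen = self.first_seen.setdefault(key, now)
        return ACCEPT if now - seen >= self.delay else TEMPFAIL


def callback_probe(greylist: Greylist, now: int) -> str:
    """EXTERNMX verifying MISTERX by call-back: null sender, RCPT is the original sender."""
    # Constructed sample values (documentation address range, example domain).
    return greylist.check("192.0.2.25", "<>", "misterx@localmx.example", now)


def demo() -> dict:
    plain, with_n = Greylist(), Greylist(skip_null_sender=True)
    return {
        "default_first": callback_probe(plain, now=0),
        "default_retry_early": callback_probe(plain, now=60),
        "default_retry_late": callback_probe(plain, now=300),
        "n_first": callback_probe(with_n, now=0),
        # Trade-off: with the exemption, any host using MAIL FROM:<> is accepted at once.
        "n_unknown_host": with_n.check("198.51.100.7", "<>", "anyone@localmx.example", 0),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

The last entry shows why the exemption is a trade-off rather than a fix: the grey list cannot tell a call-back probe from any other connection that uses the null sender.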