On 6/14/2008, Jean-Pierre van Melis (jp@...) wrote:
> I don’t think it’s clear to you how I have setup ASSP in some
Actually, after reading your message, I think the confusion is because
you are using ASSP in a very, very BADLY designed configuration.
> When ASSP is used in the normal way there is no problem. ASSP is
> proxying for a domain which has all the domains and users.
> No problem there. Not even the need to have LDAP.
> The MTA refuses the mail from unknown domains and no NDR’s are sent
> (non-delivery reports)
You are confusing BACKSCATTER (Accept then Bounce) with legitimate NDRs
(which are generated by the ORIGINATING MTA when it gets the REJECT
Legitimate NDRs are A GOOD THING. You seem to think they are not.
The only thing ASSP does is accept or reject a message. It never, ever
generates an email by itself, whether legitimate NDR or Accept-then-bounce.
> I also have a setup with ASSP and Sendmail behind it.
> Although Sendmail knows all the domains it should be relaying for, it
> doesn’t know any users.
That's bad, and should NEVER be used in a production environment. If
there is no choice, then you must make absolutely certain that any
messages that ASSP accepts that later have delivery problems are NEVER
BOUNCED - that is the definition of backscatter.
> It has a mailertable and accepts all mail for all domain it’s
> relaying for and sends it to the appropriate mailserver.
Why don't you simply configure sendmail to use the VRFY command itself
and proxy the recipient validation, just like we are talking about doing
> Those mailservers only listens to Sendmail and are foreign. We want
> to give the admins of these mailservers instructions that are as simple as
> We could instruct them to grant VRFY commands. Not a problem because
> that MTA isn’t listening to the world anyhow.
All systems that are not configured to accept all incoming connections -
meaning, they are configured to only accept connections from one or a
limited number of IP addresses - should ALWAYS be configured to
REJECT_UNAUTH_DESTINATION BEFORE the limitation is applied, as a
PRECAUTION, in case you typo something - keeps you from becoming an open
> If ASSP gets a mail for a certain user on a certain domain it could
> check the enduser-MTA with a VRFY-command and if it gets an explicit
> fail from that MTA, it should not accept the mail. Now there’s no need
> to send an NDR, because the message is not accepted. More importantly….
> less backscatter.
NDRs are NOT BACKSCATTER. You are definitely confused.
> A VRFY from a foreign MTA should of course not be passed to the
> enduser-MTA as it would honour it with a legitimate answer.
If ASSP is the gatekeeper, then the enduser MTA should ONLY accept
connections from ASSP.
You are way overcomplicating this.
> For all this to work, ASSP needs to have the same info which I have in
> the mailertable (/etc/mail/mailertable)
> It would be nice if it’s the same syntax so a cronjob could keep
> those 2 files in sync.
That's what this whole thread is trying to avoid... using the VRFY
command solves this problem.
> There’s also another possibility….
> The Sendmail behind the proxy could be configured to accept “based on
Accepting mail without performing recipient validation is STUPID. Don't
> Some ISP’s block those ports even. If ASSP could use the same
> mechanism as sendmail is using and send a VRFY to mail.acme.com, it
> could refuse the mail at “the gate” and not let it get in between
> mail.provider.com and mail.acme.com
Any system that does NOT 'refuse the mail at the gate' for invalid
recipients should NEVER, EVER bounce a message later - that is the
definition of backscatter.
> The enduser doesn’t have to do a lot to implement it
> · Create a 2nd MX-record mail.provider.com
> · Block port 25 for the world except mail.provider.com (this can be done by the ISP)
> · Optionally honour VRFY-requests to prevent non-local mail from getting past ASSP
> You could have everything “configured in DNS”.
> When VRFY-requests aren’t honoured it should accept all the mail.
If it does, then it should NEVER BOUNCE a message later if it has
But NO normal production system should EVER be configured this way. If
the main server is down, the sending MTA will simply queue the message
and retry later.
> This setup is working great...
Maybe for you... but I prefer that if someone wants to send our CEO an
email accepting a multi-million dollar contract, but typos the address,
that they get an NDR letting them know that their message was not delivered.
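The distinction the reply keeps hammering on (refuse at RCPT TO after asking the backend with VRFY, versus accept everything and bounce later) can be modelled in a few lines. The following is an added example, not ASSP or sendmail code and not from anyone in this thread; the domains, mailboxes and envelopes are constructed, and the backend's VRFY replies are simulated rather than fetched over SMTP.

```python
"""Toy model of the two gateway behaviours argued over in this thread:
rejecting an unknown recipient at RCPT TO (after asking the backend with
VRFY) versus accepting everything and bouncing later (backscatter).
Added example; not ASSP or sendmail code. Domains and users are constructed."""
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed backend directory: the end-user MTA only knows these mailboxes.
BACKEND_USERS = {"acme.example": {"ceo", "sales"}}


def backend_vrfy(address: str) -> int:
    """Simulate the end-user MTA's reply to VRFY <address>.
    250 = known mailbox, 550 = explicit failure, 252 = cannot verify
    (domain not local, so the gateway must not treat it as a rejection)."""
    local, _, domain = address.rpartition("@")
    if domain not in BACKEND_USERS:
        return 252
    return 250 if local in BACKEND_USERS[domain] else 550


@dataclass
class Outcome:
    rcpt_code: int                       # reply the sending MTA sees at RCPT TO
    bounces_generated: List[str] = field(default_factory=list)  # who we mailed


def gateway_rcpt(mail_from: str, rcpt_to: str, verify_at_gate: bool) -> Outcome:
    """Decide the RCPT TO reply and whether this gateway ends up sending a bounce."""
    code = backend_vrfy(rcpt_to)
    if verify_at_gate:
        # Explicit 550 from the backend -> refuse at the gate. Any NDR is then
        # produced by the originating MTA: a legitimate NDR, not backscatter.
        return Outcome(550 if code == 550 else 250)
    # Accept-then-bounce: say 250 now, discover the failure later, and
    # generate a bounce to the envelope sender, which spam forges at will.
    outcome = Outcome(250)
    if code == 550:
        outcome.bounces_generated.append(mail_from)
    return outcome


def transcript(mail_from: str, rcpt_to: str, verify_at_gate: bool) -> List[Tuple[str, str]]:
    """Return the (client, server) SMTP lines for the envelope phase."""
    out = gateway_rcpt(mail_from, rcpt_to, verify_at_gate)
    lines = [("MAIL FROM:<%s>" % mail_from, "250 OK")]
    if out.rcpt_code == 550:
        lines.append(("RCPT TO:<%s>" % rcpt_to, "550 5.1.1 no such user"))
    else:
        lines.append(("RCPT TO:<%s>" % rcpt_to, "250 OK"))
    return lines


def count_backscatter(envelopes, verify_at_gate: bool) -> int:
    """Count bounces this gateway would emit for a batch of (from, to) envelopes."""
    return sum(len(gateway_rcpt(f, t, verify_at_gate).bounces_generated)
               for f, t in envelopes)


# Constructed envelope sample: one typo to a real domain, one forged-sender run.
SAMPLE_ENVELOPES = [
    ("partner@bigco.example", "ceo@acme.example"),        # valid
    ("partner@bigco.example", "ceoo@acme.example"),       # typo: sender should get a real NDR
    ("victim@innocent.example", "qwerty@acme.example"),   # forged sender, dictionary run
    ("victim@innocent.example", "asdfgh@acme.example"),
]

if __name__ == "__main__":
    for mode in (True, False):
        print("verify_at_gate=%s backscatter=%d"
              % (mode, count_backscatter(SAMPLE_ENVELOPES, mode)))
```

Note the 252 branch: when the backend cannot verify an address it must be treated as "unknown", not as a rejection, otherwise the gateway starts refusing mail for domains it is legitimately relaying for. In the verify-at-gate mode the typo'd partner mail is refused at RCPT TO, so the partner's own MTA produces the NDR; in the accept-then-bounce mode the same typo still produces a bounce, but so do the two forged envelopes, and those go to a third party.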