From: Jean-Pierre v. M. <jp...@mi...> - 2008-06-14 13:28:47
Thomas, I don't think it's clear to you how I have set up ASSP in some configs. When ASSP is used in the normal way there is no problem: ASSP is proxying for a domain which has all the domains and users. No problem there, not even the need to have LDAP. The MTA refuses the mail from unknown domains and no NDRs (non-delivery reports) are sent.

I also have a setup with ASSP and Sendmail behind it. Although Sendmail knows all the domains it should be relaying for, it doesn't know any users. It has a mailertable and accepts all mail for all domains it's relaying for and sends it to the appropriate mail server. Those mail servers only listen to Sendmail and are foreign. We want to give the admins of these mail servers instructions that are as simple as possible. We could instruct them to grant VRFY commands. Not a problem, because that MTA isn't listening to the world anyhow. If ASSP gets a mail for a certain user on a certain domain it could check the end-user MTA with a VRFY command, and if it gets an explicit fail from that MTA, it should not accept the mail. Now there's no need to send an NDR, because the message is not accepted. More importantly.... less backscatter. A VRFY from a foreign MTA should of course not be passed to the end-user MTA, as it would honour it with a legitimate answer. For all this to work, ASSP needs to have the same info which I have in the mailertable (/etc/mail/mailertable). It would be nice if it's the same syntax, so a cron job could keep those 2 files in sync.

There's also another possibility.... The Sendmail behind the proxy could be configured to accept "based on MX". This means that mail for all domains is accepted as long as the recipient domain's MX points to Sendmail. That domain has a 2nd MX record, but that points to the end-user MTA. That MTA can only accept mail from Sendmail. Some big ISPs have this system working, but without the VRFY option. These ISPs relay all mail to their clients and they generate a lot of backscatter.....

So a mail comes in for pe...@ac.... acme.com has 2 MX records:

    mail.acme.com       priority 10
    mail.provider.com   priority 50

Sendmail is running on mail.provider.com and it is accepting mail for acme.com because its own domain (mail.provider.com) is in the MX records of acme.com. This is a normal fallback setup with Sendmail. No mail is accepted by mail.acme.com because it has port 25 closed for the world, but not for mail.provider.com. Some ISPs even block those ports. If ASSP could use the same mechanism as Sendmail is using and send a VRFY to mail.acme.com, it could refuse the mail at "the gate" and not let it get in between mail.provider.com and mail.acme.com.

The end user doesn't have to do a lot to implement it:
· Create a 2nd MX record, mail.provider.com
· Block port 25 for the world except mail.provider.com (this can be done by the ISP)
· Optionally honour VRFY requests to prevent non-local mail from getting past ASSP

You could have everything "configured in DNS". When VRFY requests aren't honoured it should accept all the mail. This setup is working great...

From: ass...@li... [mailto:ass...@li...] On behalf of Thomas Eckardt/eck
Sent: Saturday, 14 June 2008 9:58
To: ASSP development mailing list
Subject: [Assp-test] Reply: Re: Verifying recipients

>If this gets implemented it would be nice if the MTA that gets the VRFY could be different than the MTA for which it is proxying...
The simple way:
- there is an MTA behind ASSP, with all recipient information: so let the MTA do the work (the recipient verification - also VRFY)
- set (ASSP) MaxError to 3, to prevent dictionary harvesting
- that's all

The other way:
- there is an MTA behind ASSP, without any recipient information: at this time you need a flatfile or LDAP
- or -
checking the recipient with VRFY on another MTA than the one we are proxying will cause the following:

C1: connect
S1: 220 domain ready to do work
C2: helo
S2: 250 OK
C3: mail from:<...>
S3: 250 OK
C4: rcpt to:<...>   - this command we have to capture
- now we have to open a new SMTP connection to the VRFY-MTA, and we have to do the same as above with him (C1 to S3)
VC1 ...... VS3
VC4: VRFY <...>
VS4: 550/250
VC4: QUIT   - we have to do the QUIT, because we do not know what the next client request (C5:) would be (rcpt to or DATA or any other)
VS5: 421 closing channel
- depending on the answer VS4: we are now sending the captured C4: rcpt to:<...> to our real MTA - or we are sending S4: 550 - to the client
- the next client request could be 'DATA' or another 'RCPT TO' - which results in the same procedure as above to verify the recipient

There is nothing wrong with doing it this way (it's only hard to code), but there are a lot of unanswered questions: what to do if:
- the VRFY-MTA is unreachable
- the VRFY-MTA is slow and we are running into timeouts on the primary connection
- the connection to the VRFY-MTA is broken in the middle
.....
- to handle all possible exceptions is the real problem with doing it this way

I do not see a way to implement such a VRFY - but maybe Fritz has another opinion!

>Yes, but LDAP is not trivial to set up.

Setting up LDAP is much more trivial than setting up ASSP!

>This is something I need to prevent backscatter....

We are working on a solution to prevent backscatter - based on MessageID tracking - but this will take some time!

Thomas

Jean-Pierre van Melis <jp...@mi...>
Sent by: ass...@li...
13.06.2008 13:57
Please reply to: ASSP development mailing list <ass...@li...>
To: 'ASSP development mailing list' <ass...@li...>
Cc:
Subject: Re: [Assp-test] Verifying recipients

If this gets implemented it would be nice if the MTA that gets the VRFY could be different than the MTA for which it is proxying... I'm thinking of a domain table with the IP of the proxy (like the mailertable of Sendmail). In such a setup you can have Sendmail behind ASSP and let ASSP verify the user on the MTA which it has in the mailertable. Otherwise Sendmail has to accept all mail for each domain it is relaying for. Because Sendmail has the mailertable already, can Sendmail do this already?

This is something I need to prevent backscatter.... Because ASSP is doing a good job, the backscatter is minimal, but still....

Some setups I have working:

ASSP (accepting for specific domains) ====> Sendmail (relaying all mail using a mailertable) ===> MTAs without MX records

Another setup is also nice:

ASSP (accepting all domains) ===> Sendmail with relay based on MX ===> MTAs with itself as high-priority MX and ASSP as low-priority MX, and port 25 blocked for the world except ASSP.

_______________________________________________
Assp-test mailing list
https://lists.sourceforge.net/lists/listinfo/assp-test
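The side-connection check Thomas sketches above (capture C4, run VC1..VS5 against the VRFY-MTA, then either forward the RCPT or answer 550 yourself), combined with the mailertable-driven lookup and the "accept when VRFY isn't honoured" rule Jean-Pierre asks for, as an added example written for this page in Python. It is not ASSP's code and makes no claim about how ASSP does or would do it. Everything in it is constructed: the mailertable, the domains and users, the in-process fake MTAs (one that refuses VRFY, one that is slow, one port that is assumed closed) and the `resolve` hook that stands in for DNS and port 25. The side connection sends only HELO before VRFY (no MAIL FROM, which VRFY does not need), and the reply-code mapping (250/251 exists, 550/551/553 explicit fail, everything else including 502 and timeouts means "cannot tell, let it through") is this example's own choice.

```python
import socket
import socketserver
import threading
import time

# Constructed sample in Sendmail mailertable syntax; all hosts and domains are fictitious.
MAILERTABLE = """\
acme.com        smtp:[mail.acme.com]
example.net     esmtp:[mail.example.net]
slow.example    smtp:[mail.slow.example]
dead.example    smtp:[mail.dead.example]
"""

def parse_mailertable(text):
    """Map domain -> end-user MTA host from lines like 'domain   smtp:[host]'."""
    return {dom.lower(): tgt.partition(':')[2].strip('[] ')
            for dom, tgt in (ln.split(None, 1) for ln in text.splitlines()
                             if ln.strip() and not ln.lstrip().startswith('#'))}

def _exchange(sock, f, text=None):
    """Send 'text' (if given) and return the code of the next reply, skipping 'NNN-' lines."""
    if text:
        sock.sendall((text + '\r\n').encode('ascii'))
    line = f.readline()
    while line[3:4] == b'-':
        line = f.readline()
    return int(line[:3])            # b'' (peer closed) or junk -> ValueError -> 'unknown'

def vrfy_recipient(host, port, recipient, timeout=5.0, helo='assp.example'):
    """Side connection VC1..VS5 (banner, HELO, VRFY, QUIT): 'ok' | 'reject' | 'unknown'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            f = sock.makefile('rb')
            if _exchange(sock, f) != 220 or _exchange(sock, f, 'HELO ' + helo) != 250:
                return 'unknown'
            code = _exchange(sock, f, 'VRFY <%s>' % recipient)
            sock.sendall(b'QUIT\r\n')   # one VRFY per side connection; it is never reused
    except (OSError, ValueError):       # refused, timed out, reset mid-way, garbled reply
        return 'unknown'
    # 250/251 = exists, 550/551/553 = explicit fail; 252, 4xx, 502 (VRFY disabled) = unknown
    return {250: 'ok', 251: 'ok', 550: 'reject', 551: 'reject', 553: 'reject'}.get(code, 'unknown')

def rcpt_decision(recipient, table, resolve=None, timeout=5.0):
    """Captured 'RCPT TO' (C4) -> ('forward', None) to the real MTA, or ('reject', line)
    sent to the client as S4. Fails open. 'resolve' (host -> (ip, port)) is a test hook."""
    host = table.get(recipient.rpartition('@')[2].lower())
    if host is None:                    # not one of our relayed domains
        return ('forward', None)
    ip, port = (resolve or {}).get(host, (host, 25))
    if vrfy_recipient(ip, port, recipient, timeout) == 'reject':
        return ('reject', '550 5.1.1 Recipient address rejected: user unknown')
    return ('forward', None)            # 'ok' or 'unknown': let the mail through

class FakeMTA(socketserver.StreamRequestHandler):
    """Constructed end-user MTA for the demo: HELO, VRFY (maybe disabled or slow), QUIT."""
    def handle(self):
        srv = self.server
        self._say('220 mail.example ESMTP fake')
        for raw in iter(self.rfile.readline, b''):
            verb, _, arg = raw.decode('ascii', 'replace').strip().upper().partition(' ')
            time.sleep(srv.delay)       # a slow VRFY-MTA stalls the proxy's side connection
            if verb in ('HELO', 'EHLO'):
                self._say('250 mail.example')
            elif verb == 'VRFY' and not srv.honour_vrfy:
                self._say('502 5.5.1 VRFY command is disabled')
            elif verb == 'VRFY':
                known = arg.strip('<> ').lower() in srv.users
                self._say('250 ' + arg if known else '550 5.1.1 User unknown')
            elif verb == 'QUIT':
                return self._say('221 Bye')
    def _say(self, text):
        self.wfile.write((text + '\r\n').encode('ascii'))

def start_fake_mta(users=(), honour_vrfy=True, delay=0.0):
    srv = socketserver.ThreadingTCPServer(('127.0.0.1', 0), FakeMTA)
    srv.daemon_threads, srv.handle_error = True, lambda *a: None   # quiet when the peer gives up
    srv.users, srv.honour_vrfy, srv.delay = {u.lower() for u in users}, honour_vrfy, delay
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def demo():
    """Run the thread's scenarios against in-process fake MTAs; returns the decisions."""
    servers = {'mail.acme.com': start_fake_mta(users=['alice@acme.com']),
               'mail.example.net': start_fake_mta(honour_vrfy=False),
               'mail.slow.example': start_fake_mta(delay=1.0)}
    resolve = {h: ('127.0.0.1', port) for h, (_, port) in servers.items()}
    resolve['mail.dead.example'] = ('127.0.0.1', 1)   # assumed closed port: unreachable MTA
    table = parse_mailertable(MAILERTABLE)
    try:
        return {'known user':    rcpt_decision('alice@acme.com', table, resolve)[0],
                'unknown user':  rcpt_decision('nobody@acme.com', table, resolve)[0],
                'vrfy disabled': rcpt_decision('anyone@example.net', table, resolve)[0],
                'slow mta':      rcpt_decision('anyone@slow.example', table, resolve, 0.3)[0],
                'unreachable':   rcpt_decision('anyone@dead.example', table, resolve, 0.5)[0]}
    finally:
        for srv, _ in servers.values():
            srv.shutdown(); srv.server_close()
```

Calling `demo()` rejects only the unknown user; the slow, unreachable and VRFY-less MTAs all fall through to 'forward', which is what stops the check from turning a flaky end-user MTA into lost mail. Two points from the thread are deliberately left to the surrounding proxy: a VRFY arriving from the outside client must be answered locally and never forwarded to the end-user MTA, and a per-client error limit (ASSP's MaxError in Thomas's message) is still needed, because an attacker can otherwise harvest addresses one RCPT at a time through this side channel.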