[TAG] A couple of questions regarding Mail policy

Rick Moen rick at linuxmafia.com
Wed Jun 23 00:18:52 MSD 2004


Quoting Kapil Hari Paranjape (kapil at imsc.res.in):

> We have two mail exchangers outside our firewall. These forward mail to
> the LAN through the firewall. They also accept mail from the LAN to
> forward to the big bad world out there. They do not do *any* local
> delivery.
> 
> 1. AFAIK it is not necessary to have an actual machine corresponding to
> the domain the mail originates from. In other words there does not
> *need* to be an address (A) record for imsc.res.in in order for the e-mail
> address kapil at imsc.res.in to send and receive mail. It is enough that
> there be mail exchanger (MX) records. Is this correct?

Quoting RFC2181:

  10.3. MX and NS records

   The domain name used as the value of a NS resource record, or part of
   the value of a MX resource record must not be an alias.  Not only is
   the specification clear on this point, but using an alias in either
   of these positions neither works as well as might be hoped, nor well
   fulfills the ambition that may have led to this approach.  This
   domain name must have as its value one or more address records.
   Currently those will be A records, however in the future other record
   types giving addressing information may be acceptable.  It can also
   have other RRs, but never a CNAME RR.

   Searching for either NS or MX records causes "additional section
   processing" in which address records associated with the value of the
   record sought are appended to the answer.  This helps avoid needless
   extra queries that are easily anticipated when the first was made.

   Additional section processing does not include CNAME records, let
   alone the address records that may be associated with the canonical
   name derived from the alias.  Thus, if an alias is used as the value
   of an NS or MX record, no address will be returned with the NS or MX
   value.  This can cause extra queries, and extra network burden, on
   every query.  It is trivial for the DNS administrator to avoid this
   by resolving the alias and placing the canonical name directly in the
   affected record just once when it is updated or installed.  In some
   particular hard cases the lack of the additional section address
   records in the results of a NS lookup can cause the request to fail.

So, yes, every MX must have a valid "A" reference record.  (Note that
this doesn't mean there must be, in your words, "an actual machine".)

> 2. We have a number of users who insist on their need to keep ".forward"
> files. Now, it is possible (likely) that a spammer sends them mail which
> then gets forwarded to a host that tags it as spam. Any *reasonable*
> spam filtering and tagging mechanism should not then tag *our* host as a
> source of spam or a relay for spam. But could this happen? Is it likely
> to happen given the policy of various RBL's and the like?

No.  (This doesn't preclude the possibility of someone implementing
irrational policies at an RBL.  Speaking generally, that's happened 
before.  Not only can any featherless biped establish one, but the
danger of perspective loss seems ever-present in this topic.)
 
Existence of static .forward files from one host to another doesn't make
your host a "spam host", by any rational measure.

> 3. Given the above configuration what is a feasible mechanism to
> implement rcpt-time verification of the recipient? Is this possible
> without upgrading to exim4?

Would you mind re-posting this question, making the nature of what
you're trying to accomplish more specific?  I'm unclear on what you're
asking.

-- 
Cheers,             "I used to be on the border of insanity.  However, due 
Rick Moen           to pressing political concerns, I recently had to invade."
rick at linuxmafia.com                        -- Kurt Montandon, in r.a.sf.w.r-j
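The RFC 2181 §10.3 rule quoted in the reply to question 1 (an MX value must name a host that has address records and must never be a CNAME, while the domain itself needs no A record), as an added example that is not part of the original post: a small checker run over a constructed in-memory zone, where `SAMPLE_ZONE`, `check_mx_targets` and the example.test names are assumptions.

```python
# Added example (not from the original post): verify that every MX target
# of a domain follows RFC 2181 section 10.3, i.e. the target is not a
# CNAME and owns at least one address (A or AAAA) record. The zone is a
# constructed in-memory sample, not a live DNS lookup.

from typing import Dict, List, Tuple

Zone = Dict[str, Dict[str, List[str]]]

# Constructed sample zone: {owner name: {record type: [values]}}.
# Note that "example.test." itself has no A record, only MX records,
# which is fine; the MX targets are what need address records.
SAMPLE_ZONE: Zone = {
    "example.test.": {
        "MX": ["10 mx1.example.test.",
               "20 mx2.example.test.",
               "30 mail.example.test."],
    },
    "mx1.example.test.": {"A": ["192.0.2.10"]},
    "mx2.example.test.": {"AAAA": ["2001:db8::25"]},
    # An alias: RFC 2181 says an MX value must never point here.
    "mail.example.test.": {"CNAME": ["mx1.example.test."]},
}


def check_mx_targets(zone: Zone, domain: str) -> List[Tuple[str, str]]:
    """Return (mx_target, problem) for each MX value of `domain` that
    violates RFC 2181 section 10.3. An empty list means all targets are OK."""
    problems: List[Tuple[str, str]] = []
    for value in zone.get(domain, {}).get("MX", []):
        _preference, target = value.split(None, 1)
        rrs = zone.get(target, {})
        if "CNAME" in rrs:
            problems.append((target, "MX target is a CNAME (alias)"))
        elif not (rrs.get("A") or rrs.get("AAAA")):
            problems.append((target, "MX target has no address record"))
    return problems


if __name__ == "__main__":
    for target, problem in check_mx_targets(SAMPLE_ZONE, "example.test."):
        print(f"{target}: {problem}")
```

Run against the sample zone it reports only mail.example.test., the CNAME target; the first two MX hosts pass because each owns an address record.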