[TAG] A couple of questions regarding Mail policy
rick at linuxmafia.com
Wed Jun 23 00:18:52 MSD 2004
Quoting Kapil Hari Paranjape (kapil at imsc.res.in):
> We have two mail exchangers outside our firewall. These forward mail to
> the LAN through the firewall. They also accept mail from the LAN to
> forward to the big bad world out there. They do not do *any* local
> 1. AFAIK it is not necessary to have an actual machine corresponding to
> the domain the mail originates from. In other words there does not
> *need* to be an address (A) record for imsc.res.in in order for the e-mail
> address kapil at imsc.res.in to send and receive mail. It is enough that
> there be mail exchanger (MX) records. Is this correct?
10.3. MX and NS records
The domain name used as the value of a NS resource record, or part of
the value of a MX resource record must not be an alias. Not only is
the specification clear on this point, but using an alias in either
of these positions neither works as well as might be hoped, nor well
fulfills the ambition that may have led to this approach. This
domain name must have as its value one or more address records.
Currently those will be A records, however in the future other record
types giving addressing information may be acceptable. It can also
have other RRs, but never a CNAME RR.
Searching for either NS or MX records causes "additional section
processing" in which address records associated with the value of the
record sought are appended to the answer. This helps avoid needless
extra queries that are easily anticipated when the first was made.
Additional section processing does not include CNAME records, let
alone the address records that may be associated with the canonical
name derived from the alias. Thus, if an alias is used as the value
of an NS or MX record, no address will be returned with the NS or MX
value. This can cause extra queries, and extra network burden, on
every query. It is trivial for the DNS administrator to avoid this
by resolving the alias and placing the canonical name directly in the
affected record just once when it is updated or installed. In some
particular hard cases the lack of the additional section address
records in the results of a NS lookup can cause the request to fail.
So, yes, every MX must have a valid "A" reference record. (Note that
this doesn't mean there must be, in your words, "an actual machine".)
> 2. We have a number of users who insist on their need to keep ".forward"
> files. Now, it is possible (likely) that a spammer sends them mail which
> then gets forwarded to a host that tags it as spam. Any *reasonable*
> spam filtering and tagging mechanism should not then tag *our* host as a
> source of spam or a relay for spam. But could this happen? Is it likely
> to happen given the policy of various RBL's and the like?
No. (This doesn't preclude the possibility of someone implementing
irrational policies at an RBL. Speaking generally, that's happened
before. Not only can any featherless biped establish one, but the
danger of perspective loss seems ever-present in this topic.)
Existence of static .forward files from one host to another doesn't make
your host a "spam host", by any rational measure.
> 3. Given the above configuration what is a feasible mechanism to
> implement rcpt-time verification of the recipient? Is this possible
> without upgrading to exim4?
Would you mind re-posting this question, making the nature of what
you're trying to accomplish more specific? I'm unclear on what you're
Cheers, "I used to be on the border of insanity. However, due
Rick Moen to pressing political concerns, I recently had to invade."
rick at linuxmafia.com -- Kurt Montandon, in r.a.sf.w.r-j
More information about the TAG