Ignoring unqualified MX's ?
torben fjerdingstad
unitfj-bind at tfj.rnd.uni-c.dk
Wed Mar 22 13:18:42 UTC 2000
On Wed, Mar 22, 2000 at 01:43:27PM +0100, Ralf Hildebrandt wrote:
> On Wed, Mar 22, 2000 at 10:08:45AM +0100, torben fjerdingstad wrote:
>
> > Both places we use bind. I would like a bind solution, which
> > simply discards the bogus MX information.
> >
> > If it is not possible to make bind junk unqualified MX'es,
> > I would be happy with a patch (or an explation of why bind
> > must announce unqualified MX'es).
> >
> > I think I have pointed out a security problem in bind.
> > Am I wrong?
>
> Normally you wouldn't accept or relay mail for a domain you are MX for --
> just because it's in the DNS -- unless you specify
> FEATURE(relay_based_on_MX) (for sendmail).
Dunno. Personally I stick to qmail which must have that domain
the the rcpthosts file to accept the mail. I don't know what
options our customer has with his PMDF (I forget the exact
name) mailer.
> Nevertheless this can lead to a DOS, since bounces are sent locally, and
> since these cannot be delivered, you end up with double-bounces piling up in
> the mailbox.
Yes!
At least, it is nice to the network, because bounces don't get far :-(
> The solution would be to disallow "localhost" for MX records.
Not enough. How about unqualified hostnames like mail, www,
mailhost mailserver (anyserver) and so on.
funnydomain.net.
@ SOA ......
IN MX 10 localhost.
IN MX 20 mail.
IN MX 30 www.
IN MX 40 mailhost.
I think the best solution is to ignore unqualified-host MX'es.
That will also make some smtp's reject the spam early,
when the sender domain does not resolve.
--
Med venlig hilsen / Regards
Netdriftgruppen / Network Management Group
UNI-C
Tlf./Phone +45 35 87 89 41 Mail: UNI-C
Fax. +45 35 87 89 90 Bygning 304
E-mail: torben.fjerdingstad at uni-c.dk DK-2800 Lyngby
More information about the bind-users
mailing list