Date: Wed, 23 Jul 1997 15:36:08 -0400 (EDT) From: Drew Derbyshire <ahd@kew.com> To: current@freebsd.org Subject: (over)zealous mail bouncing Message-ID: <199707231936.PAA20690@pandora.hh.kew.com>
next in thread | raw e-mail | index | archive | help
> > well.. i have the same problem... we fix the from in the actual header,
> > but there isn't anything we can really do with sendmail unless we really
> > want to become "spammers"...
SPAMming is sending unsolicited junk mail; configuring your mail
to have a valid reply address which gets errors back to you in a
reasonable fashion is merely good system admin. Lying like hell
in order to be a good system admin is being a _creative_ system
admin. :-)
> > also, he gets a dynamic ip address from
> > efn.. meaning that he has to change his hostname, and then restart
> > sendmail for it to become valid...
The sender address does not have to match any known IP address;
for it to be a valid address, there need only be a valid MX record.
Consider, for example, kew.com (my humble e-mail home) and
sonata.uucp.kew.com (my NT UUCP only box); each only have MX records,
both are valid sender addresses.
If the remote doing the bouncing is checking IP addresses, he better
stop -- I can easily send legitmate mail for which the originating
IP address will not exist in DNS by the time he can check.
> Yes, but the envelope sender is wrong. Mail servers are perfectly
> justified in refusing mail with an envelope sender containing a non
> existant domain.
This correct, but the safest method is to perform a transient
rejection (4xx series reply, not 5xx) to allow for true name server
problems. This is important, since for example about two weeks
ago DNS "lost" freebsd.org, and last Thursday the NIC trashed most
of the root servers on the net. In the first incident (running a
hard bounce response), I lost at least one FreeBSD digest, but in
the second incident (having returned to using transient bounces)
mail was merely delayed.
For a truly bogus domain, you can either let the mail timeout or add
it to your banned domain list for faster flushing.
> > well... there is one problem... efn.org is over a 14.4k modem, to my
> > 28.8k modem, that happens to be dialed into efn's terminal server, but
> > goes over to a local university which we use for inet connectivity...
> > so connecting to that host would go over the above, then back from the
> > university to efn.org... plus, we run FreeBSD on our systems.. so it
> > is possible, but problematic... considering that he can also dial
> > directly into efn it would mean needing to have two completely differnt
> > configurations...
>
> Huh? What does this have to do with e-mail addresses? The connectivity
> is irrelevant. It also has nothing to do with dynamic addresses. Use
> "-f" flag to sendmail to force the proper envelope sender.
The standard mail user agents do not present this flag, and sendmail
must be told which users are to be trusted to use it. This makes
it a poor choice for a production system.
For reasonably sized site, a better method is to explicitly define
the canonical host name of each unique dial-in host (use the
confDOMAIN_NAME macro) and provide valid MX records for each one.
You could, in a pinch, use a wild-carded sub-domain (*.dymanic.efn.org)
to cut down on the number of records, but according to the sendmail.org
experts, wildcard records should be avoided if possible.
You can also tell sendmail to masquerade the envelope as well, this is
does cut down on the audit trail slightly and so I personally try to
avoid it.
--
Drew Derbyshire Internet: ahd@kew.com
Kendra Electronic Wonderworks Telephone: 617-279-9812
"I remember being a sophomore; it was the best three years of my life."
- "Animal House"
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199707231936.PAA20690>