Greg: get it right.

Jay R. Ashworth jra at scfn.thpl.lib.fl.us
Tue Jul 22 14:03:56 UTC 1997


Apologies to the list; this will be the final posting you see on this
topic.  Greg: the system is valid, verifiable, and has an A record.  If
that's not good enough for you, sign off now.

-----Forwarded message from Mail Delivery Subsystem <MAILER-DAEMON>-----

On Mon, Jul 21, 1997 at 07:06:58PM -0400, Greg A. Woods wrote:
> > get a real mailer.
> Oh oh!  Trouble down there in Florida making you cranky Jay?  ;-)

Nope.

People who don't read the RFCs.  :-)

> Thanks for your voicemail message -- sorry I couldn't answer directly as
> I've been keeping the line open to a customer whose brand new T1 is down
> and out and there's lots of finger pointing going on....

I'm hip.

> FYI here's the log entry my mailer records when this sort of thing
> happens (this example from your most recent attempt):

Yeah, this time, as noted, I got the reply myself.

> 07/21/1997 17:37:16: remote MAIL FROM: '<jra at scfn.thpl.lib.fl.us>SIZE=3395' target 'scfn.thpl.lib.fl.us' is not a valid domain (no MX record); by jra at scfn.thpl.lib.fl.us [204.198.80.3].
> 
> The '<jra at scfn.thpl.lib.fl.us>SIZE=3395' is exactly what was sent by
> "your" mailer as the parameter for the "MAIL FROM" SMTP command, and the
> reason for the rejection is because the target 'scfn.thpl.lib.fl.us'
> doesn't have an MX.  ("jra at scfn.thpl.lib.fl.us [204.198.80.3]" is the
> result of the PTR lookup and an IDENT query.)
> 
> And nope, I'm not going to change this -- I'm doing it on purpose!  ;-)
> (and I know full well what I am doing in this case since I wrote the
> code to do it this way and the requirements I set out to fulfill have
> been met!  ;-)

Except that you forgot that an MX record isn't necessary.  An A record
works nicely... and there _IS_ one of those.

> Yes this is draconian, but it helps immensely at rejecting spam and it
> rarely rejects any legitimate mail (except from sticks-in-the-mud like
> the folks at PSU.EDU who don't seem to have ever heard of MX records and
> folks such as yourself who haven't yet run across this).  I receive
> hundreds of messages per day, and others using similar mail
> authorisation rules receive thousands or even tens of thousands of
> messages per day.  This form of authorisation is spreading to more and
> more mailers too -- I understand that even sendmail can do it, and from
> what I've heard aol.com has enabled such rules and Brad Knowles himself
> advocates enforcing such checks.  To quote a tiny portion of private
> e-mail that he sent to me just before he decided to cut off all
> discussion with me (I'm now privileged to be in his >/dev/null list! ;-):

Don't misunderstand me; I salute your intent.  Just do it _correctly_.
:-)

And note that you shouldn't validate the sender address until you have a
recipient address.  Mail addressed solely to "postmaster" has to be
deliverable anyway, or you violate RFC 822.

> He wasn't talking explicitly about requiring a valid MX for the sender
> address, but I think you'll see the direction he seemed to be going in.

Certainly; he was talking about verifying the existence of the sender.
MX records are optional, and therefore inspire false negatives of this
sort.

> > > Your DNS is rather sparse of MX records.  You might want to add at least
> > > the following as well:
> > > 
> > > 	thpl.LIB.fl.us.         MX      1 scfn.thpl.lib.fl.us.
> > > 	scfn.thpl.LIB.fl.us.    MX      1 scfn.thpl.lib.fl.us.
> > > 
> > > Either that or use a return address of <jra at ns1.thpl.lib.fl.us>
> > > (i.e. the "MAIL FROM:" address given in the SMTP envelope).
> > 
> > The return address you should have had was "jra at baylink.com".
> > baylink.com MX's to scfn.thpl.lib.fl.us, which is an A record.
> 
> Yes, that would have worked A-OK, but perhaps you're thinking of the
> RFC-822 "Reply-To" address whereas I'm talking about the SMTP envelope
> sender address.

If you got an envelope address of ns1, then we have a mail routing
problem on outbounds of which I wasn't aware.

> Hopefully we can get this sorted out amicably -- I can't bend on my rule
> to require an MX for sender addresses, but I may think about adding an
> exception list to allow friends to break the rules (until they see clear
> to fixing their DNS! ;-).

Unless you can come up with a valid explanation why simply an A record
isn't enough, I think you'll have to bend your rule to avoid violating
the RFCs.

Cheers,
-- jra
-- 
Jay R. Ashworth                                                jra at baylink.com
Member of the Technical Staff             Unsolicited Commercial Emailers Sued
The Suncoast Freenet      "People propose, science studies, technology
Tampa Bay, Florida          conforms."  -- Dr. Don Norman      +1 813 790 7592



-----End of forwarded message-----

-- 
Jay R. Ashworth                                                jra at baylink.com
Member of the Technical Staff             Unsolicited Commercial Emailers Sued
The Suncoast Freenet      "People propose, science studies, technology
Tampa Bay, Florida          conforms."  -- Dr. Don Norman      +1 813 790 7592
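
Added example (not part of the original message, and not code from either mailer): the two sender-domain checks argued over in this thread, run against a constructed in-memory zone so the difference is visible offline. The domain names, addresses and function names are hypothetical; the fallback to the A record follows the implicit-MX behaviour of RFC 974, and the postmaster exemption and check-at-RCPT ordering follow the points made in the message above.

```python
# Constructed zone data for illustration (hypothetical names, not real DNS).
ZONE = {
    "vanity.example":   {"MX": [(10, "mailhost.example")]},
    "mailhost.example": {"A": ["192.0.2.3"]},           # A record only, no MX
    "dead-mx.example":  {"MX": [(5, "gone.example")]},  # MX target does not resolve
}

def lookup(name, rtype, zone=ZONE):
    """Return the records of one type for a name (empty list if none)."""
    return zone.get(name.lower().rstrip("."), {}).get(rtype, [])

def mx_only_ok(domain, zone=ZONE):
    """The strict rule seen in the log line: reject unless an MX record exists."""
    return bool(lookup(domain, "MX", zone))

def mail_targets(domain, zone=ZONE):
    """Hosts that take mail for domain: resolvable MX targets, else the domain's own A."""
    mx = sorted(lookup(domain, "MX", zone))
    if mx:
        return [(pref, host) for pref, host in mx if lookup(host, "A", zone)]
    if lookup(domain, "A", zone):
        # No MX at all: the host itself is the target (implicit MX, preference 0).
        return [(0, domain.lower().rstrip("."))]
    return []

def rcpt_decision(mail_from, rcpt_to, zone=ZONE):
    """Validate the envelope sender only once a recipient is known (at RCPT TO)."""
    rcpt_local = rcpt_to.strip("<>").partition("@")[0].lower()
    if rcpt_local == "postmaster":
        return ("accept", "postmaster is exempt from sender checks")
    sender_domain = mail_from.strip("<>").rpartition("@")[2]
    if not sender_domain:
        return ("accept", "null reverse-path (delivery notification)")
    if mail_targets(sender_domain, zone):
        return ("accept", "sender domain has a mail target")
    return ("reject", "sender domain has no usable MX or A record")

if __name__ == "__main__":
    for dom in ("vanity.example", "mailhost.example", "dead-mx.example", "nowhere.example"):
        print(dom, "mx-only:", mx_only_ok(dom), "targets:", mail_targets(dom))
    print(rcpt_decision("<user@mailhost.example>", "<someone@rcpt.example>"))
    print(rcpt_decision("<user@nowhere.example>", "<postmaster@rcpt.example>"))
```

The A-only host is the false negative described above: the MX-only rule refuses it, while the fallback check accepts it and still rejects a domain that resolves to nothing.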


