unwise filtering policy from cox.net
rsk at gsp.org
Wed Nov 21 15:04:24 UTC 2007
On Wed, Nov 21, 2007 at 06:51:42AM +0000, Paul Ferguson wrote:
> Sure, it's an "unfortunate limitation", but I hardly think it's
> an issue to hand-wave about and say "oh, well".
There are numerous techniques available for addressing this problem.
Which one(s) to use depends on the site's mail architecture, so I'm
not going to try to enumerate them all -- only to give a few examples.
Example 1: exempt [email protected] address from all anti-* processing; just deliver
it. All the MTA's I've worked with provide features to support this;
it's also sometimes necessary to make that exemption elsewhere (e.g.,
in programs called invoked as milters). Oh, and don't greylist it either.
Example 2: if using a multi-tier architecture (increasingly a good
idea, as it insulates internal traffic from the beating often inflicted
by external traffic) then re-route [email protected] mail to its own dedicated system
(using a mechanism like the sendmail virtual user table or equivalent).
Make that system something relatively impervious, and choose hardware
that can be replaced quickly at low cost. (My suggestion: OpenBSD
on a Sparc Ultra 2, and use mutt as the mail client. Keep a couple
of spares in the basement, they're dirt-cheap.)
More information about the NANOG