Re: [Asrg] MXs Used As Authentication - Why RMX?
On Mon, Aug 25, 2003 at 09:13:27AM +0100, Sabahattin Gucukoglu wrote:
> Hi peeps,
>
> I've tried hard to work out a requirement for an additional DNS RR (RMX -
> Danisch Draft) for authentication, but can't understand why MXs alone
> can't be used. I must be missing something somewhere. Why can't you just
> resolve the given envelope sender domain, check all of the MXs hostnames
> and see if any of them matches your connecting machine's IP after
> resolution to addresses? The hostname could come either from the SMTP
> client greeting (helo/ehlo) or the sender domain, and MX resolution could
> be recursive (including checks to ensure no infinite recursion). Now, so
> long as all possible output relays for a domain are an MX, there's no
> problem, right? (Or is this not what happens in the real-world?)
Real world example... me. I got my own domain (waltdnes.org) while
changing ISPs. When I realised all the lists I'd have to unsubscribe
from (old address) and resubscribe to (new address) plus all the people
I'd have to notify, I decided to make sure this would be the last time.
The only real guarantee of a "lifetime address" is one's own personal
domain. So here's my situation...
- I live in Toronto, Ontario
- my "connectivity ISP" is IStop.com.
- My email is generally sent from IStop.com's MTA.
- IStop is owned by Ralph Doncaster; actually it's a subsidiary of
DCI (Doncaster Consulting Inc)
- Here's a "dig" on istop.com
; <<>> DiG 9.2.1 <<>> @dci.doncaster.on.ca istop.com any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14615
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 2, ADDITIONAL: 3
;; QUESTION SECTION:
;istop.com. IN ANY
;; ANSWER SECTION:
istop.com. 86400 IN NS dci.doncaster.on.ca.
istop.com. 86400 IN NS ns.istop.com.
istop.com. 86400 IN A 66.11.168.194
istop.com. 86400 IN SOA ns.doncaster.on.ca. root.doncaster.on.ca. 2003082201 14400 720 604800 86400
istop.com. 86400 IN MX 10 mail.istop.com.
;; AUTHORITY SECTION:
istop.com. 86400 IN NS dci.doncaster.on.ca.
istop.com. 86400 IN NS ns.istop.com.
;; ADDITIONAL SECTION:
dci.doncaster.on.ca. 864 IN A 66.11.168.194
ns.istop.com. 86400 IN A 66.11.168.199
mail.istop.com. 86400 IN A 66.11.168.199
- I usually send my email via smtp.istop.com, but that's not the
primary name of that IP address
[waltdnes@m450 waltdnes]$ host smtp.istop.com
smtp.istop.com has address 66.11.168.194
[waltdnes@m450 waltdnes]$ host 66.11.168.194
194.168.11.66.in-addr.arpa domain name pointer dci.doncaster.on.ca.
- Here's sample headers that the list sees coming from me...
Received: from dci.doncaster.on.ca ([66.11.168.194] helo=smtp.istop.com)
        by ietf-mx with esmtp (Exim 4.12)
        id 19ordy-0002mx-00
        for asrg@ietf.org; Mon, 18 Aug 2003 17:34:26 -0400
Received: from waltdnes.org (ip123-165.tor.istop.com [66.11.165.123])
        by smtp.istop.com (Postfix) with SMTP id D473A36974
        for <asrg@ietf.org>; Mon, 18 Aug 2003 17:34:20 -0400 (EDT)
Received: by waltdnes.org (sSMTP sendmail emulation); Mon, 18 Aug 2003 17:34:19 -0400
The "fun" doesn't end here. My personal domain is registered via
DomainDirect.com. The default MX is in the waltdnes.org domain, but
it's just an alias for a cp.net (Critical Path) MTA, which then
re-directs to the ISP of my choosing. I'm allowed to edit my zone file
(everything except SOA). When South Korea started pounding on me with
multiple Korean-language spams per day, I got annoyed enough to pay for
another account that allows me to personally control DNSbls, etc, and
reject during the SMTP transaction (just after RCPT:). Clss.net allows
me to point my MX record at them. It has to be done that way for DNSbls
to work. So here's the data on my domain...
; <<>> DiG 9.2.1 <<>> @ns1.domaindirect.com waltdnes.org any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26521
;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 3, ADDITIONAL: 4
;; QUESTION SECTION:
;waltdnes.org. IN ANY
;; ANSWER SECTION:
waltdnes.org. 3600 IN MX 10 manson.clss.net.
waltdnes.org. 3600 IN A 216.40.33.117
waltdnes.org. 3600 IN NS ns1.domaindirect.com.
waltdnes.org. 3600 IN NS ns2.domaindirect.com.
waltdnes.org. 3600 IN NS ns3.domaindirect.com.
waltdnes.org. 3600 IN SOA ns1.domaindirect.com. hostmaster.domaindirect.com. 2084608802 10800 3600 2592000 86400
;; AUTHORITY SECTION:
waltdnes.org. 3600 IN NS ns1.domaindirect.com.
waltdnes.org. 3600 IN NS ns2.domaindirect.com.
waltdnes.org. 3600 IN NS ns3.domaindirect.com.
;; ADDITIONAL SECTION:
manson.clss.net. 148675 IN A 65.211.158.2
ns1.domaindirect.com. 527 IN A 216.40.33.21
ns2.domaindirect.com. 111264 IN A 216.40.33.22
ns3.domaindirect.com. 268 IN A 216.40.33.24
To summarize, here's a real life example...
- mail is sent from dci.doncaster.on.ca, HELOing as "smtp.istop.com"; both
names have the same IP address
- my MX record is currently manson.clss.net
How would your system handle it?
--
Walter Dnes <waltdnes@waltdnes.org>
Email users are divided into two classes:
1) Those who have effective spam-blocking
2) Those who wish they did
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
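As an added illustration (not code from the post, the list, or any ASRG draft), the MX-only check that Sabahattin proposes is written out below and run against the real-life case Walter describes. The DNS table is constructed from the dig output and Received: headers quoted in the message so it runs offline; the function names and the recursion depth limit are this example's own choices.

```python
"""Simulate the 'MX as sender authentication' check proposed in the quoted
post. All lookups come from an inline table constructed from the dig output
and Received: headers in the message above, so no real DNS queries are made."""
import ipaddress

# Constructed from the dig output and headers quoted in the mail.
ZONE = {
    "istop.com":           {"MX": ["mail.istop.com"], "A": ["66.11.168.194"]},
    "mail.istop.com":      {"A": ["66.11.168.199"]},
    "smtp.istop.com":      {"A": ["66.11.168.194"]},
    "dci.doncaster.on.ca": {"A": ["66.11.168.194"]},
    "waltdnes.org":        {"MX": ["manson.clss.net"], "A": ["216.40.33.117"]},
    "manson.clss.net":     {"A": ["65.211.158.2"]},
}

def lookup(name, rrtype):
    """Return the records of one type for a name (empty list if none)."""
    return ZONE.get(name.lower().rstrip("."), {}).get(rrtype, [])

def mx_addresses(domain, depth=0, seen=None):
    """Resolve every MX of `domain` to its A records. The post allows the MX
    walk to be recursive, so MX targets that themselves have MX records are
    followed; `seen` and `depth` guard against MX loops (hypothetical limit)."""
    seen = set() if seen is None else seen
    if domain in seen or depth > 5:
        return set()
    seen.add(domain)
    addrs = set()
    for mx in lookup(domain, "MX"):
        addrs.update(lookup(mx, "A"))
        addrs.update(mx_addresses(mx, depth + 1, seen))
    return addrs

def mx_check(client_ip, helo, sender_domain):
    """Return (accepted, reason). Accept only if the connecting IP is an
    address of some MX of the envelope sender domain or of the HELO name."""
    ip = str(ipaddress.ip_address(client_ip))
    for label, domain in (("sender", sender_domain), ("helo", helo)):
        if ip in mx_addresses(domain):
            return True, f"{ip} is an MX of {domain} ({label})"
    return False, f"{ip} is not an MX of {sender_domain} or {helo}"

if __name__ == "__main__":
    # Walter's case: relay 66.11.168.194, HELO smtp.istop.com, sender waltdnes.org
    print(mx_check("66.11.168.194", "smtp.istop.com", "waltdnes.org"))
    # Even mail from istop.com itself fails: its MX is .199, its relay is .194
    print(mx_check("66.11.168.194", "smtp.istop.com", "istop.com"))
```

Both real-world cases are rejected, because an outgoing relay is generally not the domain's MX; only a connection from manson.clss.net (65.211.158.2) would pass for waltdnes.org, which is the inbound path, not the outbound one.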