Security Basics mailing list archives
RE: Final Words on "Educating RDNS violators" - Debunking the Myth's [?? Probable Spam]
From: Derek Schaible <dschaible () cssiinc com>
Date: Fri, 03 Sep 2004 18:26:31 -0400
On Fri, 2004-09-03 at 15:36, LordInfidel wrote:
> Think about this though: if you are able to relay mail thru your ISP's SMTP server, which most ISPs allow you to do, then why run your own outbound SMTP server? That does not make sense.
It makes a lot of sense. Doing so allows you to provide SMTP AUTH for road warriors, gives you local control over spam/av filtering, many reasons depending on your imagination.
> The answer is, while most ISPs will allow their customers to relay mail thru their servers, they will only allow mail from their (the ISP's) domain name space. Meaning, if you are hosting your own domain name or want to send from a domain other than your ISP's, you can't. Assuming I was an AOL customer, I can't send mail as directionweb.com thru AOL's SMTP server.
SMTP relaying is typically controlled by network address, not by name. If I'm an ISP's customer, I am on their address space, so typically I can relay through their servers. This is the normal practice. I have never heard of an ISP that didn't allow you to relay through their server if you're on their network. If ISPs prevented you from sending mail as another domain, Reply-To's and people with multiple accounts would break. Relaying is best controlled by selecting the subnets you want to relay for, and this is how the vast majority of ISPs handle it. Your local name matters not. I can set my local name to whatever I want, but my IP address must be on the correct subnet to function.

AOL is a different animal. Typically, I don't believe they provide any SMTP servers for customers. You are supposed to use their sorry email client. In fact, many of my users who use AOL at home suddenly lost the ability to even connect to our SMTP servers through port 25. AOL started blocking outbound traffic to port 25 for all but their SMTP servers. I had to run qmail on an upper port and reconfigure their mail clients for them to continue using our servers. Many other ISPs are following suit. Why? In an effort to prevent their customers from sending spam. They stop you from reaching outside SMTP servers through normal means, forcing the average Joe to relay through their network. This breaks even your own SMTP server. You must relay in these instances. Since AOL did this, I've found 4 other ISPs that followed suit just among the user base of road warriors where I work.
> To give you an example, an SMTP server (called homey) located in a private domain called bunk.local cannot advertise its FQDN as homey.bunk.local to remote SMTP servers. This is because the root domain in this case, .local, is not a valid domain and cannot be routed on the net. homey has 2 options to send out mail: change its advertised name in the HELO response it gives to other SMTP servers, or send an IP in place of a FQDN.
You missed an option: relay it to their ISP's server. The network address should be in the relay table and mail will happily flow. The name matters not if you're in the relay table. This is also how some SMTP AUTH implementations work. You log into the SMTP service, it adds your *address, not name* to the "Allowed Relay Clients" table for a defined period of time. Many SMTP servers won't even allow you to enter relay clients by name - they only accept addresses. For instance, tcp.smtp in qmail looks like this:

    127.0.0.:allow,RELAYCLIENT=""
    141.123.123.23:allow,RELAYCLIENT=""
    141.123.123.24:allow,RELAYCLIENT=""
    141.123.123.66:allow,RELAYCLIENT=""
    192.168.1.:allow,RELAYCLIENT=""
    192.168.2.:allow,RELAYCLIENT=""
    192.168.3.:allow,RELAYCLIENT=""

Entering names is not even valid. If your address matches an entry in this table, you are sending mail regardless of DNS. All that's left is to pass local spam filtering policies, etc., if any exist.
> I hate to bring this up, but as a matter of semantics, there is no small r in RDNS; I had hoped that by correcting it in my posts that everyone else would catch on.
Look, we all know what *reverse* DNS is. That's why I conformed with the rDNS precedent - rDNS is just easier to type. The lower case distinguishes it from the proper acronym of DNS. OK, enough with the semantics :-)

I do appreciate this debate, I truly hope the mods don't bit bucket us as I think this is a healthy and pertinent discussion. I'm certainly not going to argue against your points of other AV/Spam filtering. This is all true. We need to keep in mind, however, that the outdatedness of the RFCs is what brought us to this point in fighting spam. The RFCs were written at a time when the 'net was friendly. They don't offer suggestions for fixing SMTP, which is ill-equipped to deal with the current problem. This is why we are seeing the discussions of SPF or C/R solutions. Arguably, these break the RFCs as well, yet many shops depend on them. SMTP has issues today, and many of us are turning to new methods to deal with it.

I still maintain that if you expect to deliver mail to anyone in the world today with confidence that it will be received, you need to make sure that your SMTP delivery to the outside world comes from a host that has proper reverse DNS setup. It's not a matter of liking it or not. If that means you must relay, then you must. It doesn't prevent you from running your own SMTP server. You just need to add a hop.

OK, I can't promise I'm done with this thread obviously :-)

-- 
Derek Schaible <dschaible () cssiinc com>
CSSI, Inc.
Attachment:
signature.asc
Description: This is a digitally signed message part
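The central claim in Derek's reply is that a qmail relay table keys on the connecting client's address, not on whatever name it presents in HELO or on its DNS. The following is an added example, not code from the post or from qmail/ucspi-tcp: a small Python evaluator for the tcp.smtp rule format quoted above, using the poster's own table as sample input. It assumes tcprules-style matching (the full address is tried first, then progressively shorter dot-terminated prefixes, then the empty default rule), expands ``a.b.c.x-y`` ranges the way tcprules does, and adds a trailing ``:allow`` default line of its own so that non-relay hosts can still connect to deliver local mail; it handles address rules only, so a name-shaped pattern can never match a client. Calling a rule miss "allow without RELAYCLIENT" is my reading of tcpserver's default and is flagged as an assumption in the code.

```python
"""Evaluate qmail/ucspi-tcp ``tcp.smtp`` style relay rules by client address.

Added example for the thread above; not the project's code.  The semantics
(most-specific prefix wins, ranges expand on the last octet, names never
match an address) are assumptions about tcprules, not taken from the page.
"""
import ipaddress

# Sample table, copied from the message; the final ':allow' line is my
# addition (assumption) so that hosts outside the table may still connect
# to deliver local mail without being granted relay rights.
SAMPLE_TCP_SMTP = """\
127.0.0.:allow,RELAYCLIENT=""
141.123.123.23:allow,RELAYCLIENT=""
141.123.123.24:allow,RELAYCLIENT=""
141.123.123.66:allow,RELAYCLIENT=""
192.168.1.:allow,RELAYCLIENT=""
192.168.2.:allow,RELAYCLIENT=""
192.168.3.:allow,RELAYCLIENT=""
:allow
"""


def expand_range(pattern):
    """'1.2.3.4-10' -> ['1.2.3.4', ..., '1.2.3.10']; other patterns unchanged."""
    head, sep, tail = pattern.rpartition(".")
    if sep and "-" in tail:
        lo, hi = tail.split("-", 1)
        if lo.isdigit() and hi.isdigit():
            return [f"{head}.{n}" for n in range(int(lo), int(hi) + 1)]
    return [pattern]


def parse_tcp_smtp(text):
    """Parse rule text into {address_pattern: (allowed, env_vars)}."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, instruction = line.partition(":")
        parts = instruction.split(",")
        allowed = parts[0].strip() == "allow"
        env = {}
        for assignment in parts[1:]:
            name, _, value = assignment.partition("=")
            env[name.strip()] = value.strip().strip('"')
        for addr in expand_range(pattern):
            rules[addr] = (allowed, env)
    return rules


def lookup(rules, client_ip):
    """Return (allowed, env) for the most specific rule matching client_ip."""
    ip = str(ipaddress.IPv4Address(client_ip))  # rejects non-address input
    octets = ip.split(".")
    # Exact address, then 1.2.3., 1.2., 1., then the empty default rule.
    candidates = [ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]
    for cand in candidates:
        if cand in rules:
            return rules[cand]
    # Assumption: with no matching rule the connection is allowed but
    # carries no RELAYCLIENT, i.e. local delivery only.
    return (True, {})


def relay_decision(rules, client_ip, helo_name=None):
    """Classify a client as 'refused', 'relay' or 'local-delivery-only'.

    ``helo_name`` is accepted and deliberately ignored: the table is keyed
    on the peer address, so the advertised name plays no part.
    """
    allowed, env = lookup(rules, client_ip)
    if not allowed:
        return "refused"
    return "relay" if "RELAYCLIENT" in env else "local-delivery-only"


RULES = parse_tcp_smtp(SAMPLE_TCP_SMTP)

if __name__ == "__main__":
    # Constructed sample clients: an inside host, a listed host, an outsider.
    for ip, helo in [("192.168.1.55", "homey.bunk.local"),
                     ("141.123.123.23", "homey.bunk.local"),
                     ("203.0.113.9", "mail.example.net")]:
        print(f"{ip:16} HELO {helo:18} -> {relay_decision(RULES, ip, helo)}")
```

Feeding the same HELO name from two different addresses gives two different answers, which is the whole point of the table; a rule written as a host name is parsed but can never be selected, because the candidate list only ever contains address prefixes.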
Current thread:
- Final Words on "Educating RDNS violators" - Debunking the Myth's LordInfidel (Sep 02)
- Re: Final Words on "Educating RDNS violators" - Debunking the Myth's Derek Schaible (Sep 07)
- Re: Final Words on "Educating RDNS violators" - Debunking the Myth's Derek Schaible (Sep 08)
- <Possible follow-ups>
- RE: Final Words on "Educating RDNS violators" - Debunking the Myth's LordInfidel (Sep 08)
- RE: Final Words on "Educating RDNS violators" - Debunking the Myth's [?? Probable Spam] Derek Schaible (Sep 08)
- RE: Final Words on "Educating RDNS violators" - Debunking the Myth's David Gillett (Sep 10)
- Re: Final Words on "Educating RDNS violators" - Debunking the Myth's Gabriel Orozco (Sep 13)