Security Basics mailing list archives

RE: Final Words on "Educating RDNS violators" - Debunking the Myth's [?? Probable Spam]


From: Derek Schaible <dschaible () cssiinc com>
Date: Fri, 03 Sep 2004 18:26:31 -0400

On Fri, 2004-09-03 at 15:36, LordInfidel wrote:
> Think about this though, if you are able to relay mail thru your ISP's
> SMTP server, which most ISPs allow you to do, then why run your own
> outbound SMTP server, that does not make sense.

It makes a lot of sense. Doing so allows you to provide SMTP AUTH for
road warriors, gives you local control over spam/av filtering, many
reasons depending on your imagination.

> The answer is, while most ISPs will allow their customers to relay mail
> thru their servers, they will only allow mail from their (the ISP's)
> domain name space.
>
> Meaning, if you are hosting your own domain name or want to send from a
> domain other than your ISP's, you can't. Assuming I was an AOL
> customer, I can't send mail as directionweb.com thru AOL's SMTP server.

SMTP Relaying is typically controlled by network address, not by name.
If I'm an ISP's customer, I am on their address space so typically I can
relay through their servers. This is the normal practice. I have never
heard of an ISP that didn't allow you to relay through their server if
you're on their network.

If ISPs prevented you from sending mail as another domain, reply-to's
and people with multiple accounts would break. Relaying is best
controlled by selecting the subnets you want to relay for and this is
how the vast majority of ISPs handle it. Your local name matters not. I
can set my local name to whatever I want, but my IP address must be on
the correct subnet to function.

AOL is a different animal. Typically, I don't believe they provide any
SMTP servers for customers. You are supposed to use their sorry email
client. In fact, many of my users who use AOL at home suddenly lost the
ability to even connect to our SMTP servers through port 25. AOL started
blocking outbound traffic to port 25 for all but their SMTP servers. I
had to run qmail on an upper port and reconfigure their mail clients for
them to continue using our servers. 

Many other ISPs are following suit. Why? In an effort to prevent their
customers from sending spam. They stop you from reaching outside SMTP
servers through normal means, forcing the average joe to relay through
their network. This breaks even your own SMTP server. You must relay in
these instances. Since AOL did this, I've found 4 other ISPs that
followed suit just among the user-base of road warriors where I work.

> To give you an example, an SMTP server (called homey) located in a pvt
> domain called bunk.local, cannot advertise its FQDN as
> homey.bunk.local to remote SMTP servers. This is because the root
> domain in this case, .local, is not a valid domain and cannot be
> routed on the net. homey has 2 options to send out mail: change its
> advertised name in the HELO response it gives to other SMTP servers, or
> send an IP in place of a FQDN.

You missed an option: relay it to their ISP's server. The network
address should be in the relay table and mail will happily flow. The
name matters not if you're in the relay table. This is also how some
SMTP AUTH implementations work. You log into the SMTP service, it adds
your *address, not name* to the "Allowed Relay Clients" table for a
defined period of time. Many SMTP servers won't even allow you to enter
relay clients by name - they only accept addresses.

For instance, tcp.smtp in qmail looks like this:

127.0.0.:allow,RELAYCLIENT=""
141.123.123.23:allow,RELAYCLIENT=""
141.123.123.24:allow,RELAYCLIENT=""
141.123.123.66:allow,RELAYCLIENT=""
192.168.1.:allow,RELAYCLIENT=""
192.168.2.:allow,RELAYCLIENT=""
192.168.3.:allow,RELAYCLIENT=""

Entering names is not even valid. If your address matches an entry in
this table, you are sending mail regardless of DNS. All that's left is
to pass local spam filtering policies, etc. if any exist.

> I hate to bring this up, but as a matter of semantics, there is no
> small r in RDNS; I had hoped that by correcting it in my posts that
> everyone else would catch on.

Look, we all know what *reverse* DNS is. That's why I conformed with the
rDNS precedent - rDNS is just easier to type. The lower case
distinguishes it from the proper acronym of DNS.

OK, enough with the semantics :-)

I do appreciate this debate, I truly hope the mods don't bit-bucket us
as I think this is a healthy and pertinent discussion. I'm certainly not
going to argue against your points of other AV/spam filtering. This is
all true. We need to keep in mind, however, that the outdatedness of the
RFCs is what brought us to this point in fighting spam. The RFCs were
written at a time when the 'net was friendly. They don't offer
suggestions for fixing SMTP which is ill-equipped to deal with the
current problem. This is why we are seeing the discussions of SPF or C/R
solutions. Arguably, these break the RFCs as well yet many shops depend
on them.

SMTP has issues today, and many of us are turning to new methods to deal
with it. I still maintain that if you expect to deliver mail to anyone
in the world today with confidence that it will be received you need to
make sure that your SMTP delivery to the outside world comes from a host
that has proper reverse DNS setup. It's not a matter of liking it or not.
If that means you must relay, then you must. It doesn't prevent you from
running your own SMTP server. You just need to add a hop.

OK, I can't promise I'm done with this thread obviously :-)

-- 
Derek Schaible <dschaible () cssiinc com>
CSSI, Inc.
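The tcp.smtp table quoted in the message is keyed purely by client address, which is the whole point of Derek's argument: the name a client announces in HELO never enters the decision. The following is an added example, not code from the thread or from qmail/ucspi-tcp itself. It parses a table in the shape shown above and answers "may this client relay, deliver locally, or connect at all?" for a given address. It models only the address-keyed rule form on the page (an exact IPv4 address or a trailing-dot prefix, then allow/deny and optional environment assignments such as RELAYCLIENT=""), and it assumes the most specific key wins, with the empty key as the default rule; the sample table and addresses are constructed.

```python
"""Evaluate a qmail tcp.smtp style relay table for a connecting client.

Added example, not code from the original message or from qmail/ucspi-tcp.
Only the address-keyed rule form quoted in the thread is modelled: an exact
IPv4 address or a trailing-dot prefix such as "192.168.1.", a colon, then
"allow" or "deny" and optional environment assignments like RELAYCLIENT="".
Assumption: the most specific key wins (exact address before shorter dotted
prefixes), and the empty key "" is the default rule for everyone else.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample table in the shape shown in the message; the addresses
# are illustrative, not real hosts.
SAMPLE_TCP_SMTP = """\
# loopback and the office subnets may relay anywhere
127.0.0.:allow,RELAYCLIENT=""
141.123.123.23:allow,RELAYCLIENT=""
141.123.123.24:allow,RELAYCLIENT=""
141.123.123.66:allow,RELAYCLIENT=""
192.168.1.:allow,RELAYCLIENT=""
192.168.2.:allow,RELAYCLIENT=""
192.168.3.:allow,RELAYCLIENT=""
# one host inside a relaying subnet is shut out entirely (exact key beats prefix)
192.168.2.9:deny
# everyone else may connect but only deliver to our own domains
:allow
"""

# NAME="value" pairs; quoting keeps commas inside a value from splitting it.
_ENV_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"')


@dataclass
class Rule:
    key: str                      # "" (default), "a.b.c." prefix or exact "a.b.c.d"
    action: str                   # "allow" or "deny"
    env: dict[str, str] = field(default_factory=dict)


def parse_tcp_smtp(text: str) -> dict[str, Rule]:
    """Parse the table into a key -> Rule map; a later duplicate key overrides."""
    rules: dict[str, Rule] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"line {lineno}: missing ':' in {line!r}")
        action, _, envpart = rest.partition(",")
        if action not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        if key and not key.endswith("."):
            ipaddress.IPv4Address(key)     # exact keys must be real addresses
        env = {name: value for name, value in _ENV_RE.findall(envpart)}
        rules[key] = Rule(key, action, env)
    return rules


def candidate_keys(client_ip: str) -> list[str]:
    """Keys to try, most specific first: exact, 3-, 2-, 1-octet prefix, default."""
    ipaddress.IPv4Address(client_ip)       # reject anything that is not an IPv4 literal
    octets = client_ip.split(".")
    return [client_ip] + [".".join(octets[:n]) + "." for n in (3, 2, 1)] + [""]


def lookup(rules: dict[str, Rule], client_ip: str) -> Rule | None:
    """Return the first matching rule in most-specific-first order, or None."""
    for key in candidate_keys(client_ip):
        if key in rules:
            return rules[key]
    return None


def relay_decision(rules: dict[str, Rule], client_ip: str, helo_name: str = "") -> str:
    """Return "rejected", "local-only" or "relay" for this client.

    helo_name is accepted only to make the thread's point explicit: the table
    is keyed by address, so whatever name the client announces is ignored.
    """
    del helo_name
    rule = lookup(rules, client_ip)
    if rule is None or rule.action == "deny":
        return "rejected"
    return "relay" if "RELAYCLIENT" in rule.env else "local-only"


if __name__ == "__main__":
    table = parse_tcp_smtp(SAMPLE_TCP_SMTP)
    for ip, helo in [("192.168.1.77", "homey.bunk.local"),
                     ("192.168.2.9", "homey.bunk.local"),
                     ("203.0.113.10", "mail.example.com")]:
        print(f"{ip:>14} HELO {helo:<18} -> {relay_decision(table, ip, helo)}")
```

Running it shows a host on 192.168.1.0/24 relaying with a .local HELO name, the single denied address being refused even though its subnet is permitted, and an outside address being allowed to connect but only to deliver to local domains. The design point to take from it is the one Derek makes: a relay decision that is made on the source address is unaffected by what the client calls itself, so the cure for an unroutable local name is to be in the relay table (or to authenticate into it), not to fake the HELO.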
