MX pointed at an unstable IP (ADSL, dial-up)
Dan Lukes
dan at obluda.cz
Wed Oct 15 13:29:33 CEST 2003
Peter Mann wrote:
>> I reject the message also in the case that the domain cannot be resolved
>> permanently (does not exist) or if the name of the primary MX cannot be
>> (permanently) resolved to an IP. Temporary errors are, understandably,
>> a reason for a temporary rejection.
>>
>> It's about ten lines ...
>
> send them ;-)
I'm afraid it will get line-wrapped, and the required tabs may also turn
into spaces; nevertheless, anyone who wants to dig into such things is
surely capable enough to cope with such minor injustices of life.
The lines presented use "mxserved", which is defined by a FEATURE. If your
configuration does not have that FEATURE, you also have to add its
definition to LOCAL_CONFIG.
And one more small thing: I also test whether the client that hands the
mail to me directly has its forward and reverse DNS records in order.
I left it in here; whoever doesn't want it will surely have no problem
deleting those few lines. The rest of the code does not depend on them.
#++++++++++++++++++++++++++
LOCAL_CONFIG
KAresolve dns -RA -T<TEMP>
LOCAL_RULESETS
# (ruleset name assumed: the post omits it; Local_check_mail is the hook
#  that receives the envelope sender, which is what these rules expect)
SLocal_check_mail
R$*			$: < $&{deliveryMode} > $1
R< d > $*		$@ deferred
R< $* > $*		$: $2
# check client name: first: did it resolve?
R$*			$: < $&{client_resolve} > <$1>
R<TEMP> $*		$#TEMP $@ 4.7.1 $: "450 We do not accept mails from you now. Cannot resolve PTR record for " $&{client_addr}
R<FORGED> $*		$#error $@ 5.7.1 $: "550 We reject mails from you. IP name possibly forged " $&{client_name}
R<FAIL> $*		$#error $@ 5.7.1 $: "550 We reject mails from you. IP name lookup failed for " $&{client_name}
R<$*> $*		$: $2
R<>			$@ <OK>				we MUST accept <> (RFC 1123)
R$+			$: $>3 $1			canonicalize sender
R$* < @ $+ >		$: < : $(mxserved $2 $) : > < $1 < @$2 > >	got MXs for sender's domain
R< : $* <TEMP> : > $*	$#TEMP $@ 4.7.1 $: "450 Can not check MX records for sender host " $1
R< : $+ : $* > < $+ >	$: < : $1 : > < $3 >		extract first MX server
R< : $+ : > < $+ >	$: < : $(Aresolve $1 $: <PERM> $) : > < $1 > < $2 >	obtain MX's IP address
R< : <TEMP> : > < $+ > $*	$#TEMP $@ 4.7.1 $: "450 Can not check IP for sender's best MX (" $1 ")"
R< : <PERM> : > < $+ > $*	$#error $@ 5.5.4 $: "553 Sender's best MX (" $1 ") has no IP"
R< : $+ : > < $+ > < $+ >	$: $>A <$1> <OK> <+ MXFrom> <$1> <$2> <$3>	check against access database
R<$={Accept}> < $* >	$@ <OK>
R<REJECT> < $+ > < $* >	$#error $@ 5.5.4 $: "553 We do not accept the mail because the FROM's best MX IP (" $1 ") is forbidden by system policy"
R<DISCARD> < $+ > < $* >	$#discard $: "discarded: FROM's best MX IP (" $1 ") is forbidden by system policy"
R<ERROR:$-.$-.$-:$+> <$*>	$#error $@ $1.$2.$3 $: $4
R<ERROR:$+> <$*>	$#error $: $1
R< $+ > < $+ > < $+ > < $+ >	$: $4
#+++++++++++++++++++++++++++++++++++++++++++++++
I'm not saying it is free of errors.
The following lines, added to the access map, belong to the rules above:
MXFrom:0 REJECT
MXFrom:10 REJECT
MXFrom:127 REJECT
MXFrom:169.254 REJECT
MXFrom:172.16 REJECT
MXFrom:172.17 REJECT
MXFrom:172.18 REJECT
MXFrom:172.19 REJECT
MXFrom:172.20 REJECT
MXFrom:172.21 REJECT
MXFrom:172.22 REJECT
MXFrom:172.23 REJECT
MXFrom:172.24 REJECT
MXFrom:172.25 REJECT
MXFrom:172.26 REJECT
MXFrom:172.27 REJECT
MXFrom:172.28 REJECT
MXFrom:172.29 REJECT
MXFrom:172.30 REJECT
MXFrom:172.31 REJECT
MXFrom:192.168 REJECT
MXFrom:192.0.2 REJECT
MXFrom:198.18 REJECT
MXFrom:198.19 REJECT
MXFrom:224 REJECT
MXFrom:225 REJECT
MXFrom:226 REJECT
MXFrom:227 REJECT
MXFrom:228 REJECT
MXFrom:229 REJECT
MXFrom:230 REJECT
MXFrom:231 REJECT
MXFrom:232 REJECT
MXFrom:233 REJECT
MXFrom:234 REJECT
MXFrom:235 REJECT
MXFrom:236 REJECT
MXFrom:237 REJECT
MXFrom:238 REJECT
MXFrom:239 REJECT
MXFrom:240 REJECT
MXFrom:241 REJECT
MXFrom:242 REJECT
MXFrom:243 REJECT
MXFrom:244 REJECT
MXFrom:245 REJECT
MXFrom:246 REJECT
MXFrom:247 REJECT
MXFrom:248 REJECT
MXFrom:249 REJECT
MXFrom:250 REJECT
MXFrom:251 REJECT
MXFrom:252 REJECT
MXFrom:253 REJECT
MXFrom:254 REJECT
MXFrom:255 REJECT
# Verisign anti wildcard *.com *.net hack
MXFrom:64.94.110.11 REJECT
Over two months of operation on two networks, the rules above reduced the
amount of accepted incoming mail by 40% (on the order of 2000 messages per
day), while the downside was six complaints about rejected non-spam (in all
six cases it was a DNS error, and the problem was solved by fixing it on
the sender's side). Six complaints compared with 120,000 saved messages
seems to me an acceptable ratio.
Another pleasant side effect is a considerably emptier outgoing queue,
previously clogged with bounce messages originating from SPAM with
unresolvable or otherwise unusable sender addresses.
I note that no assumed functionality of the configuration above (including
the ones I explicitly wrote are there) is guaranteed, and everyone uses it
(if at all) at their own risk.
Dan
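The decision logic of the ruleset and the MXFrom: access entries in the post above, re-expressed as an added Python model. This is example code written for this page, not Dan's sendmail rules and not part of the original message. It replaces the mxserved/Aresolve DNS maps with a constructed in-memory table of hypothetical domains (good.example, private.example and so on, all made up here) so it runs offline; it models the map's behaviour of returning the domain name itself when no MX is found, so the domain's own address is then tried; and it matches the MXFrom: keys the way sendmail's access map matches addresses, by dropping trailing octets until a key matches. The prefixes are the ones listed in the post, generated from ranges rather than written out one per line.

```python
"""Offline model of the sender-MX policy from the sendmail rules above.

Constructed example: every domain, host and address table here is
hypothetical; nothing is resolved on the network.
"""
from dataclasses import dataclass
from typing import List, Optional


class TempFail(Exception):
    """Temporary DNS error, i.e. what the maps report through -T<TEMP>."""


# Constructed MX data: domain -> list of (preference, host).
# None models a temporary failure; a missing key models NXDOMAIN / no MX RR.
MX_TABLE = {
    "good.example": [(20, "mx2.good.example"), (10, "mx1.good.example")],
    "private.example": [(10, "mx.private.example")],
    "noip.example": [(10, "mx.noip.example")],
    "flakymx.example": None,
    "flakyip.example": [(10, "mx.flakyip.example")],
    "wildcard.example": [(10, "mx.wildcard.example")],
}

# Constructed A data: host -> address. None models a temporary failure;
# a missing key models a permanent "no such address".
A_TABLE = {
    "mx1.good.example": "198.51.100.25",
    "mx2.good.example": "198.51.100.26",
    "mx.private.example": "192.168.1.5",
    "mx.flakyip.example": None,
    "mx.wildcard.example": "64.94.110.11",  # the wildcard address from the post
    "plain.example": "203.0.113.7",         # domain with an A record but no MX
}

# The MXFrom: access entries from the post, built from ranges.
ACCESS_PREFIXES = (
    ["0", "10", "127", "169.254", "192.168", "192.0.2", "198.18", "198.19"]
    + [f"172.{n}" for n in range(16, 32)]
    + [str(n) for n in range(224, 256)]
    + ["64.94.110.11"]
)
ACCESS = {f"MXFrom:{p}": "REJECT" for p in ACCESS_PREFIXES}


@dataclass(frozen=True)
class Verdict:
    action: str      # "OK", "TEMPFAIL", "REJECT" or "DISCARD"
    code: str = ""   # SMTP reply code, empty when the mail is accepted
    text: str = ""


def lookup_mx(domain: str) -> List[str]:
    """Hosts in preference order, like the bestmx map with -z: splitting."""
    if domain not in MX_TABLE:
        # A failed lookup without a $: default returns the key itself, so
        # the domain name is then treated as its own MX.
        return [domain]
    rrs = MX_TABLE[domain]
    if rrs is None:
        raise TempFail(domain)
    return [host for _, host in sorted(rrs)]


def lookup_a(host: str) -> Optional[str]:
    """Address of host; None when it permanently has none (the <PERM> case)."""
    if host not in A_TABLE:
        return None
    addr = A_TABLE[host]
    if addr is None:
        raise TempFail(host)
    return addr


def access_lookup(ip: str, tag: str = "MXFrom", default: str = "OK") -> str:
    """Match dotted-quad keys as the access map does: try the full address,
    then drop one trailing octet at a time until a key is found."""
    octets = ip.split(".")
    for n in range(len(octets), 0, -1):
        key = f"{tag}:{'.'.join(octets[:n])}"
        if key in ACCESS:
            return ACCESS[key]
    return default


def check_sender(sender: str) -> Verdict:
    """Apply the post's policy to one envelope sender address."""
    addr = sender.strip().strip("<>")
    if addr == "":
        return Verdict("OK")          # RFC 1123: <> must always be accepted
    _, _, domain = addr.rpartition("@")
    if not domain:
        return Verdict("OK")          # no domain part: none of the MX rules match
    domain = domain.rstrip(".").lower()
    try:
        best_mx = lookup_mx(domain)[0]
    except TempFail:
        return Verdict("TEMPFAIL", "450", f"Can not check MX records for sender host {domain}")
    try:
        ip = lookup_a(best_mx)
    except TempFail:
        return Verdict("TEMPFAIL", "450", f"Can not check IP for sender's best MX ({best_mx})")
    if ip is None:
        return Verdict("REJECT", "553", f"Sender's best MX ({best_mx}) has no IP")
    policy = access_lookup(ip)
    if policy == "REJECT":
        return Verdict("REJECT", "553",
                       f"We do not accept the mail because the FROM's best MX IP ({ip}) is forbidden by system policy")
    if policy == "DISCARD":
        return Verdict("DISCARD", "", f"discarded: FROM's best MX IP ({ip}) is forbidden by system policy")
    return Verdict("OK")


if __name__ == "__main__":
    for s in ["<>", "a@good.example", "a@plain.example", "a@private.example", "a@flakymx.example",
              "a@flakyip.example", "a@noip.example", "a@nxdomain.example", "a@wildcard.example"]:
        print(f"{s:22} -> {check_sender(s)}")
```

The two temporary cases map to 450 and the two permanent ones to 553, mirroring the ruleset's $#TEMP and $#error branches; the nxdomain.example case shows why a nonexistent sender domain ends up as "best MX has no IP" rather than as a separate error, since the failed mxserved lookup hands the domain name on to the A lookup unchanged.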