SUMMARY: Forcing incoming mails to go through MX site

From: Martin Mokrejs <mmokrejs_at_mail.natur.cuni.cz>
Date: Sun, 22 Mar 1998 16:46:30 +0100 (MET)

Hello,
 I'd like to summarize all the mails I got. The problem is solved right now.
It seems that we knew the solution, but did not believe that it works. ;-)
We wanted to protect all our servers, including all the Linuxes etc. we don't
know about (and for which we do not have admin rights), against relay and
spam, just by forcing all incoming mail sent to anyhost.domain to go
first to the MX server (to be checked) and possibly be passed on to the recipient host.

Thanks to all who replied, especially Claus Assmann.

----
Barry Margolin <barmar_at_bbnplanet.com>
 The normal way to deliver mail is to check for an MX record first. If
there are any MX records, the mail will be delivered to one of the mail
exchangers instead of the host itself.  If it times out trying to send to
the first MX record it will then try the second MX record, and so on; it
will never go to the host itself (unless one of the MX records points to
the host).
----
Mail sent to user_at_host.domain.com will NOT match an entry like:
domain.com.		IN	MX	10 mxsite.domain.com.
You have to create:
host.domain.com.	IN	MX	10 mxsite.domain.com.
----
Claus Assmann <ca_at_informatik.uni-kiel.de> also suggested blocking all
incoming SMTP connections on the router to hosts OTHER than mxsite and
its backups (which you can protect against spam and relay). This will
block clients which do not fully follow the RFCs (974?). Such clients could
theoretically ignore the MX records for the destination and connect directly to
the host instead of its MX. Under these settings, the servers can still talk
fine with each other on the local net.
----
Another configuration could be to protect server1 against direct SMTP
connections from the world (as above), but give attackers a chance to
connect to it directly if you don't have backups for mxsite.domain.com.
server1.domain.com.	MX	10	server1.domain.com.
server1.domain.com.	MX	1	mxsite.domain.com.
----
On an MX server running sendmail-8.8 be sure to have in sendmail.cf:
# if we are the best MX host for a site, try it directly instead of config err
O TryNullMXList=True
Thanks also to Ken Lam <klam_at_awod.com>.
Martin
-------------------------------------------------------------------------
| Martin MOKREJS - Net&SysAdmin                                         |
| PGP 5.0i key at: finger://mail.natur.cuni.cz/mmokrejs                 |
| mmokrejs_at_natur.cuni.cz   Faculty of Science, The Charles University   |
| tel.: +420-2-2195 2315   Albertov 6, PRAGUE 2, 128 43, Czech Republic |
-------------------------------------------------------------------------
Received on Sun Mar 22 1998 - 16:46:41 NZST
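The following is an added example and is not part of Martin Mokrejs' post or of any of the replies he quotes. It simulates, offline, the RFC 974 delivery order that Barry Margolin describes (MX records in preference order, fall back to the host's A record only when there is no MX), the "we are the best MX ourselves" case that sendmail's TryNullMXList handles, and an audit of a zone for hosts whose mail would still go direct and so bypass the MX site. The zone fragment, the host names (host, server1, linuxbox, backup) and the addresses are constructed for illustration; the only names taken from the post are domain.com, mxsite and server1. The record syntax assumed is one BIND-style record per line with fully-qualified names and no TTL field.

```python
"""
Added example, not code from the original post: RFC 974 MX selection over
a constructed zone, plus an audit for hosts that would bypass the MX site.
"""
from collections import defaultdict

# Constructed zone fragment (assumption: fully-qualified names with trailing
# dots, one record per line, no TTL column, ';' starts a comment).
ZONE = """
domain.com.          IN  MX  10  mxsite.domain.com.
mxsite.domain.com.   IN  A   192.0.2.10
backup.domain.com.   IN  A   192.0.2.11
host.domain.com.     IN  A   192.0.2.20   ; no per-host MX: mail goes direct
server1.domain.com.  IN  A   192.0.2.21
server1.domain.com.  IN  MX  1   mxsite.domain.com.
server1.domain.com.  IN  MX  10  server1.domain.com.
linuxbox.domain.com. IN  A   192.0.2.22
linuxbox.domain.com. IN  MX  10  mxsite.domain.com.
linuxbox.domain.com. IN  MX  20  backup.domain.com.
"""

# The hosts the router filter would still allow SMTP to reach (assumption).
MX_HOSTS = {"mxsite.domain.com.", "backup.domain.com."}


def parse_zone(text):
    """Return {'A': {name: [addr, ...]}, 'MX': {name: [(pref, exchange), ...]}}."""
    records = {"A": defaultdict(list), "MX": defaultdict(list)}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        name, rtype = fields[0].lower(), fields[2].upper()
        if rtype == "A":
            records["A"][name].append(fields[3])
        elif rtype == "MX":
            records["MX"][name].append((int(fields[3]), fields[4].lower()))
    return records


def mail_targets(zone, dest, sender=None, try_null_mx_list=True):
    """
    Hosts an RFC 974 mailer on 'sender' would try, in order, for mail to
    <user>@dest.
    - With MX records: sorted by preference. If the sender itself is in the
      list, it and every entry of equal or higher preference are dropped.
      If nothing is left, the sender is the best MX for dest; sendmail's
      TryNullMXList=True then delivers straight to dest's A record instead
      of reporting a configuration error.
    - Without MX records: fall back to dest's own A record (this is exactly
      how mail to host.domain.com slips past a domain-level MX).
    """
    dest = dest.lower().rstrip(".") + "."
    mxs = sorted(zone["MX"].get(dest, []))
    if not mxs:
        return [dest] if dest in zone["A"] else []
    if sender:
        sender = sender.lower().rstrip(".") + "."
        own = [p for p, ex in mxs if ex == sender]
        if own:
            mxs = [(p, ex) for p, ex in mxs if p < min(own)]
            if not mxs:
                return [dest] if (try_null_mx_list and dest in zone["A"]) else []
    return [ex for _, ex in mxs]


def bypass_hosts(zone, mx_hosts=MX_HOSTS):
    """
    Hosts whose first-choice SMTP target is not one of the protected MX
    hosts: mail to them skips the MX site's spam/relay checks, or, once the
    router filter is in place, simply cannot be delivered from outside.
    """
    flagged = []
    for host in zone["A"]:
        if host in mx_hosts:
            continue
        targets = mail_targets(zone, host)
        if not targets or targets[0] not in mx_hosts:
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    z = parse_zone(ZONE)
    for h in ("domain.com", "host.domain.com", "server1.domain.com", "linuxbox.domain.com"):
        print(f"{h:22} -> {mail_targets(z, h)}")
    print("mxsite delivering to server1 ->",
          mail_targets(z, "server1.domain.com", sender="mxsite.domain.com"))
    print("hosts bypassing the MX site  ->", bypass_hosts(z))
```

Run against a real zone file (after stripping TTLs and relative names), bypass_hosts lists every A record that still needs its own `host.domain.com. IN MX 10 mxsite.domain.com.` line before the router filter is switched on.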