OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: reject_unknown_sender_domain flawed?
From: Wietse Venema (wietseporcupine.org)
Date: Sun Aug 13 2000 - 08:50:34 CDT

Rask Ingemann Lambertsen:
[Charset iso-8859-1 unsupported, filtering to ASCII...]
> Den 03-Jul-00 00:34:05 skrev Wietse Venema f_lgende om "Re: reject_unknown_sender_domain flawed?":
> >Rask Ingemann Lambertsen:
> >> Den 02-Jul-00 21:17:47 skrev Wietse Venema f_lgende om "Re:
> >> reject_unknown_sender_domain flawed?":
> >> >Rask Ingemann Lambertsen:
> >>
> >> [cut patch]
> >> >This seems wrong to me. If a DNS server is busted so that sender
> >> >MX lookup fails but sender A lookup succeeds, then Postfix should
> >> >not reject the mail as if the sender domain is unknown.
> >>
> >> >There is a reason why Postfix DNS lookups for receiving mail are
> >> >different from Postfix DNS lookups used for delivering mail. The
> >> >reason is that Postfix receives mail instead of delivering it.
> >>
> >> The whole purpose of having the reject_unknown_(sender|recipient)_domain
> >> checks is to only accept domains to which we can deliver mail, isn't it?
>
> >No. The purpose is to reject mail from domains THAT DO NOT EXIST.
>
> You're nitpicking.

If you really want 100% sender address validation, Postfix would
have to send mail to the address and somehow find out that the mail
actually arrived. 100% sender validation is not possible.

If a sender's DNS server is busted but there is clear evidence the
sender domain exists, I see no reason to REFUSE the mail just
because of some temporary sender-side configuration problem.

The purpose of the sender domain check is to reject obvious junk,
not to make recipients lose mail.

All the more reason to rip the UCE crap out of the smtpd and to
make the hooks available to an external scripted process so that
crusaders can do their thing without having to patch C code.

        Wietse