OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: Incessant Bounces
From: Brad Knowles (blkskynet.be)
Date: Tue Aug 22 2000 - 13:01:01 CDT

At 10:34 AM -0700 2000/8/22, Ronald F. Guilmette wrote:

> Before I go on, first let me say that I do feel very strongly that it is
> very much the Right Thing To Do to reject mail (for some value of `reject')
> if the domain name specified in the MAIL FROM is not one which ``exists''
> in the sense of being a valid e-mail destination itself.

        Sigh....

        We've hashed this issue out in very great detail in the past,
both on this list and elsewhere. Please see the archives for details
before you resurrect this long-since fossilized predecessor to modern
equines.

        In summary, I've had very in-depth discussions with both Eric
Allman and Wietse, and we've all come to the same conclusions --
there are just too many bizarre ways for resolver libraries and
nameservers to fail in spectacularly untraceable and unreproduceable
ways, sometimes authortiatively answering NXDOMAIN when they
shouldn't, sometimes failing when they theoretically can't, etc....

        The one and *ONLY* safe way you can handle this situation is to
return a temporary failure in all cases where you cannot positively
confirm that the domain does actually exist.

        Now, that said, postfix *does* give you the option of returning a
permanent 5xx series error code in cases where it gets an NXDOMAIN
from the resolver libraries. If you really, really want that badly
to blow your foot off with that anti-matter bomb, then postfix does
give you the necessary tools to do that.

        But please, *please*, *PLEASE* do not ask that this sort of
abomination be turned on by default in any commonly used MTA.

        I've been in situations where I saw hundreds of thousands of
e-mail messages bounce in the space of a relatively few minutes,
because the nameservers on our side were screwed up, and there was
simply no good justification for what happened as a result.

        I would not wish the Nuclear Winter fallout of events like that
on my worst enemy (I don't need to mention any names, do I? ;-). 

--
   These are my opinions -- not to be taken as official Skynet policy
======================================================================
Brad Knowles, <blkskynet.be>                || Belgacom Skynet SA/NV
Systems Architect, Mail/News/FTP/Proxy Admin || Rue Colonel Bourg, 124
Phone/Fax: +32-2-706.13.11/12.49             || B-1140 Brussels
http://www.skynet.be                         || Belgium

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
     -Benjamin Franklin, Historical Review of Pennsylvania.