[conspire] (forw) [sorbs.net #212641] [Webform] SORBS registration systems sends RFC-ignorant mail

Ruben Safir ruben at mrbrklyn.com
Tue Oct 28 11:39:36 PDT 2008 

On Tue, 2008-10-28 at 10:47 -0700, Rick Moen wrote:
> Quoting Ruben Safir (ruben at mrbrklyn.com):
> 
> > I don't really need the RFC quote, but I just want to understand.  This
> > check for the deliverable mailing address can take place during the SMTP
> > handshake?  Or does a separate inquiry to the sending server need to
> > take place?
> 
> It's a separate SMTP connection (back) to an MX of the claimed sending
> domain.
> 
> So, if the incoming connection is claimed to be from
> ruben at mrbrooklyn.com, my MTA will first try to look up the relevant MX
> record (if any):
> 
> :r! dig -t mx mrbrooklyn.com +short
> [returns null]
> 
> SMTP's fallback, absent an explicit MX record, is to use the "A" record:
> 
> :r! dig mrbrooklyn.com +short
> 216.21.239.197
> 
> So, my SMTP host will then open a socket on that IP's port 25, do HELO, 
> and initiate a (partial) e-mail to "ruben at mrbrooklyn.com".  If that is 
> indicated as an acceptable addresssee ("250 Recipient OK" or something
> like that), then my MTA cancels the test message, caches the successful
> result, and permits your MTA's pending delivery on the connection the
> other way.
> 
> Note that my MTA's connection is not necessarily to "the sending
> server", just to one of the MXes (mail exchangers) for the claimed
> sending domain.
> 
> > Doesn't that require that the two machines, client and server, be
> > directly connected?  Because most mail I receive seems to be going
> > through levels of relays.  
> 
> Again, the callout (callback) check's network socket is not necessarily
> to the "server" as in the machine that is currently seeking to drop off
> mail:  It is to one of the authorised MXes of the claimed sending
> domain.  That MX should (must) know what's a valid address within its
> mail domain and what is not.
> 
> 

Thanks.  I completely understand now.  A user though still must have a
record on an authorized MX server.  So if one just sticks a GNU Server
on a verizon cunsmer grade FIOS  network and sends mail out without
having a record or account on the verizon network, they're
shot...nothing is getting through.  If they fix their  'From' line to an
official verizon email account, or have an mx record set up somewhere in
the world for their supposed sending domain, they are good to go.

Ruben
> _______________________________________________
> conspire mailing list
> conspire at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/conspire

More information about the conspire mailing list