On Fri, February 13, 2015 11:04 am, Les Mikesell wrote:

> On Fri, Feb 13, 2015 at 9:57 AM, Ken Smith <kens at kensnet.org> wrote:
>> Hi All,
>>
>> I'm just wanting to check that my understanding of the settings is
>> correct, as my web searches are finding a lot of dated information.
>>
>> If I want a CentOS 6 sendmail system to act as the secondary MX for domain
>> bbbbb.co.uk, do I just add a
>>
>> Connect:bbbbb.co.uk RELAY
>>
>> statement into /etc/mail/access and restart sendmail?
>>
>> Obviously the DNS MX records for the domain are already
>> established.
>>
>> I've been getting "config error: mail loops back to me" errors.
>>
>> I think I may be stumbling into a variant of the cname problem where the
>> hostname, as far as the sendmail machine is concerned, is aaaaa.com but
>> the DNS setting for the secondary MX is smtp1.bbbbb.co.uk.
>>
>> They both resolve to the same IP, but when sendmail looks up the MX
>> records for bbbbb.co.uk it will find smtp.bbbbb.co.uk and
>> smtp1.bbbbb.co.uk listed, and it may relay the mail off to
>> smtp1.bbbbb.co.uk without recognising that aaaaa.com = smtp1.bbbbb.co.uk.
>> Am I on the right track here, as I then just need to change the
>> secondary MX setting in DNS to aaaaa.com?
>
> I'd recommend not having a secondary MX at all unless it is equipped
> to reject invalid users and spam in all the same ways as your primary.

Agree, but...

> Otherwise it accepts junk that your primary rejects

Not exactly. If greylisting is set on the primary, but not on the backup
MX, still what is killed by greylisting on the primary MX will almost never
come through the backup MX. This is due to the same reason why greylisting
is efficient: it throws off all that doesn't behave as a mail server (thus
never comes back for re-delivery, and definitely doesn't try the backup MX,
which real servers always do even before attempting re-delivery). Still, it
is good to have the same greylisting on the backup MX. And all other blows
and whistles.

> and then you are
> obligated to send a bounce message which is always a bad thing - you
> want the authoritative receiver to reject at the smtp level instead of
> accepting at all.

I agree, it is wrongful behavior to accept something which later you
discover you cannot deliver. I would call it a bad MX setup, as you are
making yourself a potential source of backscatter (which, though, is not as
much exploited yet as open relays, but still is a bad setup). If you set up
a backup MX based on postfix, there is relay_recipients you have to specify,
which lists all e-mail addresses that are legitimate on the primary MX.
Nothing else is accepted by default, thus the secondary MX does not become
a source of backscatter.

<rant>
I've seen, at least at some point, that google mail accepts everything.
Then (after they parsed and filed information in that message, I would
speculate) they send a non-delivery notification. That was a real incident
after which I have a policy on my servers: I do not forward e-mail of users
who left the department to their google mail, as I don't want _my_ server to
become a source of backscatter as a result of the crap they do.
</rant>

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On Fri, Feb 13, 2015 at 11:39 AM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
>> Otherwise it accepts junk that your primary rejects
>
> Not exactly. If greylisting is set on the primary, but not on the backup
> MX, still what is killed by greylisting on the primary MX will almost never
> come through the backup MX. This is due to the same reason why greylisting
> is efficient: it throws off all that doesn't behave as a mail server (thus
> never comes back for re-delivery, and definitely doesn't try the backup MX,
> which real servers always do even before attempting re-delivery).

I'm not convinced. Spam is big business and trying a 2nd MX is cheap.

> Still, it is good
> to have the same greylisting on the backup MX. And all other blows and
> whistles.

Greylisting would be kind of hard to do right. You'd have to keep the
known-good senders in sync across the receivers. But my bigger worry
would be a dictionary-type attack on user names as recipients if you
don't have access to the real user list on the secondary. Aside from
the blowback of the bounces, if you've ever accepted an address it is
likely to get on lists of known-good spam and cause extra traffic
forever after.

-- 
Les Mikesell
lesmikesell at gmail.com
Les Mikesell wrote:

> On Fri, Feb 13, 2015 at 11:39 AM, Valeri Galtsev
> <galtsev at kicp.uchicago.edu> wrote:
>>> Otherwise it accepts junk that your primary rejects
>> Not exactly. If greylisting is set on the primary, but not on the backup
>> MX, still what is killed by greylisting on the primary MX will almost never
>> come through the backup MX. This is due to the same reason why greylisting
>> is efficient: it throws off all that doesn't behave as a mail server (thus
>> never comes back for re-delivery, and definitely doesn't try the backup MX,
>> which real servers always do even before attempting re-delivery).
> I'm not convinced. Spam is big business and trying a 2nd MX is cheap.
>
>> Still, it is good
>> to have the same greylisting on the backup MX. And all other blows and
>> whistles.
> Greylisting would be kind of hard to do right. You'd have to keep the
> known-good senders in sync across the receivers. But my bigger worry
> would be a dictionary-type attack on user names as recipients if you
> don't have access to the real user list on the secondary. Aside from
> the blowback of the bounces, if you've ever accepted an address it is
> likely to get on lists of known-good spam and cause extra traffic
> forever after.
>

In this case the secondary MX has the same RBLs etc. as the primary. I do
see the spammers sending their junk to the secondary more than the primary
MX. Agreed, the secondary does not know the difference between valid and
invalid addresses.

Thoughts on my configuration? I might just change the DNS name in the
secondary MX anyway.

Ken
On Fri, February 13, 2015 11:52 am, Les Mikesell wrote:

> On Fri, Feb 13, 2015 at 11:39 AM, Valeri Galtsev
> <galtsev at kicp.uchicago.edu> wrote:
>>
>>> Otherwise it accepts junk that your primary rejects
>>
>> Not exactly. If greylisting is set on the primary, but not on the backup
>> MX, still what is killed by greylisting on the primary MX will almost never
>> come through the backup MX. This is due to the same reason why greylisting
>> is efficient: it throws off all that doesn't behave as a mail server (thus
>> never comes back for re-delivery, and definitely doesn't try the backup MX,
>> which real servers always do even before attempting re-delivery).
>
> I'm not convinced. Spam is big business and trying a 2nd MX is cheap.

I stated pure observation on at least two pairs of primary - backup MX I
maintain. Still, I made the backup MXes with greylisting as well (they are
separately hit by the same bad spammer scripts, at a rate about 10 times
smaller than the primary MXes are, and absolutely independently).

>
>> Still, it is good
>> to have the same greylisting on the backup MX. And all other blows and
>> whistles.
>
> Greylisting would be kind of hard to do right. You'd have to keep the
> known-good senders in sync across the receivers. But my bigger worry
> would be a dictionary-type attack on user names as recipients if you
> don't have access to the real user list on the secondary.

With a standard backup MX based on postfix (with rather trivial
configuration) you always do have the list of legitimate recipients of the
primary MX on the secondary MX. Sorry if my previous e-mail was not
explicit enough about it. It's work, however, to maintain that table on the
backup MX (so your backup MX does accept mail for users newly added to the
primary MX). But having a backup MX receiving everything is a wrong
configuration prone to backscatter - at least I see we agree on that. So,
just don't roll out a badly configured backup MX, I would say.

Valeri

> Aside from
> the blowback of the bounces, if you've ever accepted an address it is
> likely to get on lists of known-good spam and cause extra traffic
> forever after.
>
> --
> Les Mikesell
> lesmikesell at gmail.com
>

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
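The backup-MX setup Valeri describes (accept only recipients that exist on the primary, so the secondary never has to bounce) is the distinction between the two Postfix main.cf fragments below. This is an added illustration, not configuration posted by anyone in the thread; the domain example.org, the primary host mail.example.org and the map file paths are assumed placeholders, and the parameter names (relay_domains, relay_recipient_maps, transport_maps, smtpd_recipient_restrictions) are the standard Postfix ones that the thread's "relay_recipients" refers to.

```ini
# Added example (not from the CentOS list thread). Hypothetical domain and paths.

# ---- Weak setup: backup MX accepts every local part for the domain ----------
# With relay_recipient_maps left empty, Postfix accepts any recipient under
# example.org, queues it, and only learns at delivery time that the primary
# rejects the address. The result is a bounce from this host: the backscatter
# case discussed in the thread.
relay_domains = example.org
relay_recipient_maps =

# ---- Hardened setup: only recipients known to the primary are accepted ------
relay_domains = example.org
# /etc/postfix/relay_recipients lists every legitimate address, one per line:
#     alice@example.org   OK
#     bob@example.org     OK
# then build the lookup table with:  postmap /etc/postfix/relay_recipients
relay_recipient_maps = hash:/etc/postfix/relay_recipients
# Unknown recipients in relay_domains are now rejected at SMTP time (Postfix
# enables reject_unlisted_recipient by default once the map is defined).
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_unlisted_recipient
# Hand queued mail for the domain straight to the primary instead of following
# MX records (which would include this host). /etc/postfix/transport contains:
#     example.org   smtp:[mail.example.org]
# followed by:  postmap /etc/postfix/transport
transport_maps = hash:/etc/postfix/transport
```

The operational cost is the one Valeri names: the relay_recipients table has to be regenerated whenever a user is added to or removed from the primary, otherwise the backup MX rejects mail for new users or starts bouncing mail for deleted ones.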
On Fri, 2015-02-13 at 11:39 -0600, Valeri Galtsev wrote:

> I've seen at least at some point that google mail accepts everything.

That is because Google is primarily a USA government sponsored intelligence
gathering operation. It wants as much information as possible. Google's
commercial activities were never originally planned. They are an
unexpected, and very lucrative, bonus.

-- 
Regards,
Paul.
England, EU. Je suis Charlie.