<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<html>
<head>
<META NAME="generator" CONTENT="lgazmail v1.1G.e">
<TITLE>The Answer Guy 36: 
Secondary MX Records: How and Why
</TITLE>
</HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"
	LINK="#3366FF" VLINK="#A000A0">
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<H4>"The Linux Gazette...<I>making Linux just a little more fun!</I>"</H4>
<P> <hr> <P>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<center>
<H1><A NAME="answer">
	<img src="../../gx/dennis/qbubble.gif" alt="(?)" border="0" align="middle">
	<font color="#B03060">The Answer Guy</font>
	<img src="../../gx/dennis/bbubble.gif" alt="(!)" border="0" align="middle">
</A></H1> 
<BR>
<H4>By James T. Dennis,
	<a href="mailto:answerguy@ssc.com">answerguy@ssc.com</a><BR>
	Starshine Technical Services,
	<A HREF="http://www.starshine.org/">http://www.starshine.org/</A> 
</H4>
</center>

<p><hr><p>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<!-- begin 80 -->
<H3 align="left"><img src="../../gx/dennis/qbubble.gif" height="50" width="60"
	  alt="(?) " border="0">
Secondary MX Records: How and Why
</H3>


<p><strong>From Craig Capodilupo  on Thu, 24 Dec 1998  
</strong></p>
<!-- ::
Secondary MX Records: How and Why
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
:: -->
<P><STRONG><IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
	HEIGHT="28" WIDTH="50" BORDER="0"
	>
Some domains have multiple MX records. Sometimes the MX record of lower
preference, say 20, is an off-site domain.  Does this off-site server
have to be configured to hold mail until the primary exchanger is back
online?
</STRONG></P>
<P><STRONG>
I am going to use my UNIX server as a secondary mail exchanger but I am
not sure if it has to be configured.
</STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" alt="(!)"
	HEIGHT="28" WIDTH="50" BORDER="0"
	>
In the good old days there were no special tricks to
providing secondary MX for your friends.  They would just
add your mail server to their DNS records, listing you as a
"less preferred" mail exchanger (an MX record with a higher
value than any of yours).  Mail would be relayed
automatically.
</BLOCKQUOTE>
<BLOCKQUOTE>
This was in the days of "promiscuous mail relaying" --- it
was easier to just let anyone relay mail through anyone else.
However, just as venereal disease contributed to the demise
of the "free love" promiscuity of the '60s --- the blight
of spam has spelled the end of open e-mail relaying in our
decade.
</BLOCKQUOTE>
<BLOCKQUOTE>
The problem was that spammers would dump their e-mail on any
open relay --- one piece of mail that might be addressed to
thousands of hapless recipients (and with the return
addresses forged on top of that).
</BLOCKQUOTE>
<BLOCKQUOTE>
When you install '<tt>sendmail</tt>' version 8.9.x and later, the open
relay to which early versions defaulted is now closed.
You'll have to create a relay map (default location
<TT>/etc/mail/relay-domains</TT>) to enable relaying for your
sites.
</BLOCKQUOTE>
<BLOCKQUOTE>
There are some questions that relate to this in the
'<tt>sendmail</tt>' FAQ at:
</BLOCKQUOTE>
<BLOCKQUOTE> <BLOCKQUOTE> <CODE>
<A HREF="http://www.sendmail.org/faq/section3.html"
	>http://www.sendmail.org/faq/section3.html</A>#3.27
</CODE> </BLOCKQUOTE> </BLOCKQUOTE>
<BLOCKQUOTE>
... although you could disable this feature and allow
promiscuous relaying --- I'd not suggest this.
</BLOCKQUOTE>
<BLOCKQUOTE>
You'd eventually get hit by a spammer and then you'll
probably end up on Paul Vixie's "Real-time blackhole list"
(the RBL) or on "DorkSlayer's" ORBS (open relay blocking
system).  There are many sites these days that subscribe to
these free DNS lookup services in their "check_relay" macros
--- and deny any mail access whatsoever from any site listed
on either of these.
</BLOCKQUOTE>
<BLOCKQUOTE>
However, that should be all there is to it.  Normally your
mail would just get tossed into the queue at your MX
secondary's site where it will languish until your site is
back up (or less busy, or whatever).  In other words, whatever
connectivity problem the original sender's site had in
getting to your primary MX host will probably go away within
a few hours --- and your secondary MX will relay your mail
during its normal queue runs.  The original sender will get
delay notifications (4 hours, 4 days, etc.) according to the
settings in your secondary's configuration files.
</BLOCKQUOTE>
<BLOCKQUOTE>
Some people use these features in their firewall
configuration --- they place a higher MX host outside their
main network (on the exposed network segment) --- and all
outside mail has to hit it first (since they can never
connect to the preferred hosts inside due to the packet
filters).  The packet filters then allow that exposed host
(and only that exposed host) to transfer files into the
domain.  Thus the potential attacker can't attempt to
directly exploit bugs in the internal SMTP daemon
(especially if the "exposed" host is behind an anti-spoofing
screen, and has "source routing" disabled, which all Linux
systems default to).
</BLOCKQUOTE>
<BLOCKQUOTE>
A more elegant approach is to use "split DNS" --- so that
the external/exposed MX host appears (to the outside world)
to be the preferred mail destination while the real
preferred system (to your internal systems, and to your
exposed host itself) is sequestered on your internal network
using non-routable "private net" addresses.  The advantage
to this is that your potential attackers don't have any
information about your internal structure --- and they can't
route packets to your internal hosts at all (those don't
have "real" IP addresses).  Thus the outside attacker has to
resort to high wizardry to get packets to your hosts, before
any exploits can even be attempted.
</BLOCKQUOTE>
<BLOCKQUOTE>
(I should note that any attacks that can be carried through
the mail <EM>contents</EM> will still get delivered to you.  The
bugs this protects you from are those in the TCP connection
handling of the daemons --- not in the parsing of headers
and message contents).
</BLOCKQUOTE>
<BLOCKQUOTE>
I've heard of some sites that maintain separate queues for
their relay neighbors.  I don't know exactly how that works
--- but it's similar to the way that ISPs maintain queues
for their SMTP customers.  Basically they create a
rule (probably an entry in their mailertable) that calls
the relay mailer with an extra parameter.  Thus all the
queue items end up in special, separate directories.
Then the SMTP ETRN command can be used (by customers) to
force a queue delivery (something like:
'<tt>sendmail -q -O QueueDirectory=/var/spool/mqueue.customerX</tt>')
when the customer's connection comes up.
</BLOCKQUOTE>
<BLOCKQUOTE>
Then there are sites that deliver all mail to a given site
into a single mail spool (mbox) file.  Hopefully they are
adding the "<tt>X-envelope-To:</tt>" headers as they do this.  Then
their clients use '<tt>fetchmail</tt>' to grab these messages, split
them back out and dispatch them according to the delivery
policies at the disconnected site.
</BLOCKQUOTE>
<BLOCKQUOTE>
Personally I still prefer UUCP for handling mail to
disconnected sites.  However, it is getting increasingly
difficult for new users to find people who understand UUCP.
(Oddly, one study showed that the use of UUCP hasn't
decreased at all -- it's grown at a slow, steady couple of
percent all along.  However, compared to the explosive
growth of the Internet it has seemed, by comparison, to have
completely disappeared.  I think UUCP is still a <EM>very</EM> good
option for emerging countries and for anyone that isn't
maintaining dedicated connections to the Internet --- though
I'd say that a bit of work should be done on simple
configuration tools and examples.  It's easy enough to use
UUCP as a transport for DNS/Internet "domain" style
addresses.  So we don't need to ever return to the bad old
days of "bang paths".)
</BLOCKQUOTE>

<P><STRONG><IMG SRC="../../gx/dennis/qbub.gif" ALT="(?)"
	HEIGHT="28" WIDTH="50" BORDER="0"
	>
TIA,
<br>Craig
</STRONG></P>
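<P>
The behaviour the answer describes (a sender falling back to the less-preferred
MX, the secondary holding the mail in its queue until the primary is reachable
again, the delay notification, and closed-by-default relaying controlled by a
relay-domains list) can be modelled in a few dozen lines.  The Python below is
an added example for this page, not code from the column, from sendmail or from
Craig's site; the hosts <TT>mail.friend.example</TT> and
<TT>mx.secondary.example</TT>, the relay-domains text and the hour-based clock
are all constructed.  It also applies one rule the column leaves implicit: a
secondary that is itself listed in the domain's MX set relays only to exchangers
with a strictly lower preference value (RFC 2821, section 5), which is what
keeps a queued message from looping back onto the secondary.
</P>

```python
from dataclasses import dataclass, field
from typing import List, Set

@dataclass(frozen=True)
class MX:
    preference: int  # lower value = more preferred, as in the DNS MX record
    host: str

def order_mx(records):
    """Delivery order seen by a sender: lowest preference value first."""
    return [r.host for r in sorted(records, key=lambda r: (r.preference, r.host))]

def pick_delivery_host(records, reachable):
    """Sender side: first reachable exchanger in order; None means queue and retry later."""
    return next((h for h in order_mx(records) if reachable(h)), None)

def relay_targets(records, own_host):
    """A relay that is itself an MX for the domain tries only exchangers with a
    strictly lower preference than its own (RFC 2821 section 5): no mail loops."""
    own = [r.preference for r in records if r.host == own_host]
    return list(records) if not own else [r for r in records if r.preference < min(own)]

def load_relay_domains(text):
    """Parse relay-domains style text: one domain per line, '#' starts a comment."""
    lines = (line.split("#", 1)[0].strip().lower() for line in text.splitlines())
    return {line for line in lines if line}

def relay_decision(rcpt, relay_domains, local_domains):
    """Closed-by-default relaying: deliver for our own domains, relay only for listed
    domains (modelled here as the domain and its subdomains), reject everything else."""
    domain = rcpt.rpartition("@")[2].lower()
    if domain in local_domains:
        return "local"
    if any(domain == d or domain.endswith("." + d) for d in relay_domains):
        return "relay"
    return "reject"

@dataclass
class QueuedMessage:
    rcpt: str
    queued_at: float      # hours on a constructed clock
    warned: bool = False  # delay notification already sent to the sender

@dataclass
class SecondaryMX:
    own_host: str
    local_domains: Set[str]
    relay_domains: Set[str]
    warn_after_hours: float = 4.0  # the "4 hours" delay notice from the column
    queue: List[QueuedMessage] = field(default_factory=list)

    def smtp_rcpt(self, rcpt, now):
        """Reply to RCPT TO: queue relayable mail, refuse everything else."""
        decision = relay_decision(rcpt, self.relay_domains, self.local_domains)
        if decision == "reject":
            return "550 Relaying denied"
        if decision == "relay":
            self.queue.append(QueuedMessage(rcpt, now))
        return "250 ok"

    def queue_run(self, mx_lookup, reachable, now):
        """One 'sendmail -q' pass: deliver what is reachable, keep the rest and
        report the senders that are now owed a delay warning."""
        delivered, warnings, remaining = [], [], []
        for msg in self.queue:
            domain = msg.rcpt.rpartition("@")[2].lower()
            host = pick_delivery_host(relay_targets(mx_lookup(domain), self.own_host), reachable)
            if host is not None:
                delivered.append((msg.rcpt, host))
                continue
            if not msg.warned and now - msg.queued_at >= self.warn_after_hours:
                msg.warned = True
                warnings.append(msg.rcpt)
            remaining.append(msg)
        self.queue = remaining
        return delivered, warnings

# Constructed sample data: hypothetical domains, not from the page.
FRIEND_DOMAIN = "friend.example"
FRIEND_MX = [MX(10, "mail.friend.example"), MX(20, "mx.secondary.example")]
RELAY_DOMAINS_TEXT = "# constructed /etc/mail/relay-domains\nfriend.example\n"

def scenario():
    """Primary unreachable for a few hours, then back: mail waits on the
    secondary, one delay warning goes out, then delivery succeeds."""
    mx = SecondaryMX("mx.secondary.example", {"secondary.example"},
                     load_relay_domains(RELAY_DOMAINS_TEXT))
    lookup = lambda d: FRIEND_MX if d == FRIEND_DOMAIN else []
    primary_down = lambda host: host == "mx.secondary.example"
    everything_up = lambda host: True
    return {
        "sender_fallback": pick_delivery_host(FRIEND_MX, primary_down),
        "accept": mx.smtp_rcpt("alice@friend.example", now=0.0),
        "reject": mx.smtp_rcpt("victim@elsewhere.example", now=0.0),
        "run_1h": mx.queue_run(lookup, primary_down, now=1.0),
        "run_5h": mx.queue_run(lookup, primary_down, now=5.0),
        "run_6h": mx.queue_run(lookup, everything_up, now=6.0),
        "left_in_queue": len(mx.queue),
    }

if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

<P>
Running the script walks through the whole exchange: the sender picks
<TT>mx.secondary.example</TT> because the preferred host is down, the secondary
accepts mail for <TT>friend.example</TT> (it is in relay-domains) but answers
"550 Relaying denied" for an unlisted domain, the first queue run delivers
nothing, the run at five hours emits the delay warning, and the run after the
primary returns hands the message to <TT>mail.friend.example</TT> and empties
the queue.  The reject branch is the part that matters for the RBL/ORBS point
in the answer: without it the secondary is exactly the open relay those lists
exist to catch.
</P>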

<!-- sig -->

<!-- end 80 -->
<!--startcut ======================================================= -->
<P> <hr> <P>
<H5 align="center"><a href="http://www.linuxgazette.com/ssc.copying.html"
        >Copyright &copy;</a> 1999, James T. Dennis
<BR>Published in <I>The Linux Gazette</I> Issue 36 January 1999</H5>
<P> <hr> <P>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
</BODY></HTML>
<!--endcut ========================================================= -->