Title: SEAL
Moderator: GALVIA::SMITH
Created: Mon Mar 21 1994
Last Modified: Fri Jun 06 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 1989
Total number of notes: 8209
1836.0. "problem w/ wildcard mx record & mail loop" by CSC32::SHEAFFER () Wed Mar 05 1997 13:28
Howdy
I have a customer who ran into a mail message looping on the firewall
due to the wildcard MX record set up for the firewall's domain on an
AFWU 2.1 system. This system was set up w/ open DNS, but the problem
would also occur in a hidden DNS environment.

The problem occurs if an internal user sends mail to a domain w/ no MX
or A records. The internal mailhub relays the message to the firewall,
SMTPXD accepts the message and hands it off to sendmail to do the delivery.
Sendmail tries to resolve the MX record and finds none, but due to the
wildcard MX record believes the mailhost is itself.

For example, a user sends mail to [email protected], the internal mailhub
relays to the firewall, SMTPXD accepts the message and hands it off to
sendmail for delivery. Sendmail tries to look up the MX record for xyz.com.
It finds no MX or A record exists for xyz.com but does find an MX record
for xyz.com.firewalldomain.com which points to the firewall due to the
wildcard MX record generated by the firewall; that's when the fun begins.
Sendmail connects to the firewall, SMTPXD accepts the connection and
generates an SMTP fake alarm, the message is accepted and queued up and
handed off to sendmail, looping over and over until mail.log gets big
enough to suck up all the free space on /var or the firewall
administrator notices that they have a problem.

The fix was to remove the wildcard MX record from the zone file for the
firewall's domain.
Any comments?
Danny Sheaffer
Digital Customer Support
[email protected]
T.R | Title | User | Personal Name | Date | Lines
--- | --- | --- | --- | --- | ---
1836.1 | consequences of "eating Received headers" again | ANNECY::CHATEL_M | | Wed Mar 05 1997 14:29 | 26
Once again,

Apparently the AFWU product is in some cases removing "Received:"
headers on E-mails in order to hide hostname information. This is
non-compliant with the various SMTP RFCs, which make it clear that
the number of "Received:" headers is used to count the number of
hops a mail message has gone through. This hop count is used
to detect mail loops and drop mail messages (this kind of concept
has been used for ages in many networking protocols).

If some mail gateway wishes to hide hostname information,
it should OVERWRITE the "Received:" headers with meaningless
data but PRESERVE the count of "Received:" headers effectively
present in the message.

What the AFWU is apparently doing is functionally equivalent
to what would happen if an IP router were resetting the Time-to-live
field of an IP packet header before forwarding the packet.
Any transient routing loop could cause serious network consumption
as the bandwidth would be consumed by rapidly looping eternal packets.

This AFWU behavior really SHOULD be fixed...
Marc Chatel @ AEO
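The loop in 1836.0 and the hop-count argument in 1836.1, as an added simulation (not code from the notes, AFWU or sendmail): a toy resolver with the firewall's wildcard MX and search domain shows why an unresolvable xyz.com ends up pointing at the firewall, and a toy relay shows that deleting "Received:" headers makes the loop unbounded while overwriting them lets the hop count stop it. The host names, zone contents and hop limit are assumptions.

```python
FIREWALL = "firewall.firewalldomain.com"   # assumed names, not from the post
SEARCH_DOMAIN = "firewalldomain.com"       # firewall's resolver search list
MAX_HOP_COUNT = 25                         # assumed hop limit (sendmail-style)

def zone(wildcard):
    """Firewall domain zone; `wildcard` adds the '*' MX record the post blames."""
    z = {FIREWALL: {"A": "10.0.0.1"}}
    if wildcard:
        z["*." + SEARCH_DOMAIN] = {"MX": FIREWALL}
    return z

def lookup(z, name, rtype):
    """Exact owner first; otherwise a wildcard owner covering a deeper name."""
    if rtype in z.get(name, {}):
        return z[name][rtype]
    for owner, recs in z.items():
        if owner[0] == "*" and name not in z and name.endswith(owner[1:]):
            if rtype in recs:
                return recs[rtype]
    return None

def resolve_mail_host(domain, wildcard=True):
    """Sendmail's view: try MX then A, for the name as given and then with the
    search domain appended (xyz.com -> xyz.com.firewalldomain.com)."""
    z = zone(wildcard)
    for candidate in (domain, domain + "." + SEARCH_DOMAIN):
        for rtype in ("MX", "A"):
            host = lookup(z, candidate, rtype)
            if host:
                return host if rtype == "MX" else candidate
    return None

def relay(to_domain, strip_received, wildcard=True, max_rounds=100):
    """Pass the message between sendmail and SMTPXD until it is delivered,
    bounced, dropped by hop count, or max_rounds is hit (the unbounded loop)."""
    received = []
    for n in range(1, max_rounds + 1):
        host = resolve_mail_host(to_domain, wildcard)
        if host is None:
            return ("bounced", n)        # no MX/A anywhere: undeliverable
        if host != FIREWALL:
            return ("delivered", n)
        if strip_received:               # hide hostnames by deleting headers
            received = []                # (hop count lost)
        else:                            # hide by overwriting (hop count kept)
            received = ["from (hidden) by (hidden)"] * len(received)
        received.append(f"from {FIREWALL} by {FIREWALL}")  # SMTPXD's own header
        if len(received) > MAX_HOP_COUNT:
            return ("dropped", n)        # loop detected by hop count
    return ("looped", max_rounds)
```

With the wildcard removed, `relay("xyz.com", True, wildcard=False)` bounces on the first round instead of looping, which is the fix the post describes.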
1836.2 | | BIGUN::16.153.176.10::Mayne | Churchill's black dog | Sun Mar 09 1997 16:42 | 4 |
FWIW some recent discussion in INTERNET_TOOLS said that wildcard MX records are
a *really* bad idea.
PJDM