Wierd question
Chuck Rock
carock at epconline.com
Tue Jul 3 20:56:41 IST 2007
The server I need to stop receiving mail is not a relay, but the final
destination POP3 account server. It used to be the MX handler for the
domain, but now the new filter server is.

I needed the final destination POP3 mailbox server to reject mail to a
specific domain from every other IP except the new filter server.

Since the POP3 server was a listed MX handler for the domain, it's in caches
and spammer relay lists for the domain. Once the DNS changes have propagated
and most caches have timed out and refreshed, the only mail for that
specific domain still being sent to the old MX IP is junk.

Since the server is still the final destination POP3 mailbox server, it MUST
receive mail for that domain. I just needed to make sure it was only from
the filter and not just any IP.

Since the server hosts hundreds of other domains, I could not just filter
port 25 traffic, it had to be domain specific.

If you use a prefilter setup like a piece of hardware for spam/av filter for
E-mail, you will get spam and other junk bypassing your filter if the old MX
record for the domain will still accept mail from any address for the
filtered domain.

Chuck
-----Original Message-----
From: mailscanner-bounces at lists.mailscanner.info
[mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of Scott Silva
Sent: Monday, July 02, 2007 6:45 PM
To: mailscanner at lists.mailscanner.info
Subject: Re: Wierd question
Chuck Rock spake the following on 7/2/2007 1:14 PM:
> Excellent, I will test.
>
> Basically for the other guy, I had a mail server running MS and clamAV and
> SpamAssassin. All free stuff, works nice mostly.
>
> I purchased a Barracuda to "add" domains to with an extra fee for the
> expensive commercial spam filter.
>
> The final destination server is still the same. I just changed MX so only
> the Barracuda was listed.
>
> What I've found through experience though, servers will continue to send
> mail to the old MX record even though it doesn't exist. I still have servers
> receiving messages for domains we haven't hosted for years.
>
> To keep the spammers from bypassing the new Barracuda filter inserted in the
> mail flow, I must make the final destination server ignore messages from all
> other IP's for incoming mail destined for specific domains and only allow
> them from the new spam filter device IP.
>
> If any of you have a filter like this, and you haven't limited the old MX
> server from receiving mail from just any IP for the domain, spam is probably
> getting past your new filter.
>
None of my MX's will relay anything that they are not supposed to relay. If an
MX doesn't need to relay a domain anymore, it should reject it. You want to
reject at the first point of connection, or you have to bounce an NDR and take
a chance of being a joe-job relay.

In sendmail, you remove that domain from the relay_domains, I'm sure every
other MTA has the same feature. An MX should not blindly relay anything. If it
relays for one or a hundred domains, that is all it should be configured for.
Sure it is a little more work, but it doesn't get changed much.
--
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!
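
One way to check whether mail for a filtered domain is still reaching the final-destination server from hosts other than the filter, as described in this thread. This is an added example, not code posted by either participant. It assumes sendmail-style syslog lines where a `from=` line carries the connecting relay and a later `to=` line with the same queue ID carries the recipient; the domain, IP addresses and log lines are constructed.

```python
import re

# Assumed sendmail-style log layout (constructed for this example).
FROM_RE = re.compile(r": (\w+): from=.*relay=(?:\S+ )?\[([^\]]+)\]")
TO_RE = re.compile(r": (\w+): to=(\S+), .*stat=(.+)")

def find_bypasses(lines, protected_domain, filter_ips):
    """Return (queue_id, relay_ip, recipient, status) for every delivery
    to protected_domain whose connecting relay is not in filter_ips."""
    domain = protected_domain.lower()
    relay_by_qid = {}
    hits = []
    for line in lines:
        m = FROM_RE.search(line)
        if m:
            relay_by_qid[m.group(1)] = m.group(2)
            continue
        m = TO_RE.search(line)
        if not m:
            continue
        qid, rcpts, stat = m.groups()
        relay = relay_by_qid.get(qid)
        # Skip if the relay is unknown or is the filter itself. Add 127.0.0.1
        # to filter_ips if local submissions should not be reported.
        if relay is None or relay in filter_ips:
            continue
        for addr in re.findall(r"<([^>]+)>", rcpts):
            if addr.lower().rpartition("@")[2] == domain:
                hits.append((qid, relay, addr, stat.strip()))
    return hits

# Constructed sample: filter at 192.0.2.25, filtered.example is protected,
# other.example is hosted on the same server and accepted from anywhere.
SAMPLE_LOG = [
    "Jul  3 10:00:01 pop3 sendmail[2101]: l63A0001002101: from=<x@spam.example>, size=2048, proto=ESMTP, daemon=MTA, relay=host9.example.net [203.0.113.9]",
    "Jul  3 10:00:02 pop3 sendmail[2102]: l63A0001002101: to=<bob@filtered.example>, delay=00:00:01, mailer=local, dsn=2.0.0, stat=Sent",
    "Jul  3 10:05:01 pop3 sendmail[2110]: l63A0501002110: from=<amy@good.example>, size=900, proto=ESMTP, daemon=MTA, relay=[192.0.2.25]",
    "Jul  3 10:05:02 pop3 sendmail[2111]: l63A0501002110: to=<bob@filtered.example>, delay=00:00:01, mailer=local, dsn=2.0.0, stat=Sent",
    "Jul  3 10:09:01 pop3 sendmail[2120]: l63A0901002120: from=<joe@peer.example>, size=700, proto=ESMTP, daemon=MTA, relay=mx.peer.example [198.51.100.7]",
    "Jul  3 10:09:02 pop3 sendmail[2121]: l63A0901002120: to=<sue@other.example>, delay=00:00:01, mailer=local, dsn=2.0.0, stat=Sent",
]

if __name__ == "__main__":
    for hit in find_bypasses(SAMPLE_LOG, "filtered.example", {"192.0.2.25"}):
        print("bypassed filter:", hit)
```

Once the per-domain restriction is in place, the same check should return only rejected deliveries for the protected domain.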