Sender Verify on MX Domain

Is Ironport able to reject a domain with an invalid MX record? (Or is it already on the feature list?)

Such as:

# host -t mx yahool.com
yahool.com mail is handled by 0 .

# host -t mx san-ying.com
san-ying.com mail is handled by 10 218.4.48.181.

# host -t mx guitarra.biz
guitarra.biz mail is handled by 0 64.202.167.73.

An MTA that already implements this is Exim.

See: http://exim.org/exim-html-4.63/doc/html/spec_html/ch17.html

TIA

4 Replies

What we usually do in HAT is to turn the "envelope sender DNS verification" on.

Ironport will try to determine if the domain exists. And Ironport will do it through DNS queries on the domain in the sender.

What we usually do in HAT is to turn the "envelope sender DNS verification" on.

Ironport will try to determine if the domain exists. And Ironport will do it through DNS queries on the domain in the sender.


It is not just about whether the domain exists or not.

What we'd like to achieve is to reject the messages if the domain exists but has an invalid MX record entry (such as an MX record that has 0, localhost, 127.0.0.1 or any numbers that are not valid for an MX record).

This is not covered by sender DNS verification.

bfayne_ironport
Level 1

You could use a filter to check the bogusmx.rfc-ignorant.org zone and bounce the message if the envelope sender matches.

See http://www.rfc-ignorant.org for more info.

Donald Nash
Level 3

You could use a filter to check the bogusmx.rfc-ignorant.org zone and bounce the message if the envelope sender matches.

Unless I totally missed it in my search of the v4.7 documentation, AsyncOS only knows how to look up the IP address of the incoming SMTP client in DNSBLs. It doesn't know how to look up the domain name of the MAIL FROM address.

Personally, I wish they'd provide a way to implement these checks directly, rather than having to depend on an external DNSBL. It's not like AsyncOS can't figure it out on its own, since the rules are pretty deterministic. That said, being able to look up the MAIL FROM domain in a DNSBL could have other uses.
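The MX checks discussed in this thread, written out as an added example; it is not part of any post and is not IronPort or Exim code. The names `classify_target`, `unusable_domains` and `SAMPLE` are hypothetical, the two `example.*` lines are constructed, and flagging a domain only when every MX it publishes is bad is an assumed policy.

```python
import ipaddress
import re

# `host -t mx` output: the first three lines are from the question above,
# the last two are constructed for contrast.
SAMPLE = """\
yahool.com mail is handled by 0 .
san-ying.com mail is handled by 10 218.4.48.181.
guitarra.biz mail is handled by 0 64.202.167.73.
example.org mail is handled by 10 localhost.
example.net mail is handled by 5 mail.example.net.
"""

LINE = re.compile(r"^(\S+) mail is handled by (\d+) (\S+)$")
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_target(target):
    """Return why an MX target is unusable, or None if it looks like a host name."""
    name = target.rstrip(".").lower()
    if not name:
        # "." is the RFC 7505 null MX: the domain accepts no mail at all.
        return "null MX"
    try:
        ipaddress.ip_address(name)
        return "IP literal"  # an MX target must be a host name, not an address
    except ValueError:
        pass
    if name in ("localhost", "localhost.localdomain"):
        return "localhost"
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL.match(label) for label in labels):
        return "not a FQDN"
    return None


def unusable_domains(host_output):
    """Return {domain: [reasons]} for domains with no usable MX record.

    Assumed policy: a domain is flagged only when every MX it publishes is bad.
    """
    seen = {}
    for line in host_output.splitlines():
        m = LINE.match(line.strip())
        if m:
            domain, _pref, target = m.groups()
            seen.setdefault(domain, []).append(classify_target(target))
    return {d: r for d, r in seen.items() if all(r)}
```

Calling `unusable_domains(SAMPLE)` flags the three domains from the question plus the constructed `localhost` case and leaves `example.net` alone.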