Argh! (Adelphia, E-mail, iptables, etc.)

bscott at ntisys.com
Sat Aug 30 18:40:58 EDT 2003


On 29 Aug 2003, at 5:31pm, kclark at cetaceannetworks.com wrote:
>>> I would personally use ssh to do that kind of redirection
>>> On machine a ssh -g -L 25:3.4.5.6:otherport 3.4.5.6
>> 
>> It seems to me that would add needless overhead.  You're already talking
>> about a public data stream (SMTP), so why bother spending the CPU cycles
>> to encrypt it for the last few steps?
> 
> In practice, how would either scheme interact with the anti-spam,
> reverse-DNS schemes employed by certain MTAs?

  Incoming or outgoing?

  Outgoing, the OP can and likely should configure his MTA to relay through
one of Adelphia's SMTP relay servers ("smart host", in Sendmail terms).  No
problem there.  Even if the OP did not do this (and assuming Adelphia did
not block SMTP outbound), the mail would still appear to originate from the
OP's MX on the Adelphia network, as it is only incoming mail that would go
through the redirection discussed previously.

  As for incoming, that is in the control of the OP, so presumably, he can
modify whatever filters he might have in place.  As for specifics...

  Many MTAs come configured to check that the domain part of the SMTP
reverse-path resolves to a potentially mailable domain (has either an MX
record or an A record).  That part will function as before, since it is part
of the SMTP protocol exchange, and happens above the IP layer.

  Now, I have encountered MXs which do all sorts of additional
checking.  Some do a reverse DNS look-up on the IP address of the sending
MX.  Some just insist that the PTR record exist.  Others do things like
compare it to the hostname given in HELO/EHLO, or do a forward look-up on
the resulting domain name to see if they get an A record which matches the
original IP address.  This sort of thing is rarely a good idea, as reverse
DNS is neither required by the standards, nor is it consistently available
in practice.  At most, one should use this kind of information as a criterion
in a weighted-scoring system.  (As with third-party blacklists, one should
avoid using any system which considers unreliable information sufficient to
block mail.)  But, again, this is presumably in the control of the OP, who
can disable it if needed.

  Hope that helps.  :-)

-- 
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.              |
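The four checks Ben lists (reverse-path domain has an MX or A record; PTR present; PTR name resolves forward to the connecting address; HELO/EHLO name matches the PTR) combined into the weighted-scoring arrangement he recommends, as an added example that is not part of the original message or of any MTA. The weights, the reject threshold, the host names, the DNS answers and the injected resolver are all assumptions constructed so the block runs offline; only the reverse-path check carries enough weight to reject on its own, and a temporary DNS failure is recorded but never penalised, which is the caveat about reverse DNS not being consistently available.

```python
"""Weighted scoring of the sender checks discussed in the post.

Added example, not code from the original message.  DNS data, weights and
threshold are constructed for illustration; the resolver is injected so the
block runs offline (wire in dnspython or socket for real use).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# A resolver maps (owner name, record type) to answer strings.  It returns []
# for NXDOMAIN/NODATA and raises on a temporary failure (SERVFAIL, timeout).
Resolver = Callable[[str, str], List[str]]

# Assumed weights: only the reverse-path check (part of the SMTP exchange
# itself) can reject alone; the reverse-DNS checks together stay below the
# threshold because rDNS is neither required nor consistently available.
DEFAULT_WEIGHTS = {
    "reverse_path_unresolvable": 3.0,
    "no_ptr": 1.0,
    "fcrdns_mismatch": 1.0,
    "helo_mismatch": 0.5,
}
REJECT_THRESHOLD = 3.0


def canon(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot."""
    return name.rstrip(".").lower()


def _same_addr(text: str, addr) -> bool:
    try:
        return ipaddress.ip_address(text) == addr
    except ValueError:
        return False


@dataclass
class Verdict:
    score: float = 0.0
    reasons: List[str] = field(default_factory=list)

    @property
    def reject(self) -> bool:
        return self.score >= REJECT_THRESHOLD


def _lookup(resolve: Resolver, name: str, rtype: str, v: Verdict):
    """Return (answers, ok); ok=False is a temporary failure, never a penalty."""
    try:
        return [canon(a) for a in resolve(canon(name), rtype)], True
    except Exception as exc:
        v.reasons.append(f"{rtype} {name}: temporary failure ({exc})")
        return [], False


def score_sender(ip: str, helo: str, reverse_path: str, resolve: Resolver,
                 weights: Dict[str, float] = DEFAULT_WEIGHTS) -> Verdict:
    v = Verdict()
    addr = ipaddress.ip_address(ip)
    fwd_type = "AAAA" if addr.version == 6 else "A"

    # 1. Reverse-path domain must be mailable (MX or A).  Skipped for the
    #    null sender "<>", which bounces legitimately use.
    sender = reverse_path.strip("<>")
    if sender:
        domain = sender.rsplit("@", 1)[-1]
        mx, ok_mx = _lookup(resolve, domain, "MX", v)
        a, ok_a = _lookup(resolve, domain, "A", v)
        if ok_mx and ok_a and not mx and not a:
            v.score += weights["reverse_path_unresolvable"]
            v.reasons.append(f"reverse-path domain {domain} has no MX or A")

    # 2. PTR for the connecting address.
    ptrs, ok_ptr = _lookup(resolve, addr.reverse_pointer, "PTR", v)
    if not ptrs:
        if ok_ptr:
            v.score += weights["no_ptr"]
            v.reasons.append(f"no PTR for {ip}")
        return v  # checks 3 and 4 need a PTR name to compare against

    # 3. Forward-confirmed rDNS: some PTR name must resolve back to ip.
    confirmed, temp_fail = [], False
    for name in ptrs:
        fwd, ok = _lookup(resolve, name, fwd_type, v)
        temp_fail |= not ok
        if any(_same_addr(x, addr) for x in fwd):
            confirmed.append(name)
    if not confirmed and not temp_fail:
        v.score += weights["fcrdns_mismatch"]
        v.reasons.append(f"PTR {ptrs} does not resolve back to {ip}")

    # 4. HELO/EHLO name compared with the PTR name(s).
    if canon(helo) not in ptrs:
        v.score += weights["helo_mismatch"]
        v.reasons.append(f"HELO {helo} does not match PTR {ptrs}")
    return v


# Constructed DNS data (assumption); 3.4.5.6 is the address from the thread.
CONSTRUCTED_DNS: Dict[Tuple[str, str], List[str]] = {
    ("6.5.4.3.in-addr.arpa", "PTR"): ["mail.example.net."],
    ("mail.example.net", "A"): ["3.4.5.6"],
    ("example.net", "MX"): ["mail.example.net."],
    # PTR that points at a name resolving to a different address
    ("8.100.51.198.in-addr.arpa", "PTR"): ["dsl-pool.isp.example."],
    ("dsl-pool.isp.example", "A"): ["198.51.100.99"],
}


def constructed_resolver(name: str, rtype: str) -> List[str]:
    """Offline stand-in for DNS; *.flaky.example simulates SERVFAIL."""
    if name.endswith("flaky.example"):
        raise TimeoutError("constructed SERVFAIL")
    return list(CONSTRUCTED_DNS.get((name, rtype), []))
```

With these weights a sender with no PTR, a non-confirming PTR and a mismatched HELO still scores at most 1.5 and is not rejected, whereas an unresolvable reverse-path domain scores 3.0 and is; adjusting the table is the only knob an operator who disagrees with Ben's weighting needs to touch.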



