nanog mailing list archives
Re: fixing insecure email infrastructure (was: Re: [eweek article]
From: Mark Andrews <Mark_Andrews () isc org>
Date: Tue, 25 Jan 2005 09:41:08 +1100
On Fri, Jan 14, 2005 at 10:05:05AM +1100, Mark Andrews wrote:What is wrong with MTAMARK?As currently described it doesn't fit well with RFC 2317 style delegations. They would need to be converted to use DNAME instead of CNAME which requires all the delegating servers to be upgraded to support DNAME.How many legit mailservers get their revDNS from RFC 2317 style delegations?
Lots. I'm sure that there are lots of ISPs/IAPs on NANOG that do RFC 2317 style delegations for their customers. Every one of them would need to upgrade their servers to support DNAME. Their clients would also need to upgrade their servers to support DNAME as they should be stealth servers of the parent zone, to allow local lookups to work when the external link is down. If you hace a RFC 2317 style delegation then you are almost certainly doing your own mail support in addition to your own DNS support.
Marking hosts "MTA=no" is an addon for an explicit block. I'd assume most ISPs cannot simply mark their revDNS with "MTA=no" without changing contracts, but even adding "MTA=yes" would be of a lot of help. And it is really easy and doesn't have any negative side effects ;-) \Maex -- SpaceNet AG | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0 Research & Development | D-80807 Muenchen | Fax: +49 (89) 32356-299 "The security, stability and reliability of a computer system is reciprocally proportional to the amount of vacuity between the ears of the admin"
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews () isc org
Current thread:
- Re: marking dynamic ranges, was fixing insecure email infrastructure, (continued)
- Re: marking dynamic ranges, was fixing insecure email infrastructure Markus Stumpf (Jan 25)
- Re: marking dynamic ranges, was fixing insecure email infrastructure Suresh Ramasubramanian (Jan 25)
- Message not available
- Re: fixing insecure email infrastructure (was: Re: [eweek article] Mark Andrews (Jan 13)
- Re: fixing insecure email infrastructure (was: Re: [eweek article] Owen DeLong (Jan 13)
- Re: fixing insecure email infrastructure (was: Re: [eweek article] william(at)elan.net (Jan 13)
- Re: fixing insecure email infrastructure (was: Re: [eweek article] Suresh Ramasubramanian (Jan 13)
- Re: fixing insecure email infrastructure (was: Re: [eweek article] Todd Vierling (Jan 14)
- Re: fixing insecure email infrastructure (was: Re: [eweek article] Mark Andrews (Jan 14)
- Re: fixing insecure email infrastructure (was: Re: [eweek article] Paul Vixie (Jan 14)
- Re: fixing insecure email infrastructure (was: Re: [eweek article] Markus Stumpf (Jan 24)
- Re: fixing insecure email infrastructure (was: Re: [eweek article] Mark Andrews (Jan 24)
- Re: fixing insecure email infrastructure (was: Re: [eweek article] Markus Stumpf (Jan 25)
- Re: fixing insecure email infrastructure (was: Re: [eweek article] Mark Andrews (Jan 25)
- Re: fixing insecure email infrastructure (was: Re: [eweek article] Markus Stumpf (Jan 25)
- Re: fixing insecure email infrastructure (was: Re: [eweek article] Mark Andrews (Jan 25)
- Re: fixing insecure email infrastructure (was: Re: [eweek article] Markus Stumpf (Jan 25)
- RE: fixing insecure email infrastructure (was: Re: [eweek article] Window of "anonymity" when domain exists, whois not updated yet) Joseph Johnson (Jan 13)
- Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of "anonymity" when domain exists, whois not updated yet) william(at)elan.net (Jan 12)
- Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of "anonymity" when domain exists, whois not updated yet) Steven Champeon (Jan 13)
- Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of "anonym Stephane Bortzmeyer (Jan 13)
- Re: fixing insecure email infrastructure (was: Re: [eweek article] Window of "anonym Stephane Bortzmeyer (Jan 13)