On 22.09.24 12:16, Philipp wrote:
> [2024-09-22 09:39] Christian Schulte <c...@schulte.it>
>>
>> [snip]
>> 
> 
> There are several problems:
> 
> First of all it's not that simple to know which domains your server
> is responsible for. Yes you could check MX records and look up the A
> and AAAA records. But a negative match isn't true, because you might
> be an MX later in the chain or run behind some NAT.
> 
> Next when you have a server for outgoing mails and one for incoming
> mails the mails within the domain might just be relayed like any other
> mail. This way the mails for the "own" domain also flow in like other
> mails from extern. There are other setups where your check wouldn't
> work.

Does that speak for the setups or against them? I just may not get the
reasons for setting up things that way, of course. The different daemons
just would need to authenticate to each other and it would work out of
the box. That would mean you'd have to enable auth and tls as an option
for the MTAs on port 25 without requiring them.

> Also (local) table lookups are quite cheap. Even with a few hundred
> domains the lookup in memory is much cheaper than doing DNS requests.

That's my understanding as well. Maybe abusing DNS for this goes way too
far.

> 
>> if some third party starts adding MX records to DNS pointing to your
>> daemons. This needs a bit more thinking, of course. So if someone evil
>> would set up an MX pointing to OpenSMTPD, nothing could happen if
>> OpenSMTPD would not allow anything to be sent from such domains without
>> authentication/tls etc.
> 
> I would say it's impossible to differentiate between an MX set by you and an MX
> set by someone else. I'm not sure if this would be a real problem, so
> it might be ok.
> 
>> Making it behave that way by default clearly
>> would be a bit too alien. Having such option would be cool, I think, as
>> it would remove the need to change any SMTP configuration whenever
>> someone registers a new domain or cancels a domain, because DNS could be
>> used for this. You'll have to set up MX records in DNS anyways. No more
>> need additionally having to change SMTP configuration in addition.
> 
> Generally your approach sounds appealing at first look. But it completely
> misunderstands how OpenSMTPD works. There is no concept of local domains
> and external domains. The concept is envelope based. So each envelope is
> checked against all matching rules and handled according to the action
> of the first match.
> 
> To make this clear: I don't think doing MX lookups on the sender domain
> is generally a bad idea. I just don't think it's a good feature to implement
> directly in smtpd or enabled by default.
> 
> OpenSMTPD is flexible enough to add this feature by writing a table or
> filter which implements this. There are manpages for the smtpd-tables(7)
> and the smtpd-filter(7).

Ok. Will take a look at those. Thank you for those pointers. The patch I
posted to @tech is based on the "for domain" match option, which also
deals with the envelope. What I mean is, if there is a "for domain"
match option inspecting the envelope recipient, why not add a "from
domain" option inspecting the envelope sender? Does not make things
appear inconsistent to me.

-- 
Christian
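
Added example, not part of the mail above, not OpenSMTPD code and not the patch sent to @tech: a Python model of the MX check discussed in this thread, showing why a missing match is inconclusive (NAT, MX later in the chain) and why a positive match from a third-party MX record is only safe when it triggers an authentication requirement. All names, addresses and the `decide` policy are assumptions; the DNS data is constructed so the code runs offline.

```python
from ipaddress import ip_address

# Constructed zone data (documentation address ranges): domain -> MX hosts,
# MX host -> A/AAAA addresses as seen in public DNS.
MX = {
    "example.org": ["mx1.example.org"],
    "nat.example": ["mx.nat.example"],          # we serve this domain from behind NAT
    "chain.example": ["frontend.example.net"],  # a frontend relays to us later in the chain
    "evil.example": ["mx1.example.org"],        # third party pointing its MX at our host
}
ADDR = {
    "mx1.example.org": ["192.0.2.10", "2001:db8::10"],
    "mx.nat.example": ["198.51.100.7"],         # public address of the NAT gateway
    "frontend.example.net": ["203.0.113.5"],
}


def mx_points_to_us(domain, local_addrs, mx=MX, addr=ADDR):
    """Return True if an MX host of `domain` resolves to one of our addresses.

    Return None (not False) when nothing matches: behind NAT or behind a
    frontend MX we may still handle the domain, so the result is inconclusive.
    """
    local = {ip_address(a) for a in local_addrs}
    for host in mx.get(domain, []):
        if any(ip_address(a) in local for a in addr.get(host, [])):
            return True
    return None


def decide(sender_domain, authenticated, local_addrs):
    """Hypothetical policy for the proposal: a sender domain whose MX points
    to us must authenticate. The MX record is never used to grant trust,
    because anyone can publish an MX record naming our host."""
    if mx_points_to_us(sender_domain, local_addrs) and not authenticated:
        return "reject"
    return "continue"  # fall through to the normal first-match rule evaluation
```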

