Title: Ingo Claro
Why would you want to do MX lookups on every incoming connection?

If you _REALLY_ want to, look at the mfcheck patch for qmail-smtpd.  While this does it for the mail from, you could enhance it to check for each rcpt, as well as look up MX.  Remember that if no MX exists, you should look up the A record for the domain name itself.  You will also need to follow any MX record and convert it to an IP.  Also keep in mind that your DNS servers may cache for double your TTL on the domains you host, so this won't help you much for quick changes- just long term effects.

Since it doesn't do any quick changes due to caching on your Internal DNS systems, you might as well run a script every day (or more often or less often) to just do lookups of domains in your rcpthosts and notify you if any of the IPs aren't in your subnet, or if you use the same MX for all of them, you can get away with just looking up the MX [knowing that you have MXs, you can skip the other lookups and followup lookups mentioned above].

Who said anything about switching off local delivery?  How would that help you?  You could do the lookups and then create a report of unmatching MX records and send it to your e-mail.

I'd ___HIGHLY___ discourage, if not downright call you names, if you were to automate the removal of these domains (vdeldomain) or any sort of automatic disabling.  Realize that DNS isn't perfect.  Network connectivity isn't perfect.  Domains are left to expire and then renewed after a few days.  Users may transition to another ISP and DNS caches may point to your server for days if not weeks.  One may change a setting by accident.

In any case, in all of these cases, you don't want to delete the mail, settings, users/forwards/lists, or prevent any delivery of mail.  You'll have a lot more pissed off clients if you do that.

Just run a script daily to notify you of domains that don't have you listed as your MX (keeping in mind grepping out things like localhost or the shortname of your server, or being aware of any subdomains and how that can affect things) but are in your rcpthosts.  Use this e-mail to contact users and make educated decisions as to what actions to take, including potentially sending the user their mail, or encouraging them to login to a webmail system to get it before you delete it.

Cheers
-M



Andy BIERLAIR <[EMAIL PROTECTED]> wrote:
So you say that there is no option to simply switch off local delivery and treat everything as coming from the outside? I guess I have to live with that :)
 
How would I do the script based idea below realtime based? I mean, each time an email is sent from the smtp.
 
 
Thanks,
Andy

From: Ingo Claro [mailto:[EMAIL PROTECTED]
Sent: Friday, May 19, 2006 18:12
To: vchkpw@inter7.com
Subject: Re: [vchkpw] Unwanted Local Delivery
 
To get only the domains that don't match, you should do:

host -t MX $i | egrep "mail1.thiscouldbeme.com|mail2.thiscouldbemetoo.com" > /dev/null 2>&1 || echo $i


regards,
 
 
Ingo Claro F.
Operations Manager
[EMAIL PROTECTED]
(+56-2) 43 00 155
NetRed S.A.
ISO 9001:2000 Certified


Michael Krieger wrote:
for i in `cat /var/qmail/control/{more,}rcpthosts`; do
  host -t MX $i | egrep "mail1.thiscouldbeme.com|mail2.thiscouldbemetoo.com" 2>&1 || echo $i
done

Done- will echo everything that does not include your expression in its MX record.  If it has no matches, grep exits 1 and will trigger the echo.  If it matches at least one, then you're set.  You can make more complex expressions or do more tests if you'd like.

-M

Tom Collins <[EMAIL PROTECTED]> wrote:
On May 19, 2006, at 12:46 AM, Andy BIERLAIR wrote:
> How can I force vpopmail/qmail to deliver it to the right MX instead to a
> local zombie domain?

You can't.

You possibly need to write an auditing program that goes through the
domains in your rcpthosts and morercpthosts and makes a list of domains
that don't list you as an MX.

--
Tom Collins - [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/
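
The report-only audit discussed in this thread (MX lookup, fallback to the domain's A record when no MX exists, following an MX name to its IPs), as an added example that is not code from any poster or from qmail/vpopmail. The OUR_IPS addresses are constructed placeholders, the function names are hypothetical, and the parsing assumes the usual output wording of host(1).

```shell
#!/bin/bash
# Report-only audit: which rcpthosts domains no longer point their mail at us?
OUR_MX="mail1.thiscouldbeme.com mail2.thiscouldbemetoo.com"  # names used in the thread
OUR_IPS="192.0.2.10 192.0.2.11"                              # constructed placeholder IPs

# All DNS goes through this wrapper around host(1) so it can be stubbed offline.
dns() { host -t "$1" "$2" 2>/dev/null; }
mx_targets() { dns MX "$1" | awk '/mail is handled by/ {sub(/\.$/, "", $NF); print tolower($NF)}'; }
a_records()  { dns A  "$1" | awk '/has address/ {print $NF}'; }

# True if any word of $1 also appears in the space-separated list $2.
any_in() {
  local x
  for x in $1; do
    case " $2 " in *" $x "*) return 0 ;; esac
  done
  return 1
}

# Prints ok | foreign-mx | foreign-a | no-answer for one domain.
classify() {
  local mx ips t
  mx=$(mx_targets "$1")
  if [ -n "$mx" ]; then
    any_in "$mx" "$OUR_MX" && { echo ok; return; }
    # MX is not ours by name; follow each target to its IPs before judging.
    for t in $mx; do ips="$ips $(a_records "$t")"; done
    any_in "$ips" "$OUR_IPS" && echo ok || echo foreign-mx
    return
  fi
  # No MX: mail falls back to the domain's own A record.
  ips=$(a_records "$1")
  if [ -z "$ips" ]; then echo no-answer   # DNS failure or expired domain: report only
  elif any_in "$ips" "$OUR_IPS"; then echo ok
  else echo foreign-a
  fi
}

# Reads rcpthosts-style files, prints "domain status" for everything not ok.
audit() {
  local d s
  cat "$@" 2>/dev/null | while read -r d || [ -n "$d" ]; do
    case "$d" in ''|'#'*|.*|localhost) continue ;; esac  # blanks, wildcards, localhost
    s=$(classify "$d")
    [ "$s" = ok ] || echo "$d $s"
  done
}

# Daily cron use: audit /var/qmail/control/rcpthosts /var/qmail/control/morercpthosts
```

Mail the output to the administrator; a `no-answer` line is a lookup that returned nothing and should only prompt a recheck.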
 
