Cisco Support Community
New Member

Sender Verify on MX Domain

Is IronPort able to reject a domain with an invalid MX record? (Or is it already on the feature list?)

Such as:

# host -t mx yahool.com
yahool.com mail is handled by 0 .

# host -t mx san-ying.com
san-ying.com mail is handled by 10 218.4.48.181.

# host -t mx guitarra.biz
guitarra.biz mail is handled by 0 64.202.167.73.

An MTA that already implements this is Exim.

See: http://exim.org/exim-html-4.63/doc/html/spec_html/ch17.html

TIA

4 REPLIES

Re: Sender Verify on MX Domain

What we usually do in HAT is to turn the "envelope sender DNS verification" on.

IronPort will try to determine if the domain exists, and it will do so through DNS queries on the domain in the sender.

New Member

Re: Sender Verify on MX Domain

What we usually do in HAT is to turn the "envelope sender DNS verification" on.

IronPort will try to determine if the domain exists, and it will do so through DNS queries on the domain in the sender.


It is not just about whether the domain exists or not.

What we'd like to achieve is to reject messages if the domain exists but has an invalid MX record entry (such as an MX record that has 0, localhost, 127.0.0.1 or any number that is not valid for an MX record).

This is not covered by sender DNS verification.

New Member

Reject on Bogus MX

You could use a filter to check the bogusmx.rfc-ignorant.org zone and bounce the message if the envelope sender matches.

See http://www.rfc-ignorant.org for more info.

New Member

Re: Reject on Bogus MX

You could use a filter to check the bogusmx.rfc-ignorant.org zone and bounce the message if the envelope sender matches.

Unless I totally missed it in my search of the v4.7 documentation, AsyncOS only knows how to look up the IP address of the incoming SMTP client in DNSBLs. It doesn't know how to look up the domain name of the MAIL FROM address.

Personally, I wish they'd provide a way to implement these checks directly, rather than having to depend on an external DNSBL. It's not like AsyncOS can't figure it out on its own, since the rules are pretty deterministic. That said, being able to look up the MAIL FROM domain in a DNSBL could have other uses.
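
The bogus-MX rules discussed in this thread, written out as an added example (not from any poster, and not AsyncOS or Exim code). It parses `host -t mx` output and flags sender domains whose MX records are all unusable; the function names, the two `example.*` sample lines and the "all records must be bogus" policy are assumptions made for illustration.

```python
import ipaddress
import re

# Sample input: the `host -t mx` output quoted in the first post, plus two
# constructed lines (example.net, example.org) for the remaining cases.
SAMPLE = """\
yahool.com mail is handled by 0 .
san-ying.com mail is handled by 10 218.4.48.181.
guitarra.biz mail is handled by 0 64.202.167.73.
example.net mail is handled by 5 localhost.
example.org mail is handled by 10 mx1.example.org.
"""

LINE = re.compile(r"^(\S+) mail is handled by (\d+) (\S+)$")

def classify_mx(target):
    """Return a reason string if the MX target is bogus, else None."""
    name = target.rstrip(".").lower()
    if name == "":
        return "null MX (target is the root '.')"
    if name == "localhost" or name.endswith(".localhost"):
        return "MX points at localhost"
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        pass  # not an IP literal, keep checking it as a host name
    else:
        kind = "" if addr.is_global else "non-routable "
        return f"MX target is a {kind}IP literal, not a host name"
    if "." not in name:
        return "MX target is not a fully qualified host name"
    return None

def bogus_sender_domains(host_output):
    """Map each domain to its reasons, if every MX record it has is bogus.

    Assumed policy: one usable MX is enough to return a bounce, so a domain
    is listed only when none of its MX records is usable.
    """
    records = {}
    for line in host_output.splitlines():
        m = LINE.match(line.strip())
        if m:
            records.setdefault(m.group(1), []).append(classify_mx(m.group(3)))
    return {d: r for d, r in records.items() if all(r)}

if __name__ == "__main__":
    for domain, reasons in bogus_sender_domains(SAMPLE).items():
        print(f"{domain}: {'; '.join(reasons)}")
```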
