Re: Email forwarding and RBL trouble

Thanks a lot all, it's all clear to me now! I though that the trusted networks mean that the message will just be passed it it came from that source.
I didnt know it will skip to the next "Received" IP. Thanks a lot.

One question about the "backscatter" problem though, if I understand correctly it is always my Exchange server (the machine inline with SA) who will send out "user does not exist" messages, right? The backup MX will merely try to forward it and the Exchange server decides if that mail address exists or not. I think Exchange is configured the right way in such a way that it knows what users it has on the system..

I would really like to drop the second mx altogether but policy forbids it :)

Thanks for all the help guys!

Rense

Bowie Bailey wrote:
> Rense Buijen wrote:
>
>> Mathhias,
>>
>> The problem is that when the mail enters the backup MX, we dont know
>> if that mail is blacklisted at for instance spamcop.
>> So if the backup mx accepts the mail (because it's dumb and it will
>> accept it), and my primary mx (SA) has set the backup mx as trusted
>> network/source, the mail will be delivered while it should not have
>> been. You see the problem? SA cannot see if the mail that has been
>> forwarded by my backup MX is valid (black/whitelisted) or not because
>> it cannot check the IP against the RBL, it will lookup the wrong IP.
>> And it should do this because there is NO rbl checking on the backup
>> MX itself...
>>
>
> You are making assumptions about what trusted_networks implies. Just
> because mail comes from a machine in your trusted_networks doesn't mean
> that it will not be scanned. The ONLY thing that trusted_networks means
> is that you trust those machines to put valid header information in the
> message. It does NOT mean that you trust them not to forward spam.
>
> For your configuration, you need to put your backup MX into
> trusted_networks in order for the RBLs to work properly.
>
> The real problem with this setup is that once your backup MX starts
> forwarding messages to the primary and spam is rejected, then your
> backup is in the bad position of having to issue a delivery notification
> to the sender. This is bad because most spam and viruses fake the
> sender information. So most of your bounces will be going to the wrong
> person. This is called "backscatter" and is another form of spam. A
> mailserver should not accept mail that it will not be able to deliver.
>
> I would suggest that you either configure your backup the same as your
> primary, or just drop the backup altogether. Without the backup, the
> sending MTAs will still retry the message (usually for at least a couple
> of days), so you don't lose anything unless your MX is down for an
> extended period of time.
>
>

-- 
Met vriendelijke groeten,

Rense Buijen
Chess Service Management
Tel.: 023-5149250
Email: Servicedesk@chess.nl