[svlug] Configuring an MTA (was Re: Internet Cables Cut -- Two Articles)
Rick Moen
rick at linuxmafia.com
Thu Feb 7 18:09:09 PST 2008
Quoting Daniel Gimpelevich (daniel at gimpelevich.san-francisco.ca.us):
> IME, Iran is where they have the worst-configured *nix MTAs in the world.
> It seems an OK practice over there to send autoresponses to anyone even
> slightly suspected of spamming, and then repeat those autoresponses over
> and over for an entire week.
FWIW, the lion's share of spam hitting my IPs has seemed, over the past
couple of years, to come from Korean, Chinese, and Italian IPs. That's
to the best of my recollection; I haven't done logfile analysis lately.
Somebody who's studied that matter in some depth is Karsten M. Self
(relying in part on crunching of _my_ MTA logs), e.g., his 2006 paper "CIDR
House Rules" in which he matched ASN numbers (used in border routing) to
spam sources. See: http://linuxmafia.com/~karsten/cidr-house-rules.pdf
(Obviously, this has nothing particularly to do with autoresponses, but
relates to the broader matter of MTA configuration in various countries,
as I suspect much of that spam comes through open forwarders.)
> At one of the recent SF-LUG meetings, the correct response to "How do I
> configure sendmail/postfix/exim to properly route e-mail amongst machines
> on a LAN behind NAT, and still properly gateway that mail to and from the
> Internet?" ended up having to be "Just don't!" because of the endless
> possible issues involved.
It _can_ be done, but entails solving a couple of issues that you avoid
if you just run your MTA _on_ the gateway, instead. My impression is
that the people who ask this question are already wedded to a D-Link or
similar "firewall" appliance running in that role, such that they resist
the notion of exposing a *ix box's outside interface to the big, bad
Internet and letting _it_ do NAT and IP/port filtering, instead -- which
is of course a separate discussion.
In many cases, they're also on dynamic IP, which creates even more
obstacles and configuration issues for MTAs regardless of whether the
gateway's a dedicated appliance or a real *ix box. That's a difficult
one, because there's still an engrained prejudice against being willing
to either deliver to or accept SMTP mail from an IP in a dynamic block
(with or without a DDNS presence).
It would indeed be good to write up a good set of recommendations for
such scenarios. I'm probably not the guy for that, lacking a lot of
experience with them.
Alvin wrote:
> now that's hilarious, but i'd say leave reiber out of those comments
> politics was supposed to be dead in this list
<hat="just another subscriber">
I thought it was tacky.
_SVLUG organisational matters_ are off-topic and supposed to go to
the Volunteers mailing list, if anywhere.
</hat>