
Does Postfix understand "MX 0 ." ?

  • John Levine
    Message 1 of 14, Jun 25, 2013
      There is a somewhat popular convention that if a domain publishes an
      MX like this:

      whatever.example MX 0 .

      it means the domain does not receive mail. There was a draft about it
      in 2005 but it's never been formally standardized and the question has
      arisen how widely implemented it is.

      I don't see anything about it in the postfix docs. Does Postfix
      do anything special with such an MX? Or if not special, does it
      fail deliveries?

      R's,
      John
    • Wietse Venema
      Message 2 of 14, Jun 25, 2013
        John Levine:
        > There is a somewhat popular convention that if a domain publishes an
        > MX like this:
        >
        > whatever.example MX 0 .
        >
        > it means the domain does not receive mail. There was a draft about it
        > in 2005 but it's never been formally standardized and the question has
        > arisen how widely implemented it is.
        >
        > I don't see anything about it in the postfix docs. Does Postfix
        > do anything special with such an MX? Or if not special, does it
        > fail deliveries?

        For all Postfix versions, this is an invalid MX hostname. As of
        Postfix 2.3 an invalid result is a permanent error like NXDOMAIN.

        In other words Postfix does the right thing for "MX 0 ." but
        refuses to treat it like a special case.

        Wietse
      • Jim Reid
        Message 3 of 14, Jun 25, 2013
          On 25 Jun 2013, at 18:01, "John Levine" <johnl@...> wrote:

          > There is a somewhat popular convention that if a domain publishes an
          > MX like this:
          >
          > whatever.example MX 0 .
          >
          > it means the domain does not receive mail.

          Well yes. But it only "works" as long as there are no A or AAAA records for . in the root zone. If that was ever to change, anyone who adopted this Bad Idea will be in for a nasty surprise.

          > I don't see anything about it in the postfix docs. Does Postfix
          > do anything special with such an MX? Or if not special, does it
          > fail deliveries?

          I don't see why any MTA would need or want to have special code to handle this. Or to deploy such code without a proper RFC underpinning it. [If there was an I-D about this which died all those years ago, that should give a fairly strong hint what the IETF thought of the idea.] IMO there's no justification to make MTAs treat the domain name(s) in the RDATA of some MX records as "special cases" which should be handled differently from other domain names that may be found there.

          If someone doesn't want a domain name to get email, the solution is simple. Don't start an SMTP listener. For bonus points, don't publish MX records for the domain either. Avoid having A or AAAA records too, or at least make sure they go somewhere that doesn't listen for SMTP.
        • John Peach
          Message 4 of 14, Jun 25, 2013
            On Tue, 25 Jun 2013 18:22:22 +0100
            Jim Reid <jim@...> wrote:

            > On 25 Jun 2013, at 18:01, "John Levine" <johnl@...> wrote:
            >
            > > There is a somewhat popular convention that if a domain publishes an
            > > MX like this:
            > >
            > > whatever.example MX 0 .
            > >
            > > it means the domain does not receive mail.
            >
            > Well yes. But it only "works" as long as there are no A or AAAA records for . in the root zone. If that was ever to change, anyone who adopted this Bad Idea will be in for a nasty surprise.

            It's useful for rejecting email that purports to be from that domain....

            [snip]

            --
            John
            GPG Public Key: 412934AC
          • Viktor Dukhovni
            Message 5 of 14, Jun 25, 2013
              On Tue, Jun 25, 2013 at 05:01:59PM -0000, John Levine wrote:

              > There is a somewhat popular convention that if a domain publishes an
              > MX like this:
              >
              > whatever.example MX 0 .
              >
              > it means the domain does not receive mail. There was a draft about it
              > in 2005 but it's never been formally standardized and the question has
              > arisen how widely implemented it is.
              >
              > I don't see anything about it in the postfix docs. Does Postfix
              > do anything special with such an MX? Or if not special, does it
              > fail deliveries?

              Postfix reluctantly supports this:

              - Bounces mail addressed to such domains.

              - Refuses mail from such domains when the administrator has chosen
              to use "reject_unknown_sender_domain" in SMTP server restrictions.

              --
              Viktor.
            • Viktor Dukhovni
              Message 6 of 14, Jun 25, 2013
                On Tue, Jun 25, 2013 at 06:22:22PM +0100, Jim Reid wrote:

                > > it means the domain does not receive mail.
                >
                > Well yes. But it only "works" as long as there are no A or AAAA
                > records for . in the root zone. If that was ever to change, anyone
                > who adopted this Bad Idea will be in for a nasty surprise.

                This is inaccurate. Postfix will not perform A/AAAA lookups for ".".

                --
                Viktor.
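The behaviour described in the replies above (a lone "MX 0 ." is an invalid MX hostname, handled as a permanent error with no A/AAAA lookup for ".", and usable as a sender-domain check) can be modelled as follows. This is an added example, not part of the thread and not Postfix code; the function names, the sample records and the rule for an RRset that mixes "." with real hosts are assumptions of this sketch.

```python
# Added illustration, not Postfix source: a model of the routing decisions
# discussed in this thread. All names and sample records are constructed.
from typing import Dict, List, NamedTuple, Tuple

class MX(NamedTuple):
    preference: int
    exchange: str  # target name as published; "." is the DNS root

def parse_mx(line: str) -> Tuple[str, MX]:
    """Parse a zone-file style line such as 'whatever.example MX 0 .'."""
    fields = line.split()
    i = [f.upper() for f in fields].index("MX")  # tolerate TTL/class fields
    owner = fields[0].rstrip(".").lower()
    return owner, MX(int(fields[i + 1]), fields[i + 2].lower())

def route(domain: str, mx: List[MX], has_address: bool) -> Tuple[str, List[str]]:
    """Return (action, hosts) for mail addressed TO `domain`."""
    if mx and all(r.exchange == "." for r in mx):
        # "MX 0 .": invalid MX hostname, so a permanent error like NXDOMAIN.
        # No A/AAAA lookup is made for ".", so root-zone contents are moot.
        return "bounce", []
    # Assumption of this sketch: a "." target mixed with real hosts is skipped.
    usable = sorted((r for r in mx if r.exchange != "."),
                    key=lambda r: r.preference)
    if usable:
        return "deliver", [r.exchange for r in usable]
    if has_address:
        # No MX at all: fall back to the domain's own A/AAAA record. If no
        # SMTP listener answers there, the sender keeps retrying until its
        # queue lifetime expires instead of bouncing at once.
        return "deliver", [domain]
    return "bounce", []  # neither MX nor address record

def sender_acceptable(domain: str, mx: List[MX], has_address: bool) -> bool:
    """Sender-domain check in the spirit of reject_unknown_sender_domain:
    refuse mail claiming to be FROM a domain that cannot receive mail."""
    return route(domain, mx, has_address)[0] != "bounce"

# Constructed sample data: (MX lines, whether an A/AAAA record exists).
SAMPLE: Dict[str, Tuple[List[str], bool]] = {
    "whatever.example": (["whatever.example MX 0 ."], True),
    "web-only.example": ([], True),
    "mail.example": (["mail.example. 3600 IN MX 20 b.mail.example.",
                      "mail.example. 3600 IN MX 10 a.mail.example."], True),
}

def evaluate(sample=SAMPLE):
    """Map each sample domain to ((action, hosts), sender_acceptable)."""
    out = {}
    for domain, (lines, has_address) in sample.items():
        mx = [parse_mx(line)[1] for line in lines]
        out[domain] = (route(domain, mx, has_address),
                       sender_acceptable(domain, mx, has_address))
    return out

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(name, result)
```

The "web-only.example" case is the one the rest of the thread argues about: without a null MX, a domain that only runs a web server still attracts delivery attempts to its address record.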
              • Jim Reid
                Message 7 of 14, Jun 25, 2013
                  On 25 Jun 2013, at 18:53, Viktor Dukhovni <postfix-users@...> wrote:

                  > This is inaccurate. Postfix will not perform A/AAAA lookups for ".".

                  True. But postfix is not the only MTA, even if it is the one that gets discussed on this list. :-)
                • John Levine
                  Message 8 of 14, Jun 25, 2013
                    >> This is inaccurate. Postfix will not perform A/AAAA lookups for ".".
                    >
                    >True. But postfix is not the only MTA, even if it is the one that gets discussed on this list. :-)

                    I would say that if there are A or AAAA records for "." we have worse
                    problems than whether some poorly addressed mail bounces.

                    R's,
                    John
                  • John Levine
                    Message 9 of 14, Jun 25, 2013
                      >If someone doesn't want a domain name to get email, the solution is simple. Don't start an SMTP
                      >listener. For bonus points, don't publish MX records for the domain either. Avoid having A or AAAA
                      >records too, or at least make sure they go somewhere that doesn't listen for SMTP.

                      That "works", but it will take a week of repeated connection attempts
                      before the message times out. As I think I said, the person who asked
                      has a domain a typo away from a very popular one, and would like to
                      get rid of the unwanted traffic efficiently while still having his
                      web server or whatever on the A record.

                      The IETF had and currently has no opinion about this hack either way.
                      I'm trying to figure out whether it's worth resuscitating the draft
                      and publishing it.

                      R's,
                      John
                    • Viktor Dukhovni
                      Message 10 of 14, Jun 25, 2013
                        On Tue, Jun 25, 2013 at 08:55:08PM -0000, John Levine wrote:

                        > > If someone doesn't want a domain name to get email, the solution
                        > > is simple. Don't start an SMTP listener. For bonus points, don't publish
                        > > MX records for the domain either. Avoid having A or AAAA records too, or
                        > > at least make sure they go somewhere that doesn't listen for SMTP.
                        >
                        > That "works", but it will take a week of repeated connection attempts
                        > before the message times out. As I think I said, the person who asked
                        > has a domain a typo away from a very popular one, and would like to
                        > get rid of the unwanted traffic efficiently while still having his
                        > web server or whatever on the A record.
                        >
                        > The IETF had and currently has no opinion about this hack either way.
                        > I'm trying to figure out whether it's worth resuscitating the draft
                        > and publishing it.

                        It also acts as a joe-job deflector, receiving systems can drop mail
                        alleged to be from the domain as a forgery.

                        Does any MTA other than Postfix implement nullmx? If this is
                        supported by Exim, Postfix, and Sendmail the rest have insignificant
                        market share on Unix. Leaving largely in some order:

                        - Microsoft Exchange

                        - Gmail

                        - Yahoo

                        - AOL

                        --
                        Viktor.
                      • Jim Reid
                        Message 11 of 14, Jun 25, 2013
                          On 25 Jun 2013, at 21:55, "John Levine" <johnl@...> wrote:

                          > That "works", but it will take a week of repeated connection attempts
                          > before the message times out.

                          Seems like the right outcome for the circumstances you refer to: the problem lies with the end user who mistyped the domain name -- who does that any more? -- and they alone have to take corrective action to deal with the consequences of their mistake. Nobody else needs to do anything or care. Result!

                          > As I think I said, the person who asked
                          > has a domain a typo away from a very popular one, and would like to
                          > get rid of the unwanted traffic efficiently while still having his
                          > web server or whatever on the A record.

                          Tough. Whoever is in that position is presumably making enough money from the ads on his/her "typosquatted" web site to put up with the hassle.

                          > The IETF had and currently has no opinion about this hack either way.
                          > I'm trying to figure out whether it's worth resuscitating the draft
                          > and publishing it.

                          Well go ahead. The last attempt (if there was one) didn't get very far so maybe you'll do better this time round. Just publish the draft and stop talking about doing that.
                        • John Levine
                          Message 12 of 14, Jun 25, 2013
                            >Does any MTA other than Postfix implement nullmx?

                            I did some experiments. My qmail system rejects on nullmx immediately
                            for roughly the same reason postfix does, a general rejection on bad
                            MX records.

                            Among web mail, Yahoo rejects immediately, Gmail and AOL don't reject
                            immediately and I don't know yet what will eventually happen, and
                            Hotmail/Outlook.com sometimes gives an odd error message and sometimes
                            sends it, again dunno what will eventually happen.

                            So it's not universally implemented, but there's a significant part
                            of the mail world that does it.

                            R's,
                            John
                          • John Levine
                            Message 13 of 14, Jun 25, 2013
                              >> As I think I said, the person who asked
                              >> has a domain a typo away from a very popular one, and would like to
                              >> get rid of the unwanted traffic efficiently while still having his
                              >> web server or whatever on the A record.
                              >
                              >Tough. Whoever is in that position is presumably making enough money from the ads on his/her
                              >"typosquatted" web site to put up with the hassle.

                              This is not a typosquat, it's a live domain that happens by
                              coincidence to be close to some other domain that gets a lot of mail,
                              is in use for stuff other than e-mail, and wants the mail attempts to
                              stop.

                              But more important, I understand your position to be that anyone who
                              types an invalid domain in an e-mail address is a bad person, and
                              deserves to be punished for it by not learning for a week that the
                              message bounced. Interesting viewpoint.

                              R's,
                              John
                            • DTNX Postmaster
                              Message 14 of 14, Jun 25, 2013
                                On Jun 25, 2013, at 23:55, John Levine <johnl@...> wrote:

                                >>> As I think I said, the person who asked
                                >>> has a domain a typo away from a very popular one, and would like to
                                >>> get rid of the unwanted traffic efficiently while still having his
                                >>> web server or whatever on the A record.
                                >>
                                >> Tough. Whoever is in that position is presumably making enough money from the ads on his/her
                                >> "typosquatted" web site to put up with the hassle.
                                >
                                > This is not a typosquat, it's a live domain that happens by
                                > coincidence to be close to some other domain that gets a lot of mail,
                                > is in use for stuff other than e-mail, and wants the mail attempts to
                                > stop.

                                We have a two-letter domain that gets quite a bit of delivery attempts
                                from a three-letter domain that belongs to a large university here. Our
                                registration predates theirs by eight months, but they have both been
                                registered by their original owners for 15+ years.

                                I am not sure how they manage to keep forgetting that extra letter in
                                the days of synced address books and whatnot, especially when the part
                                in front of the @ sign is often ten times as long, but there ya go. It
                                happens.

                                > But more important, I understand your position to be that anyone who
                                > types an invalid domain in an e-mail address is a bad person, and
                                > deserves to be punished for it by not learning for a week that the
                                > message bounced. Interesting viewpoint.

                                How about running a basic MTA for that domain on that IP address, one
                                that rejects all mail to said domain? Or adding MX records to another
                                server that does the same?

                                Instant rejection, problem solved?

                                Mvg,
                                Jona