[RPZ] RPZ and MX

Vernon Schryver vjs at rhyolite.com
Fri Jun 1 23:22:04 UTC 2012


> From: Fred Morris <m3047 at m3047.net>

> > (as yes rpz can be served to a mailserver, IF and ONLY if its responses
> > have been tailored so it isn't claiming to senders that "their domain
> > doesn't exist"
>
> Can you point me to an RFC which covers this response code? I think what
> you're talking about is a common check, but I don't think it's in any RFC
> whatsoever.

Which RFC prohibits tailoring the text after the standardized 3 digit
string and the standardized string of 3 numbers separated by periods?
Section 4.2 of RFC 5321 does not contain a list of all possible text
strings that can appear after the two standardized strings.  If it
did, the IANA would need a registry of registries for localized versions
of the English strings.


> > when it should be claiming "we are not accepting mail from
> > your domain due to policy"
>
> Too much information in my opinion.

What if it's a false positive?  It's nice to include hints in the text
that is supposed (old Hotmail and other outfits notwithstanding) to
be returned to the sender so that the sender can decide whether to try
again, change the message body to avoid naughty words, try another
route, simply shut up, or whatever.

In this particular case, it's polite to tell a human mail sender "you
smell bad" or "you triggered our spam filters" instead of "your domain
name does not exist" so that the human doesn't yell at an innocent DNS
provider.


> In summary rejecting mail because their domain doesn't exist, OR FOR ANY
> OTHER SIMILAR REASON such as internally (within my organization) as NX
> *is* policy based rejection.

Of course, but hints from "you smell bad" to "your domain name is
listed at http://www.domain.com/q=example.com" are valuable.


Vernon Schryver    vjs at rhyolite.com
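An added example, not part of this thread or of any MTA's code, showing the reply-line structure the message refers to: the standardized 3-digit code of RFC 5321 section 4.2, the optional enhanced status code of RFC 3463 (three numbers separated by periods), and the free-form text after them that an operator may tailor to say "policy" rather than "domain does not exist". The sender domain, the 5.7.1 status, and the URL are constructed sample values.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# RFC 5321 4.2 reply line: 3-digit code, then " " (final line) or "-"
# (continuation line of a multiline reply), then text.  An RFC 3463
# enhanced status code (class.subject.detail) may lead the text.
_REPLY_RE = re.compile(
    r"^(?P<code>[2-5][0-5][0-9])(?P<sep>[ -])"
    r"(?:(?P<esc>[245]\.\d{1,3}\.\d{1,3})\s+)?(?P<text>.*)$"
)


@dataclass
class SmtpReply:
    code: str                # standardized 3-digit reply code
    enhanced: Optional[str]  # standardized enhanced status code, if present
    text: str                # free-form text: the only part an operator tailors
    last: bool               # False for "550-..." continuation lines


def parse_reply_line(line: str) -> SmtpReply:
    m = _REPLY_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an SMTP reply line: {line!r}")
    return SmtpReply(m["code"], m["esc"], m["text"], m["sep"] == " ")


def parse_reply(lines: List[str]) -> List[SmtpReply]:
    """Parse a complete (possibly multiline) reply and check its shape."""
    replies = [parse_reply_line(ln) for ln in lines]
    same_code = all(r.code == replies[0].code for r in replies)
    if not same_code or not replies[-1].last or any(r.last for r in replies[:-1]):
        raise ValueError("malformed multiline reply")
    return replies


def policy_rejection(sender_domain: str, info_url: str) -> str:
    # Constructed tailored rejection for an RPZ-listed sender domain: the
    # standardized code (550) and enhanced status (5.7.1, "delivery not
    # authorized" in RFC 3463) stay; only the text is made honest.
    return (f"550 5.7.1 Mail from {sender_domain} refused by local policy; "
            f"see {info_url}")


if __name__ == "__main__":
    # Constructed sample: the misleading reply an MTA emits when RPZ hides the domain.
    print(parse_reply_line("550 5.1.8 sender domain example.com does not exist"))
    print(parse_reply_line(policy_rejection("example.com", "https://example.net/rpz")))
```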
