SRS and Relay Blocking

From Messaging Server Technical Reference Wiki
Revision as of 17:46, 30 April 2017 by BulkPageCreator (Talk | contribs)

Jump to: navigation, search

Prior to the 8.0 release, decoding of SRS addresses happened invisibly before all other address processing (including probing of access mapping tables such as ORIG_SEND_ACCESS), with the result that when a remote site bounced a message from an SRS encoded sender address, the notification message returning to the encoded SRS address came to the MTA which decoded the address to (typically) discover a remote sender address and potentially reject the notification message as an attempt to "relay" (a notification message from a remote site to a remote original sender, in its attempt to pass through the MTA). As of 8.0, the still-SRS-encoded address is used in the ORIG_SEND_ACCESS probe, nullifying this problem. Meantime, in earlier versions, there is an approach to work around this problem.

Configuring with the access_orcpt=2 and modifying the entries of the ORIG_SEND_ACCESS mapping table to expect an ORCPT field in each probe is one way to work around such an issue. In the following example, all the "usual" entries of ORIG_SEND_ACCESS have been modified to expect an additional field in the probe, the "orcpt" field, and an initial entry (prior to the basic tcp_local -> tcp_local block entry) has been added to allow passing through addresses that turn out to be "remote" when the MTA's own SRS encoding is removed:


! Allow "relaying" of responses (such as notification messages) back to 
! those original messages that came from remote senders to originally local 
! recipients which the MTA relayed onwards, SRS-encoded, to remote recipients.
! That is, these are messages (notification messages) from remote sites to
! which local users had forwarded their e-mail, back to original senders to 
! those (forwarding) local users:
! such messages that come in addressed using an SRS encoding with this MTA's
! own srs_domain, but which (once SRS encoding is removed) end up addressed
! back to a "remote" address.
  tcp_local|*|tcp_local|*|rfc822;SRS0=*<srs_domain>    $Y
! Normal relay blocking entry
  tcp_local|*|tcp_local|*|*               $NRelaying$ not$ permitted 
! Block direct submission to MTA "intermediate" channels
  tcp_*|*|native|*|*       $N
  tcp_*|*|hold|*|*         $N
  tcp_*|*|pipe|*|*         $N
! Block direct submission to Message Store delivery channels; 
! routing to such channel should only occur due to MTA address/alias
! processing
  tcp_*|*|ims-ms|*|*        $N
  tcp_*|tcp_lmtpcs*|*|*     $N
! Block "external" submissions of explicitly source-routed "internal" addresses 
  tcp_local|*|tcp_intranet|@*:*.*|*   $N$D30|Explicit$ routing$ not$ allowed 
  tcp_local|*|tcp_intranet|*$%*@*|*   $N$D30|Explicit$ routing$ not$ allowed 
  tcp_local|*|tcp_intranet|*.*!*@*|*  $N$D30|Explicit$ routing$ not$ allowed 
  tcp_local|*|tcp_intranet|"*@*"@*|*  $N$D30|Explicit$ routing$ not$ allowed 

See also: