When is a whitelist not a whitelist?
A while ago I wrote that "Verify Connecting Host Name in DNS" pre-empts both local and DNS whitelists.

I was reminded of this again today by a reader who says:

In our view, this is counterintuitive to the point that it should be classified as a bug. The whitelist is an explicit IP list of good servers. It should be the first list consulted at the protocol level, superseding all other lists. If that were so, one could much more easily recommend turning it on.


It is easy to see why this feature is implemented the way it is - more or less the first thing the Domino server does when accepting an inbound SMTP connection is to check the connecting host name. However, it does not have to decide whether to accept or reject the connection until, at the very least, after:

  • Checking the connecting host name in DNS.
  • Lookups of the IP and DNS name in local whitelists.
  • Lookups of the IP in DNS whitelists.
  • Lookups of the IP and DNS name in local blacklists.
  • Lookups of the IP in DNS blacklists.
  • HELO
  • MAIL FROM

The earliest point at which a Domino server ever issues a 554 rejection is after MAIL FROM (and it sometimes happens later, after RCPT TO or even DATA), and by that time it is already known whether an IP with bad or missing DNS is whitelisted.

In other words, I agree. This is counterintuitive behaviour, and the usefulness of the "Verify Connecting Host Name in DNS" setting would be greatly enhanced if it were possible to use the whitelist to override the rejection of mail from hosts with bad or missing DNS.
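To make the two orderings concrete, here is an added simulation (written for this post, not Domino's own code) of an inbound-connection decision pipeline. The `Connection`, `Policy` and `Verdict` types, the sample addresses and host names, and the reject-message strings are all constructed for illustration; the local and DNS whitelists from the list above are collapsed into one set. `evaluate_current` models the behaviour the post describes (the DNS verification outcome cannot be overridden by the whitelist) and `evaluate_proposed` consults the whitelist first. It also goes slightly beyond the text by modelling a resolver outage on the receiving server, the "missing DNS" case in which every reverse lookup fails at once.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Optional, Set


class Verdict(Enum):
    ACCEPT = "accept"
    # Reject strings are constructed; Domino's real wording differs.
    REJECT_DNS = "554 connecting host name could not be verified in DNS"
    REJECT_BLACKLIST = "554 connecting host is blacklisted"


@dataclass
class Connection:
    ip: str
    reverse_dns: Optional[str]  # PTR result; None models missing or failed DNS
    forward_matches: bool       # does the name's A record point back at ip?


@dataclass
class Policy:
    verify_host_in_dns: bool = True
    whitelist: Set[str] = field(default_factory=set)  # IPs or host names
    blacklist: Set[str] = field(default_factory=set)


def dns_verifies(conn: Connection) -> bool:
    """'Verify Connecting Host Name in DNS': PTR exists and forward-confirms."""
    return conn.reverse_dns is not None and conn.forward_matches


def listed(conn: Connection, entries: Set[str]) -> bool:
    """Both the IP and the DNS name are looked up, as in the post's list."""
    return conn.ip in entries or (
        conn.reverse_dns is not None and conn.reverse_dns in entries
    )


def evaluate_current(conn: Connection, policy: Policy) -> Verdict:
    """Ordering described in the post: a failed DNS check is decisive,
    so a whitelisted host with bad or missing DNS is still rejected."""
    if policy.verify_host_in_dns and not dns_verifies(conn):
        return Verdict.REJECT_DNS
    if listed(conn, policy.whitelist):
        return Verdict.ACCEPT
    if listed(conn, policy.blacklist):
        return Verdict.REJECT_BLACKLIST
    return Verdict.ACCEPT


def evaluate_proposed(conn: Connection, policy: Policy) -> Verdict:
    """Requested ordering: the explicit whitelist is consulted first and
    the DNS check only applies to hosts that are not explicitly trusted."""
    if listed(conn, policy.whitelist):
        return Verdict.ACCEPT
    if policy.verify_host_in_dns and not dns_verifies(conn):
        return Verdict.REJECT_DNS
    if listed(conn, policy.blacklist):
        return Verdict.REJECT_BLACKLIST
    return Verdict.ACCEPT


def run(evaluate: Callable[[Connection, Policy], Verdict],
        conns: List[Connection], policy: Policy) -> Dict[str, Verdict]:
    return {c.ip: evaluate(c, policy) for c in conns}


def count_rejected(results: Dict[str, Verdict]) -> int:
    return sum(1 for v in results.values() if v is not Verdict.ACCEPT)


def resolver_outage(conns: List[Connection]) -> List[Connection]:
    """Model the receiving server's own resolver failing: every reverse
    lookup now fails, whatever the remote host's real DNS looks like."""
    return [Connection(c.ip, None, False) for c in conns]


# Constructed sample policy and connections (RFC 5737 documentation ranges).
POLICY = Policy(
    whitelist={"192.0.2.10", "mail.partner.example"},
    blacklist={"203.0.113.66"},
)
SAMPLE = [
    Connection("192.0.2.10", None, False),                 # whitelisted partner, PTR missing
    Connection("198.51.100.5", "mx.good.example", True),   # unknown host, clean DNS
    Connection("203.0.113.66", "spam.bad.example", True),  # blacklisted, valid DNS
    Connection("203.0.113.77", "bogus.example", False),    # unknown, forward/reverse mismatch
]

if __name__ == "__main__":
    for label, conns in (("normal DNS", SAMPLE), ("resolver outage", resolver_outage(SAMPLE))):
        print(f"== {label} ==")
        for c in conns:
            print(f"{c.ip:15} current={evaluate_current(c, POLICY).name:17}"
                  f" proposed={evaluate_proposed(c, POLICY).name}")
```

Under normal DNS the only row that differs is the whitelisted partner with a missing PTR record, which is exactly the case the post complains about. Under the resolver-outage rows, the current ordering rejects every connection, while the proposed ordering still accepts the explicitly whitelisted partner; that is the operational argument for consulting the whitelist first.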

If anyone at IBM is listening, could you fix this please?

Category: Domino: Administration

Comments :

1. Andy Yett, 14/12/2006 13:49:46
Homepage: http://www.interplex.com


Domino needs to be leading in the battle against spam, not trailing. Making a simple change like this could help greatly. How about including in 7.0.3?




2. Chris Linfoot, 14/12/2006 14:26:08


I'd certainly vote for that.




3. John Noltensmeyer, 14/12/2006 18:00:15


I live in fear of enabling the "Verify Connecting Host Name in DNS" option due to an incident where DNS failed on our primary inbound Domino SMTP server. It took several hours for us to detect the problem (server was primary for inbound only so mail wasn't queuing on the box and the DNS problem was specific only to this server) and we rejected EVERY inbound message during that time.

If Domino checked whitelists before attempting to verify connecting hosts in DNS, the problem wouldn't have been nearly as significant since we whitelist our major business partners.

Hence I strongly endorse your suggestion.



