橡C01.PDF

Size: px

Start display at page:

Download "橡C01.PDF"

ほのかおおふさ
7 years ago
Views:

1 DNS & Mail ( ) InternetWeek 98 ( ) 1998 Motonori Nakamura, Japan Network Information Center 1

2 DNS(Domain Name System) DNS MTA DNS SPAM DNS Wildcard MX CNAME (Canonical NAME) RR CIDR DNS 3. NULL PPP Firewall 4. SPAM 5. Q&A(SMTP) 2

3 1. ν ν ν MUA (M ail User Agent) M TA (M ail Transfer Agent) DNS (Domain Name System) MUA SM TP M TA DNS SM TP M TA MUA M B POP/IMAP/... mailbox MUA MUA MTA MTA DNS mailbox MUA POP IMAP MUA (Mail User Agent) / UNIX ucbmail, RMAIL, mush, MH (mh-e), mew,... Windows OutLook, Netscape Mail, Eudora,... MTA (Mail Transfer Agent) Store and Forward 3

4 MTA 3 Store and Forward MTA Programs sendmail qmail SMAIL (GNU) MMDF (Multi-channel Memo Distribution, CSNET) exim VMail LSMTP PP (X.400) MTA sendmail qmail SMTP - Simple Mail Transfer Protocol RFC821(S) TCP 25 MTA SMTP DNS SMTP SMTP Simple Mail Transfer Protocol RFC821 (S) RFC (S) TCP 25 telnet 25 SMTP MTA SMTP 4

5 SMTP SMTP 220 r.domain SMTP Server ready ( ( ) HELO s.domain ( ) 250 r.domain Hello s.domain MAIL FROM:<[email protected]> ( ) 250 sender ok RCPT TO:<[email protected]> ( ) 250 recipient ok DATA 354 Enter mail, end with "." on a line by itself. ( ) 250 Message accepted for delivery QUIT 221 r.domain closing connection HELO ok ok DATA QUIT SMTP SMTP MTA MUA MTA 5

6 IP host /etc/hosts NIS (YP) DNS (Domain Name System) web ftp host SMTP IP /etc/hosts NIS DNS IP DNS (Domain Name System) IP IP DNS IP MX IP 1 6

7 MTA : ( ): MTA : 7

8 [email protected] %-Hack Route Address UUCP %-Hack ν RFC1123(S) user % sender relay host relay host 1 user % host % relay1 sender relay1 @ %-Hack SPAM 8

9 %-Hack RFC Route Address RFC822 Route Address ν RFC822(S) Route Address ν host sender relay host relay host host MTA sender relay1 relay2 host UUCP UUCP addressing! ν host! user ν relay! host! user UUCP addressing ν host! domain host! domain (Internet )» sender domain host host! domain» sender host domain (UUCP ) Full Name <user@domain> user@domain (Full Name) user(user Name)@domain(Company Name) ( ) RFC822 9

10 Fully Qualified Domain Name / Fully Qualified Mail Address [email protected] user@mailhost Not Qualified Mail Address user Generic Address [email protected] "Fully Qualified Domain Name" / user@mailhost wide.ad.jp jp FQDN ftp web Fully Qualified Mail Fully Qualify Generic Address 10

11 ν (header) (body) SMTP RFC822(S): Standard for the format of arpa internet text messages ν 2 From: [email protected] To: [email protected] Subject: InternetWeek 98 ( ) InternetWeek 98 MUA (Sender) 1 (Recipient) 1 1 From 1 (envelope) / / RFC821(S): Simple Mail Transfer Protocol UUCP rmail SMTP 11

12 2 MTA (header) / / / : : SMTP "Mail From" "Recieved To" MUA MTA MUA 12

13 MUA MUA MTA MTA SMTP ( ) Errors-To: ( ) From:, Reply-To:, (To:, Cc:) 2 Mailer Daemon Postmaster MTA Errors-To SMTP Errors-To SMTP From Reply-To Cc 13

14 MUA : UNIX POP IMAP UNIX POP IMAP 1) ( ) 2) ( ) 3 1 3) ( ) MTA DNS 3 DNS DNS 2 DNS 3 DNS MTA MB DNS Internet SMTP DNS UUCP (JUNET ) ( ) mailconf sendmail.cf 14

15 MTA DNS UUCP JUNET mailconf sendmail.cf DNS DNS A (Address) RR (Resource Record) IP MX (Mail exchanger) RR CNAME (Canonical NAME) RR DNS 3 A A Address ARR RR Resource Record ARR A MX CNAME DNS A Address nslookup A (1) nslookup % nslookup sh.wide.ad.jp. Server: localhost Address: DNS Name: sh.wide.ad.jp IP Address:

16 IP mail.x.co.jp IN A IN A ( ) DNS (?) DNS IP IP % nslookup jp-gate.wide.ad.jp Server: localhost nslookup Address: IP 1 Name: jp-gate.wide.ad.jp. IP Addresses: , , , IP nslookup A (2) Generic : MX (Mail exchanger) RR [email protected] MX A IP x.co.jp x Generic MX 16

17 wide.ad.jp Generic -q=mx % nslookup -q=mx wide.ad.jp. nslookup mail Server: localhost exchanger=sh.wide.ad.jp Address: wide.ad.jp preference = 10, mail exchanger = sh.wide.ad.jp MX mail exchanger : (additional information) sh.wide.ad.jp internet address = MX ν MX A MX IP 2 Generic MX IP 2 IP MX IP MX A nslookup MX MX 17

18 (MX ) ν x.co.jp preference=10 10,, mx=mail1.x.co.jp preference=50 50,, mx=mail2.x.co.jp ν ( ) ν mail2 mail1 mail1 mail2 sender mail1 2 sender mail1 mail2 mail1 mail2 1 2 mail1 mail2 DNS MX preference MX 2 mail1 mail2 preference preference (MX ) sender MX mail1 mail1 sender mail2 mail2 mail1 mail1 mail2 store and forward 1 mail2 5 1 MTA mail1 sender mail2 mail1 18

19 Lower MX ( ) MX RR sendmail -bt $=w qmail IP IP MX RR RR Lower MX mail2 mail1 mail2 mail2 mail1 MX 2 mail1 2 mail2 mail2 SMTP MX first MX MX lower MX MX MTA sendmail sendmail.cf qmail IP IP MX IP qmail 2 2 MX 3 2 MX MTA MTA preference MX 19

20 x.co.jp preference=10, mx=mail1.x.co.jp. preference=10, mx=mail2.x.co.jp. : preference MX ( ) = 1 Sendmail (CF) ACCEPT_ADDRS qmail /var/qmail/control/locals sendmail (CF) ACCEPT_ADDER qmail locals MX 20

21 ( ) DNS 2 DNS MX RR MX MTA DNS 3 MTA DNS DNS DNS /etc/resolv.conf UNIX DNS DNS resolv.conf 1 Solaris /etc/hosts NIS 21

22 /etc/resolv.conf nameserver (localhost ) nameserver nameserver (MAXNS in resolv.h): (75s) domain sub.x.co.jp search sub1.x.co.jp sub2.x.co.jp x.co.jp resolv.conf nameserver IP FQDN domain search host1 host1.x.co.jp Solaris /etc/nsswitch.conf DEC /etc/svc.conf hosts: files dns ServiceSwitchFile (sendmail.cf) : /etc/service.switch hosts dns files nis Solaris /etc/nsswitch.conf "hosts: files dns" sendmail resolver bind 8 DEC /etc/svc.conf sendmail /etc/service.switch "hosts dns files nis" DNS files /etc/hosts DNS MX 22

23 MX MTA sendmail.mx libresolv.a MX sendmail.cf MX_SENDMAIL=yes (CF) ( Wildcard MX ) MX MTA sendmail Sun 2 sendmail.mx OS sendmail sendmail sendmail.cf mailconf CF STATIC_ROUTE_FILE DNS sendmail -bv sendmail -bt /parse MX sendmail -bt /mx sendmail -v sendmail bv -bt /parse MX sendmail -v 23

24 DNS resolv.conf DNS (MX) ( ) DNS resolv.conf DNS 24

25 2. DNS 1 DNS DNS (Domain Name System) Φ IP /etc/hosts DNS Wildcard MX CIDR /etc/hosts ftp DNS Φ ( ) ( ) jp uk com org ac ad co or root ( ) kyoto-u w ide nic janog ad.jp dom ain jp dom ain jp ac kyoto-u wide root jp jp jp ad jp 25

26 : Delegation( ) TOP domain, 2nd(3rd)-level domain: NIC ( ) root root jp ad ac kyoto-u wide DNS Delegation jp ad wide resolver : 1 / 1 26

27 27

28 root zone x.co.jp zone sub1 co.jp zone x sub2 co jp zone wide.ad.jp zone kyoto jp ad wide tokyo delegation ( ) ad.jp zone net NS nic v6 net zone nic.ad.jp zone v6.wide.ad.jp zone root root root JPNIC root jp jp ad co JPNIC NS x.co.jp co 1 x x wide v6 wide v6 v6 wide x.co.jp x wide wide 28

29 ( ) / ( ) (Primary) / (Secondary) Authorized / Unauthorized / 1 1 primary primary ( ) ( ) ( ) : : ( ) bind 8 ( ) 29

30 A B 1 A B 1 30

31 Authorized Server ( ) Unauthorized Server ( ) ( ) ad Unauthorized ns3 ns1 ns2 Authorized Servers wide.ad.jp (resolv.conf) ( ) ns1 ns2 ns3 3 ns1 wide.ad.jp wide.ad.jp ns1 ns2 ad ns1 ns2 Authorized Servers ns3 ns1 ns3 31

32 authoraized unauthoraized unauthoraized : Unauthoritative Answer : ( ) 1 1 DNS URL jp 2 4 root cache 5 ad 1 6 root wide Φ root server root root server (m.root-servers.net) 2 root jp zone Unauthorized Secondary 3 root root zone (root server) 3 jp zone (ns.nic.ad.jp) ad.jp zone (ns.nic.ad.jp) wide.ad.jp zone (ns.wide.ad.jp) 32

33 jp root jp 4 jp ad 5 ad wide wide www root jp ad wide root jp root root m root DNS Servers Berkeley Internet Name Domain (BIND) Server bind bind Windows NT (?) BIND bind x URL Windoes NT OS UNIX bind 33

34 /etc/named.boot (bind 4) /etc/named.conf (bind 8) named-bootconf.pl named.boot named.conf bind 8 BIND '; ' /etc/named.boot /etc/named.conf bind 8 named-bootconf.pl bind 4 bind 8 bind 8 BIND ; named.boot sample of named.boot (bind 4) ; directory /etc/namedb ; ( ) cache. root.cache ; localhost primary localhost localhost primary in-addr.arpa 127.rev ; primary wide.ad.jp wide primary in-addr.arpa rev ; secondary v6.wide.ad.jp sec/v6 34

35 bind 8 named.conf type hint type hint; }; file "wide"; }; IP sample of named.conf (bind 8) options { zone " in-addr.arpa" { directory "/etc/namedb"; type master; }; file 127.rev"; }; zone "." { zone "wide.ad.jp" { file "root.cache"; type master; zone "localhost" { type master; file "localhost"; localhost in-addr.arpa IP local wide wide IP named.conf }; zone " in-addr.arpa" { type master; file rev"; }; zone "v6.wide.ad.jp" { type slave; file "sec/v6"; masters { ; }; }; root cache ftp://ftp.rs.internic.net/domain/named.root 13 (1997/8) m.root-servers.net Firewall root server Forwarders URL

36 Firewall Firewall Firewall fowarders sample of root.cache ; formerly NS.INTERNIC.NET IN NS A IP sample of root.cache IN NS A.ROOT-SERVERS.NET. A.ROOT-SERVERS.NET A ; ; formerly NS1.ISI.EDU NS B.ROOT-SERVERS.NET. B.ROOT-SERVERS.NET A : : ; housed in Japan, operated by WIDE NS M.ROOT-SERVERS.NET. M.ROOT-SERVERS.NET A forwarders : socks firewall slave forwarders ( ) slave (options forward-only or later) : forwarders forward forwarders socks firewall socks4 IP bind 4 slave bind 8 options forward-only 36

37 わせをすべてやめて forwarders に指定されたところに聞きに行くという動作になります firewall の場合ですと問い合わせはある特定のサーバにしか行ってはいけないという設定をすることがあると思いますがそのときにこの slave というのを指定しますこれを指定しないともし forwarders ではなくてネームサーバの情報を知っていたときにはそちらに聞きに行こうとしてしまいますのでそのへんを注意しないといけませんこのへんもどういう状況のときにどういう設定をしないといけないかというのはドキュメントをみて頂いたらよいかと思いますキャッシュの有効利用というのはデータを特定のサーバに集めて無駄なトラフィックを抑える回線が細いときなどに有効ということです sample of localhost ; IN sample of 127.rev localhost. SOA ns.wide.ad.jp. postmaster.wide.ad.jp. ( 1 ; Serial number ; Refresh every 2 days 3600 ; Retry every hour ; Expire every 20 days ); Minimum 2 days ; IN ; in-addr.arpa. SOA ns.wide.ad.jp. postmaster.wide.ad.jp. ( 1 ; Serial number ; Refresh every 2 days 3600 ; Retry every hour ; Expire every 20 days ); Minimum 2 days ; IN NS localhost. ; IN A ; IN NS localhost. IN IN IN PTR A PTR loopback-net localhost. ; ネットワークの名前 ; ネットマスク 21 ネームサーバの中の設定の話になってきますがこのようなデータをいろいろ書いていくことになります localhost に関してはあまり他のサーバとの連携というのが発生しませんのでこのような形になるという例として見ておくだけでよいと思います 37 22

38 sample of wide wide ) IN NS ns.tokyo $ORIGIN wide.ad.jp. wide.ad.jp named.conf sh IN A IN A www IN CNAME endo IN SOA localhost NS MX A sample of wide (cont.) ; $ORIGIN IN SOA ns.wide.ad.jp. two.wide.ad.jp. ( ; Serial 3600 ; Refresh 900 ; Retry ; Expire 3600 ; Minimum IN NS ns1.v6 IN A ns IN MX 10 sh.wide.ad.jp. IN MX 20 jp-gate.wide.ad.jp. ns IN A ns.tokyo IN A sample of wide (cont d) jp-gate IN A endo IN A IN MX 10 endo IN CNAME localhost. v6 IN NS ns1.v6 IN NS ns2.v6 ns2.v6 IN A sample of IP in-adder.arpa ; Expire IP IP 61 IN PTR ns.wide.ad.jp. IP sample of (cont.) ; $ORIGIN IN SOA ns.wide.ad.jp. two.wide.ad.jp. ( ) IN NS ; Serial 3600 ; Refresh 900 ; Retry 3600 ; Minimum ns.wide.ad.jp. ns.tokyo.wide.ad.jp. IN NS 63 IN PTR ns.tokyo.wide.ad.jp. 188 IN PTR ns2.v6.wide.ad.jp. 38

39 1 key [ttl] IN r-id value1 value2... < > < > ttl ttl (SOA, NS, A, MX,...) (r-id ) IN r-id(resource-id) Φ ttl (Time To Live) - Φ IN (class-id) - Internet Domain Φ r-id (resource-id) Φ value SOA NA A MX value key key $ORIGIN <domain> named.{boot,conf} $INCLUDE <filename> [<domain>] FQDN. key wide IN IN 39

40 SOA (Start Of Authority) RR SOA Start Of Authority > ( ; Refresh (2d) ; Minimum TTL (2d) [email protected] motonori.wide.ad.jp SOA (Start Of Authority) IN SOA <Pri-NS > < 1 ; Serial 3600 ; Retry ; Expire (20d) ) SOA Serial Sec-NS Refresh ( ) Sec-NS Serial Retry ( ) Refresh Expire ( ) nslookup... *** ns.provider.ad.jp can't find x.co.jp.: Server failed Minimum TTL (time to live) ( ) ( NS ) Serial Serial Refresh Retry Refresh Retry Expire Expire 40

41 1 Serial 20 TTL Minimum TTL 2d IP MX 1 30 Serial Secondary Primary Serial 32. (?) 1.01 = ("." "000" ) ( ):RFC1912(I) (7fffffff) 2 Serial Serial Serial 41

42 Serial Serial 7fffffff 2 1 Serial Serial named SIGHUP # ndc reload bind 8 BIND_NOTIFY Secondary (Serial ) Secondary bind 8 SIGHUP bind 8 BIND_NOTIFY SIGHUP Secondary FORCED_RELOAD SIGHUP named named-xfer # mv mydomain.zone mydomain.zone.bak # ndc restart bind 8 42

43 NS (Name Server) RR NS (Name Server) RR NS A MX CNAME Φ Pri-NS Sec-NS delegation υ Authorized Server NS NS RR υ Unauthorized Server Φ NS A RR glue record ( zone ) $ORIGIN ad.jp. wide IN NS ns.wide.ad.jp. ; ad.jp.zone delegation ns.wide IN A ; glue record NS NS Authorized Server NS Unauthorized Server NS Authorized NS IP IP wide ns.wide.ad.jp. "ns.wide'. ad.jp ORIGIN IP A glue record( ) delegation NS IP A lame ( ) NS lame NS NS lame ( ) NS Φ Authorized Unauthoritative answer Delegation Primary/Secondary NS Φ Authorized NS 43

44 A (Address) RR A RR IP $ORIGIN wide.ad.jp. sh IN A A RFC Φ (A-Z, a-z) Φ (0-9) Φ (-) Φ ( _ ) (_) RFC bind resolver υ υ RFC1035(S), RFC1123(S) (4.9.4 )bind resolver _ (res_hnok) MX MX (Mail exchanger) RR MX MX Φ MX RR MX Φ. Φ MX A ( ) Φ A sh.wide.ad.jp.wide.ad.jp MX (Mail exchanger) RR $ORIGIN IN MX 10 sh.wide.ad.jp. 1st-MX 44

45 MX DNS MX RR Primary MX / Primary Mail Server First MX / First Mail Server Secondary MX / Secondary Mail Server Lower MX ( wide.ad.jp. [email protected] MX MX RR CNAME MX RR CNAME Lower MX MX RR * named MX Lower MX MX MX MX 45

46 Wildcard MX *.x.co.jp. IN MX 10 mail.x.co.jp. Firewall ( ) : : ; root Wildcard MX GW nohost.x.co.jp host.nosubdom.x.co.jp MX MX * Firewall MX MX specific ns.x.co.jp. IN A *.x.co.jp. IN MX 10 mail.x.co.jp. ns.x.co.jp. IN MX 10 mail.x.co.jp. ( ) MX specific MX ns.x.co.jp. MX Wildcard MX [email protected] sendmail.cf ResolverOptions HasWildcardMX MX RR. 46

47 MX Firewall 1 1 MTA sendmail mail.x.co.jp.x.co.jp sendmail MX ResolverOptions HasWildcardMX CNAME (Canonical NAME) RR $ORIGIN archie wide.ad.jp. IN CNAME sun3.tokyo.wide.ad.jp.. CNAME key key CNAME NS, MX CNAME CNAME archie wide IP MX NS CNAME bind 8 CNAME CNAME RR CNAME RR alias1 alias2 RFC1034(S) IN CNAME alias2 IN CNAME real-name (should not) (should) sendmail 10 (MAXCNAMEDEPTH) named 8 (MAXCNAMES) CNAME 47

48 CNAME (RFC1123(S)) ( )sendmail sendmail.cf MX A IETF CNAME DontExpandCnames (8.7 ) sendmail sendmail.cf CNAME RFC sendmail sendmail CNAME CNAME DNS (1) CNAME CNAME : ( ) (2) MX preference preference MX A Additional Information (DNS ) (3) A MX MX (Additional Info. A ) A 2 (MX A) MX : DNS CNAME MX MX A DNS MX additional inmormation MX A MX MX IP 48

49 MX A MX A Secondary MX IP A ( ): / DNS : DNS A MX DNS MX RR A RR MX /etc/resolv.conf domain sub.x.co.jp search sub.x.co.jp x.co.jp co.jp 3 (MAXDFLSRCH) 2 (LOCALDOMAINPARTS) JP domain RFC1535(I) : bind resolver MX resolve.conf FQDN search sub1.x.co.jp sub2.x.co.jp x.co.jp LOCALDOMAIN 6 (MAXDNSRCH) nic.ad.jp nic.ad.jp.sub.x.co.jp nic.ad.jp.x.co.jp 49

50 nic.ad.jp.co.jp RFC1535(I) nic.ad.jp PTR (domain name PoinTeR) RR IP $ORIGIN in-addr.arpa. 73 IN PTR sh.wide.ad.jp. PTR PTR SPAM IP IP : nslookup IP % nslookup -q=ptr in-addr.arpa. (4.8.3 ) nslookup % nslookup

51 netstat -i -r Φ RFC1101(?): DNS Encoding of Network Names and Other Types Φ netstat -i, -r in-addr.arpa. kuins.kyoto-u.ac.jp in-addr.arpa. IN PTR kuins.kyoto-u.ac.jp. IN A IN PTR in-addr.arpa. IN PTR BASE-ADDRESS.MCAST.NET. HINFO, TXT, WKS HINFO 2! NULL, MB, MG, MR, MINFO (experimental) RFC1035(S) AFSDB, ISDN, RP, RT, X25 PX RFC1183(E) RFC1664(E) localhost/127.in-addr.arpa zone root server $ORIGIN my.domain.jp. localhost IN CNAME localhost localhost.my.domain.jp 51

52 CIDR class less /25 A /26 - B (8 ) CNAME : RFC2317(BCP) Classless IN-ADDR.ARPA delegation NS IP RFC CNAME 1 Classless IN-ADDR.ARPA delegation (cont.) Classless IN-ADDR.ARPA delegation (cont d) Φ Φ $ORIGIN in-addr.arpa. $ORIGIN 0/ in-addr.arpa. ; <<0-127>> /25 0/25 NS IN SOA... IN NS ns.a.domain.jp. 1 IN CNAME 1.0/ in-addr.arpa. 1 IN PTR host1.a.domain.jp. 2 IN CNAME 2.0/ in-addr.arpa. 2 IN PTR host2.a.domain.jp. : : 126 IN CNAME 126.0/ in-addr.arpa. 126 IN PTR host126.a.domain.jp CNAME delegation CIDER Classless IN-ADDR.ARPA delegation (cont d) Φ Φ in-addr.arpa. CNAME 1.0/ in-addr.arpa. PTR host1.a.domain.jp. 52

53 glue? Φ 2 Φ bind4.8.3? A B Φ server A: primary of x.co.jp Φ server B: primary of sub.x.co.jp Φ x.co.jp NS (server C) Φ server C glue server A server B zone transfer (cont.) Φ bad referral NS SOA Φ NS points to a CNAME Φ MX points to a CNAME Φ dangling CNAME pointer CNAME Φ Lame server on 'x.co.jp' Authorized Unauthoritative answer (cont d) Φ Response from unexpected source?? Φ zone "xxx" (class 1) SOA serial# (nn) is < ours (mm) SOA serial! RFC1912(I): Common DNS Operational and Configuration Errors 53

54 DNS Dynamic Update Incremental Zone Transfer (IXFR) Security Extention SIG RR, NXT RR bind 8 54

55 Contents λ λ λ λ λ λ NULL PPP Firewall cf (root ) [email protected] [email protected] [email protected] generic ( )UUCP generic generic generic 55

56 generic sendmail (CF ) ACCEPT_ADDRS='x.co.jp' - (!) FROM_ADDRESS='x.co.jp' - - root, daemon, postmaster,... - ACCEPT_ADDRS='sub1.co.jp sub2.x.co.jp' qmail localnames sub1.co.jp sub2.x.co.jp 56

57 NULL Client MS NULL Client NULL Client [] (MS) CF NULL NULL Client λ NULL λ NULL CF_TYPE=R8V7-null SPOOL_HOST=mail.x.co.jp NullClient SPAM CF SPAM λ (lower MX A RR ) [IP ] PPP PPP UNIX IP IP DNS IP ( user@domain ) 57

58 POP (popclient ) PPP DIRECT_DELIVER_DOAINS=none ) ( DEFAULT_RELAY=mail.provider.ne.jp( ) mail.provider.ne.jp NULL Client POP po.provider.ne.jp FROM_ADDRESS=po.provider.ne.jp SMTP_MAILER_FLAG_ADD e FLAG CON_EXP True SMTP CON_EXP=True SMTP_MAILER_FLAG_ADD=e expencive ( ) (mqueue) 30 sendmail -q sendmail -bd 58

59 PPP userdb, usertable check_compat O DialDelay=15s senddmail userdb sertable (SPAM )check_compat sendmail -q IP sendmail DialDelay=15s 1st-MX - 2nd-MX DNS MX (preference ) 1st-MX( ) 2 ( )2nd-MX 1st-MX 1st-MX (2nd-MX ) 59

60 - 1st-MX aliases - ACCEPT_ADDRS= SECONDARY_*= 1st-MX 1st-MX 2nd-MX aliases 1st-MX 1st-MX 2nd-MX aliases ACCEPT_ADDERS wide wide.ad.jp ACCEPT_ADDERS aliases 1st-MX 1st-MX CF SECONDARY 1st-MX aliases - NIS - rdist newaliases - aliases aliases sendmail (R8) aliases OA/etc/aliases, nis: mail.aliases aliases aliases Firewall Wildcard MX $ORIGIN x.co.jp. * IN MX 10 ext-mail.x.co.jp. Wildcard MX GW Firewall DNS 60

61 Wildcard MX proxy DNS root forwarders socks DNS forwarders 61

62 Firewall (1) DNS 1 a. zone split-brain DNS IP a. split-brain DNS zone zone authorization delegation zone delegation zone 62

63 a. Internet (NS) Internet ( ) DNS Firewall( ) DNS a. b. DNS a. DNS DNS DNS DNS a b 1 NS split-brain DNS ( zone ) NS ( ) 14 63

64 Firewall (2) 2 - DNS - DNS a b Firewall Firewall a NS Internet DNS DNS b NS Internet Firewall 2 NS NS DNS MX SPAM 16 64

65 DIRECT_DELIVER_DOMAINS=x.co.jp DEFAULT_RELAY=external.x.co.jp sendmail external.x.co.jp DIRECT_DELIVER_DOMAINS x.co.jp x.co.jp DEFAULT_RELAY STATIC_ROUTE_FILE=x.static x.static : GW [ ] # (internal.x.co.jp) DOM x.co.jp DNS x.co.jp internal.x.co.jp cn x.static (DOM) x.co.jp (GW) ( internal.x.co.jp ) IP internal.x.co.jp IP [email protected] NS, MS 1... a. NS first MX 65

66 inner-host IN MX 10 inner-host IN MX 20 gw 1st-MX b. GW A RR inner-host IN A IN MX 10 gw a. MX MX first MX Firewall IP (GW) inner-host MX inner-host Firewall Firewall GW inner-host Firewall Firewall 75 Firewall. inner-host GW MX 66

67 c. inner.domain.jp inner.domain.jp.local sendmail.cf STATIC_ROUTE_FILE MAP (CF) inner.domain.jp inner.domain.jp.local DNS sendmail.cf.local STATIC_ROUTE_FILE MAP d. 1 / IP named named listen-on, query-source, transfer-source (bind8.1.2) sendmail sendmail O DaemonPortOptions=Address= virtual host. query bind 8 IP configuration listen-on query-source transfer-source IP configuration configuration sendmail (mq) sendmail DaemonPortOptions Address=

68 virtual host IP sendmail virtual host a, b - - bind8 allow-query IP query b A RR 1st-MX TRY_NULL_MX_LIST=True (CF) O TryNullMXList=True (sendmail.cf) local configuration error GW MX MX MX inner-host 68

69 MTA MX MX inner-host sendmail TryNullMXList MX first MTA 69

70 GW DIRECT_DELIVER_DOMAINS=none DEFAULT_RELAY=internal.x.co.jp DIRECT_DELIVER_DOMAINS=x.co.jp DEFAULT_RELAY=internal.x.co.jp qmail control/smtproutes NULL Client DIRECT_DELIVER_DOMAINS DEFAULT_RELAY Firewall Firewall qmail qmail control smtproutes 70

71 1 a) USERTABLE_MAPS='domain1=hash:/etc/map1 domain2=hash:/etc/map2' b) (1) - 1 IP - sendmail O DaemonPortOptions=Address= chroot accept adders USERTABLE_MAPS domain1 map domain1 domain2 a) ) IP etc chroot etc c) (2) - sendmail.cf local mailer - /etc/passwd - POP OS c sendmail local mailer(binmail mail.local ) sendmail local 71

72 mailer POP POP sendmail chroot local mailer (MX) sendmail sendmail SMTP UUCP ML FallBackMX - DNS - MX mqueue 72

73 - sendmail FallBackMX DNS SMTP FallBackMX mqueue OS ( ) MaxMessageSize - - ESMTP MAIL FROM M= - - sendmail MaxMessageSize M= ESMTP ESMTP ESMTP 73

74 SPAM sendmail.cf CT root news postmaster MAILER-DAEMON uucp cron S0 : R $* $: $1 $ $>3 $&f R motonori $ <@> $: trash <> R motonori $ $=T<@$*> $: trash T R $* $ $* $: $1 : motonori sendmail trash 74

75 SMTP UUCP (3.1Wpatch) sendmail 3.1W patch S0 : R $*<@x.co.jp>$* $# smtp $@ x.co.jp $: $1<@x.co.jp>$2 ( ) $# uucp $@ uucp-x $: $1<@x.co.jp>$2 : SMTP UUCP SMTP UUCP (3.1Wpatch) ML SMTP local %= Mlocal, %=0 Msmtp, %=10 (local mailer ) sendmail ML CF localdeliver user@host user+opt@host [email protected]+opt.forward+default.forward+ml [email protected] Samples/virt-domain+.def cf user+opt@host [email protected] 75

76 DNS WildcardMX sendmail sendmail sendmail EightBitMode=pass8 MIME 8bit SendMimeErrors RFC DSN (Delivery Status Notification) ConnectionCacheSize SMTP run queue PostMasterCopy postmaster DoubleBounceAddress MX Firewall DNS 76

77 SPAM SPAM SPAM SPAM ν ν SPAM MX %-Hack %-Hack MX MX ( ) 77

78 (Mail Bombing) (Spam) Unsolicited Commercial (UCE) ( ) Third-Party Mail Relay ->CPU -> SPAM Dos POP IMAP expire SPAM POP 78

79 SMTP λ MTA SMTP 100 MUA MTA SMTP MTA or MUA 41 79

80 SPAM 1 -> -> CPU SPAM 100 SMTP / IP DNS SMTP SMTP SMTP IP 80

81 (header) / (envelope) / UNIX From Return-Path: 81

82 SMTP SMTP HELO mx1.s.domain 250 post.r.domain Hello mx1.s.domain MAIL 250 sender ok RCPT 250 recipient ok DATA 354 Enter mail, end with "." on a line by itself From: [email protected] To: Subject: Newsletter ( ) [ ]. 250 Message accepted for delivery 46 SMTP HELO MAIL FROM RCPT TO SPAM 100 RCPT TO 100 SMTP SMTP SMTP HELO/EHLO MAIL FROM: < > RCPT TO: < > DATA ( SMTP -> SMTP SMTP 82

83 HELO MAIL FROM RCPT TO FROM TO SMTP SMTP SMTP SMTP SMTP SMTP SMTP SMTP SMTP From:? From:? From:? 83

84 FROM FROM FROM FROM SPAM 84

85 FROM FROM ML OK FROM SMTP λ FROM TO OK FROM TO OK? ( ML) FROM TO FROM TO OK? ( ) FROM TO OK? λ SMTP FROM TO NG? (ISP )! FROM TO NG ( ) FROM TO OK ( ML, NG ) FROM TO OK 50 FROM TO FROM TO forward OK 85

86 FROM TO FROM TO OK OK OK OK FROM TO TO FROM ISP AM POP FROM TO FROM TO OK FROM TO OK TO 86

87 f (h, s, r) = OK, NG h - SMTP s - SMTP r - SMTP SMTP SMTP OK sendmail OK From FROM ISP From ISP From ML ISP FROM POP 87

88 To TO MX - MX - MX MX MX MX MX MX qmail sendmail sendmail qmail sendmail sendmail sendmail 8.8/8.9 - sendmail.cf sendmail m4 CF-3.6W - sendmail 8.9 sendmail.cf (m4, CF-3.7W) sendmail.cf CF-3.7W sendmail sendmail.cf 88

89 8.8 sendmail.cf sendmail m4 8.9 CF 8.6 SMTP sendmail.cf sendmail 8.9 CF SMTP sendmail 8.8 sendmail.cf SMTP check_relay check_mail check_rcpt check_compat 89

90 sendmail 8.9 sendmail 8.8 sendmail 8.9 DNS MX MX... SPAM check_rcpt λ ${client_addr} IP OK OK λ ${client_addr} client_adder SMTP OK OK SMTP check_rcpt λ OK IP λ NG λ OK 58 SMTP CF CF LOCAL_HOST_ 90

91 f (src_host,, ) = OK/NG CLIENT_ f (src_host, from_domain, ) = OK/NG ROAM_ f (src_host, from_user, ) = OK/NG LOCAL_HOST_ OK CLIENT_ ROAM_ CLIENT_ IP OK CLIENT_ IP FROM IP CLIENT* IP FROM ROAM_ IP user@domain 91

92 ALLOW_RELAY_FROM ALLOW_RELAY_TO ALLOW_RELAY_FROM f (*, from_domain, ) = OK/NG from_domain ALLOW_RELAY_TO f (,, to_domain) = OK/NG lower MX ALLOW_RELAY_TO IP to_domain OK MX lower MX MX ALLOW_RELAY_FROM FROM from_domain OK IP FROM ISP SPAM (3.1W ) Sendmail IP CIDR W C{Network} /27 C{Network} _MASKED_ADDRESS_MATCH_ maskedaddr map IP sendmail CIDER C sendmail. 92

93 sendmail 3.1W sendmail IP / IP IP MASKED_ADDRESS_MATCH IP qmail /var/qmail/control/rcphosts Lower MX qmail sendmail rcphosts MX lower MX MX sendmail sendmail.cf IP qmail qmail qmail-smtpd RELAYCLIENT 93

94 qmail-smtpd RELAYCLIENT tcp_wrapper tcpserver (ucspi-tcp) tcpserver IDENT tcprules qmail tcp_wrapper tcpserver tcpserver IDENT SMP OK IDENT tcprules WWW SPAM maps URL 94

95 ISP ISP POP 1) POP 2) 3) SMTP 4) 5) sendmail makemap DB sendmail POP IP IP POP OK IP OK POP IP SMTP IP IP POP sendmail makemap sendmail CF POP IP CF SPAM Hormel Foods Corporation 95

96 (Mail Bombing) (Spam) Unsolicited Commercial (UCE) Unsolicited Bulk (UBE)! SPAM SPAM NetNews Web SPAM SPAM SPAM SPAM 96

97 SPAM SPAM SPAM DNS SPAM DNS ( ) ->MAPS RBL SPAM 97

98 (?) ML MTA SPAM SPAM MAPS RBL ORBS DUL SPAM MAPS RBL MAPS RBL MAPS MailAbuseProtectionSystem RealtimeBlackholeList DNS rbl.maps.vix.com A IP DNS rbl.maps.vix.com BGP DNS IP DNS IP rbl.maps.vix.com DNS sendmail MTA Open Relay 98

99 ORBS ORBS Open Relay Blocking System Open Relay Blocking System MAPS RBL orbs.dorkslayers.com A ORBS Open Relay Open Relay sendmail ORBS DNS ORBS DUL DUL ORCA Dial-up User List - MAPS RBL dul.orac.bc.ca A - MAPS RBL SPAM SHUB MAPS ORBS IP 99

100 SPAM 100

101 spammer sendmail (CF) qmail SPAM_LIST* control/badmailfrom sendmail CF SPAM_LIST* qmail badmailfrom SPAM SPAM - user@host (FQDN - DNS - FQDN 101

102 (sendmail 8.9 ) Kcheckaddress regex -a@match ^([0-9]+<@(aol msn).com [0-9][^<]* <@juno.com.{10}[^<]+<@aol.com).?> R $+ $: $(checkaddress $1 $#error $: "553 Header error" ID (8.9 ) HTo: $> CheckTo SCheckTo R friend@$* $#error $: "553 Header error" HMessage-Id: $> CheckMessageId SCheckMessageId R < $+ > $@ OK R $* $#error $: "553 Header error" λ S p am C an l.org/~tim b / spam can/ friend@ to SPAM ID sendmail SpamCan

103 SPAM - (RFC2142 Mailbox Names for Common Services, Roles and Functions) - Network Abuse Clearinghouse ( RFC2142 abuse.net SPAM SPAM <> - Mailer_daemon procmail Mailer_daemon SPAM SPAM 103

104 MTA MTA MTA MTA Firewall Q:POP SMTP A POP < > 104

MUA (Mail User Agent) MTA (Mail Transfer Agent) DNS (Domain Name System) DNS MUA MTA MTA MUA MB mailbox MB

MUA (Mail User Agent) MTA (Mail Transfer Agent) DNS (Domain Name System) DNS MUA MTA MTA MUA MB mailbox MB »» SMTP MAIL FROM: 250 sender ok RCPT TO: 250 recipient

橡C01.PDF

橡C01.PDF