DNS & Mail ( ) 1998 12 15 InternetWeek 98 ( ) 1998 Motonori Nakamura, Japan Network Information Center 1
DNS(Domain Name System) DNS MTA DNS SPAM 1. 3 2. DNS Wildcard MX CNAME (Canonical NAME) RR CIDR DNS 3. NULL PPP Firewall 4. SPAM 5. Q&A(SMTP) 2
1. ν ν ν MUA (M ail User Agent) M TA (M ail Transfer Agent) DNS (Domain Name System) MUA SM TP M TA DNS SM TP M TA MUA M B POP/IMAP/... mailbox MUA MUA MTA MTA DNS mailbox MUA POP IMAP MUA (Mail User Agent) / UNIX ucbmail, RMAIL, mush, MH (mh-e), mew,... Windows OutLook, Netscape Mail, Eudora,... MTA (Mail Transfer Agent) Store and Forward 3
MTA 3 Store and Forward MTA Programs sendmail qmail SMAIL (GNU) http://www.sendmail.org/ http://www.qmail.org/ MMDF (Multi-channel Memo Distribution, CSNET) exim VMail LSMTP PP (X.400) http://www.exim.org/ http://wzv.win.tue.nl/vmail/ http://www.lsoft.com/lsmtp.html MTA sendmail qmail SMTP - Simple Mail Transfer Protocol RFC821(S) TCP 25 MTA SMTP DNS SMTP SMTP Simple Mail Transfer Protocol RFC821 (S) RFC (S) TCP 25 telnet 25 SMTP MTA SMTP 4
SMTP session example (S = sending MTA, R = receiving MTA):

    R: 220 r.domain SMTP Server ready
    S: HELO s.domain
    R: 250 r.domain Hello s.domain
    S: MAIL FROM:<sender@s.domain>
    R: 250 sender ok
    S: RCPT TO:<recipient@r.domain>
    R: 250 recipient ok
    S: DATA
    R: 354 Enter mail, end with "." on a line by itself.
    S: (message headers and body)
    S: .
    R: 250 Message accepted for delivery
    S: QUIT
    R: 221 r.domain closing connection

HELO ok ok DATA.... 2. 1 QUIT SMTP SMTP MTA MUA MTA 5
user@host IP host 12.34.56.78 /etc/hosts NIS (YP) DNS (Domain Name System) web ftp URL user@host @ host SMTP IP /etc/hosts NIS DNS IP DNS (Domain Name System) IP IP DNS IP MX @ MX IP 1 6
MTA : ( ): MTA : 7
/ @ motonori@wide.ad.jp %-Hack Route Address UUCP addressing @ %-Hack ν RFC1123(S) user % host @ relay @ sender relay host relay user @ host 1 user % host % relay2 @ relay1 sender relay1 relay2 host @ @ @ %-Hack @ user%host @relay % @ %-Hack SPAM 8
%-Hack RFC Route Address RFC822 Route Address %-Hack @relay: ν RFC822(S) Route Address user@host ν %-Hack @relay: user @ host sender relay host relay user @ host @relay1, @relay2: user @ host MTA sender relay1 relay2 host UUCP UUCP addressing! ν host! user ν relay! host! user UUCP addressing ν host! user @ domain host! user @ domain (Internet )» sender domain host host! user @ domain» sender host domain (UUCP ) Full Name <user@domain> user@domain (Full Name) user(user Name)@domain(Company Name) ( ) RFC822 9
Fully Qualified Domain Name / Fully Qualified Mail Address user@mailhost.wide.ad.jp user@mailhost Not Qualified Mail Address user Generic Address user@wide.ad.jp "Fully Qualified Domain Name" / user@mailhost wide.ad.jp jp FQDN ftp web Fully Qualified Mail Address @ Fully Qualified @ Qualify Qualify @ Generic Address 10
ν (header) (body) SMTP RFC822(S): Standard for the format of arpa internet text messages ν 2 From: announce@nic.ad.jp To: motonori@wide.ad.jp Subject: InternetWeek 98 ( ) InternetWeek 98 MUA (Sender) 1 (Recipient) 1 1 From 1 (envelope) / / RFC821(S): Simple Mail Transfer Protocol UUCP rmail SMTP 11
2 MTA (header) / / / : : SMTP "Mail From" "Recieved To" MUA MTA MUA 12
MUA MUA MTA MTA SMTP ( ) Errors-To: ( ) From:, Reply-To:, (To:, Cc:) 2 Mailer Daemon Postmaster MTA Errors-To SMTP Errors-To SMTP From Reply-To Cc 13
MUA : UNIX POP IMAP UNIX POP IMAP 1) ( ) 2) ( ) 3 1 3) ( ) MTA DNS 3 MTA @ DNS DNS 2 DNS 3 DNS MTA MB DNS Internet SMTP DNS UUCP (JUNET ) ( ) mailconf sendmail.cf 14
MTA DNS UUCP JUNET mailconf sendmail.cf DNS DNS A (Address) RR (Resource Record) IP MX (Mail exchanger) RR CNAME (Canonical NAME) RR DNS 3 A A Address ARR RR Resource Record ARR A MX CNAME DNS A Address nslookup A (1) nslookup

    % nslookup sh.wide.ad.jp.
    Server:   localhost
    Address:  127.0.0.1

    Name:     sh.wide.ad.jp
    Address:  203.178.137.73

15
IP

    mail.x.co.jp    IN A 12.34.56.78
                    IN A 12.34.54.32

( ) DNS (?) DNS IP IP

    % nslookup jp-gate.wide.ad.jp
    Server:   localhost
    Address:  127.0.0.1

    Name:       jp-gate.wide.ad.jp.
    Addresses:  203.178.137.17, 203.178.136.81, 203.178.137.75, 203.178.136.89

IP nslookup A (2) Generic : MX (Mail exchanger) RR user@x.co.jp MX A IP x.co.jp x Generic MX 16
wide.ad.jp Generic -q=mx

    % nslookup -q=mx wide.ad.jp.
    Server:   localhost
    Address:  127.0.0.1

    wide.ad.jp      preference = 10, mail exchanger = sh.wide.ad.jp
    sh.wide.ad.jp   internet address = 203.178.137.73     (additional information)

MX ν MX A MX IP 2 Generic MX IP 2 IP MX IP MX A nslookup MX MX 17
(MX ) ν

    x.co.jp    preference=10, mx=mail1.x.co.jp
               preference=50, mx=mail2.x.co.jp

ν ( ) ν mail2 mail1 mail1 mail2 sender mail1 2 sender mail1 mail2 mail1 mail2 1 2 mail1 mail2 DNS MX preference MX 2 mail1 mail2 preference 10 50 preference (MX ) sender MX mail1 mail1 sender mail2 mail2 mail1 mail1 mail2 store and forward 1 mail2 5 1 MTA mail1 sender mail2 mail1 18
Lower MX ( ) MX RR sendmail -bt $=w qmail IP IP MX RR RR Lower MX mail2 mail1 mail2 mail2 mail1 MX 2 mail1 2 mail2 mail2 SMTP MX first MX MX lower MX MX MTA sendmail sendmail.cf qmail IP IP MX IP qmail 2 2 MX 3 2 MX 2 3 3 2 3 MTA MTA preference MX 19
x.co.jp preference=10, mx=mail1.x.co.jp. preference=10, mx=mail2.x.co.jp. : preference MX ( ) = 1 Sendmail (CF) ACCEPT_ADDRS qmail /var/qmail/control/locals sendmail (CF) ACCEPT_ADDER qmail locals MX 20
( ) DNS 2 DNS MX RR MX MTA DNS 3 MTA DNS DNS DNS /etc/resolv.conf UNIX DNS DNS resolv.conf 1 Solaris /etc/hosts NIS 21
/etc/resolv.conf:

    nameserver 0.0.0.0        (localhost - 127.0.0.1)
    nameserver 12.34.56.78
    nameserver 12.34.56.79    (max 3: MAXNS in resolv.h; 75s)
    domain sub.x.co.jp
    search sub1.x.co.jp sub2.x.co.jp x.co.jp

resolv.conf nameserver IP FQDN domain search host1 host1.x.co.jp

    Solaris /etc/nsswitch.conf:                  hosts: files dns
    DEC /etc/svc.conf
    ServiceSwitchFile (sendmail.cf) /etc/service.switch:   hosts dns files nis

Solaris /etc/nsswitch.conf "hosts: files dns" sendmail resolver bind 8 DEC /etc/svc.conf sendmail /etc/service.switch "hosts dns files nis" DNS files /etc/hosts DNS MX 22
MX MTA sendmail.mx libresolv.a MX sendmail.cf MX_SENDMAIL=yes (CF) ( Wildcard MX ) MX MTA sendmail Sun 2 sendmail.mx OS sendmail sendmail sendmail.cf mailconf CF STATIC_ROUTE_FILE DNS sendmail -bv sendmail -bt /parse MX sendmail -bt /mx sendmail -v sendmail bv -bt /parse MX sendmail -v 23
DNS resolv.conf DNS (MX) ( ) DNS resolv.conf DNS 24
2. DNS 1 DNS DNS (Domain Name System) Φ IP /etc/hosts DNS Wildcard MX CIDR /etc/hosts ftp DNS Φ ( ) ( ) jp uk com org ac ad co or root ( ) kyoto-u w ide nic janog ad.jp dom ain jp dom ain jp ac kyoto-u wide root jp jp jp ad jp 25
: Delegation( ) TOP domain, 2nd(3rd)-level domain: NIC ( ) root root jp ad ac kyoto-u wide DNS Delegation jp ad wide resolver : 1 / 1 26
27
root zone x.co.jp zone sub1 co.jp zone x sub2 co jp zone wide.ad.jp zone kyoto jp ad wide tokyo delegation ( ) ad.jp zone net NS nic v6 net zone nic.ad.jp zone v6.wide.ad.jp zone root root root JPNIC root jp jp ad co JPNIC NS x.co.jp co 1 x x wide v6 wide v6 v6 wide x.co.jp x wide wide 28
( ) / ( ) (Primary) / (Secondary) Authorized / Unauthorized / 1 1 primary primary ( ) ( ) ( ) : : ( ) bind 8 ( ) 29
A B 1 A B 1 30
Authorized Server ( ) Unauthorized Server ( ) ( ) ad Unauthorized ns3 ns1 ns2 Authorized Servers wide.ad.jp (resolv.conf) ( ) ns1 ns2 ns3 3 ns1 wide.ad.jp wide.ad.jp ns1 ns2 ad ns1 ns2 Authorized Servers ns3 ns1 ns3 31
authoraized unauthoraized unauthoraized : Unauthoritative Answer : ( ) 1 1 DNS URL 1 www.wide.ad.jp 1 jp 2 4 root cache 5 ad 1 6 root www.wide.ad.jp wide Φ root server root root server (m.root-servers.net) 2 root jp zone Unauthorized Secondary 3 root root zone (root server) 3 jp zone (ns.nic.ad.jp) ad.jp zone (ns.nic.ad.jp) wide.ad.jp zone (ns.wide.ad.jp) 32
jp root jp 4 jp ad 5 ad wide wide www www.wide.ad.jp root jp ad wide root jp root root m root DNS Servers Berkeley Internet Name Domain (BIND) Server bind 4.9.7 bind 8.1.2 http://www.isc.org/bind.html Windows NT (?) BIND 4.9.7 8.1.2 bind 8 4.9.x URL Windows NT OS UNIX bind 33
/etc/named.boot (bind 4) /etc/named.conf (bind 8) named-bootconf.pl named.boot named.conf bind 8 BIND ';' /etc/named.boot /etc/named.conf bind 8 named-bootconf.pl bind 4 bind 8 bind 8 BIND

    ; sample of named.boot (bind 4)
    directory /etc/namedb
    ; ( )
    cache     .                                root.cache
    ; localhost
    primary   localhost                        localhost
    primary   0.0.127.in-addr.arpa             127.rev
    ;
    primary   wide.ad.jp                       wide
    primary   136.178.203.in-addr.arpa         203.178.136.rev
    ;
    secondary v6.wide.ad.jp  203.178.136.188   sec/v6

34
bind 8 named.conf: type hint, type master, type slave, file, masters IP

    // sample of named.conf (bind 8)
    options {
        directory "/etc/namedb";
    };
    zone "." {
        type hint;
        file "root.cache";
    };
    zone "localhost" {
        type master;
        file "localhost";
    };
    zone "0.0.127.in-addr.arpa" {
        type master;
        file "127.rev";
    };
    zone "wide.ad.jp" {
        type master;
        file "wide";
    };
    zone "136.178.203.in-addr.arpa" {
        type master;
        file "203.178.136.rev";
    };
    zone "v6.wide.ad.jp" {
        type slave;
        file "sec/v6";
        masters { 203.178.136.188; };
    };

localhost 0.0.127.in-addr.arpa IP local wide wide IP named.conf root cache ftp://ftp.rs.internic.net/domain/named.root 13 (1997/8) m.root-servers.net Firewall root server Forwarders URL 13 8 35
Firewall Firewall Firewall forwarders

    ; sample of root.cache
    ;
    ; formerly NS.INTERNIC.NET
    .                       3600000  IN  NS  A.ROOT-SERVERS.NET.
    A.ROOT-SERVERS.NET.     3600000      A   198.41.0.4
    ;
    ; formerly NS1.ISI.EDU
    .                       3600000      NS  B.ROOT-SERVERS.NET.
    B.ROOT-SERVERS.NET.     3600000      A   128.9.0.107
    :
    ; housed in Japan, operated by WIDE
    .                       3600000      NS  M.ROOT-SERVERS.NET.
    M.ROOT-SERVERS.NET.     3600000      A   202.12.27.33

forwarders : socks firewall

    forwarders 12.34.56.79     ( )
    slave                      (options forward-only - 4.9.3 or later)

: forwarders forward forwarders socks firewall socks4 IP bind 4 slave bind 8 options forward-only 36
...stops all other querying and instead sends every query to the servers listed in forwarders. In a firewall environment you may have a rule that queries may go only to one particular server; that is the situation in which you specify this slave. If you do not specify it, then whenever the server happens to know of name servers other than the forwarders it will try to query those directly, so take care. Which settings are needed in which situation is something to check in the documentation. "Effective use of the cache" means concentrating data on a particular server to suppress wasteful traffic, which is useful when the link is thin.

    ; sample of localhost
    $ORIGIN localhost.
    @   IN SOA ns.wide.ad.jp. postmaster.wide.ad.jp. (
                1        ; Serial number
                172800   ; Refresh every 2 days
                3600     ; Retry every hour
                1728000  ; Expire every 20 days
                172800 ); Minimum 2 days
        IN NS  localhost.
        IN A   127.0.0.1

    ; sample of 127.rev
    $ORIGIN 0.0.127.in-addr.arpa.
    @   IN SOA ns.wide.ad.jp. postmaster.wide.ad.jp. (
                1        ; Serial number
                172800   ; Refresh every 2 days
                3600     ; Retry every hour
                1728000  ; Expire every 20 days
                172800 ); Minimum 2 days
        IN NS  localhost.
        IN PTR loopback-net.   ; network name
        IN A   255.0.0.0       ; netmask
    1   IN PTR localhost.

21 Now we are getting into the settings inside the name server itself; you will be writing various data of this kind. For localhost there is hardly any interaction with other servers, so it is enough to look at this as an example of the form such data takes. 37 22
sample of wide (the wide.ad.jp zone file named in named.conf; shows SOA, NS, MX, A and CNAME records):

    ; $ORIGIN wide.ad.jp.
    @          IN SOA ns.wide.ad.jp. two.wide.ad.jp. (
                       1998112301 ; Serial
                       3600       ; Refresh
                       900        ; Retry
                       3600000    ; Expire
                       3600 )     ; Minimum
               IN NS  ns
               IN NS  ns.tokyo
               IN MX  10 sh.wide.ad.jp.
               IN MX  20 jp-gate.wide.ad.jp.
    ns         IN A   203.178.136.63
    ns.tokyo   IN A   203.178.136.61
    sh         IN A   203.178.137.73
               IN A   203.178.136.81
    jp-gate    IN A   203.178.137.75
    endo       IN A   203.178.137.71
               IN MX  10 endo
    www        IN CNAME endo
    localhost  IN CNAME localhost.
    v6         IN NS  ns1.v6
               IN NS  ns2.v6
    ns1.v6     IN A   163.221.11.21
    ns2.v6     IN A   203.178.136.188

sample of 203.178.136 (reverse zone, in-addr.arpa: IP to name, PTR records):

    ; $ORIGIN 136.178.203.in-addr.arpa.
    @      IN SOA ns.wide.ad.jp. two.wide.ad.jp. (
                   1998100401 ; Serial
                   3600       ; Refresh
                   900        ; Retry
                   3600000    ; Expire
                   3600 )     ; Minimum
           IN NS  ns.wide.ad.jp.
           IN NS  ns.tokyo.wide.ad.jp.
    61     IN PTR ns.tokyo.wide.ad.jp.
    63     IN PTR ns.wide.ad.jp.
    188    IN PTR ns2.v6.wide.ad.jp.

38
1 key [ttl] IN r-id value1 value2... < > < > ttl ttl (SOA, NS, A, MX,...) (r-id ) IN r-id(resource-id) Φ ttl (Time To Live) - Φ IN (class-id) - Internet Domain Φ r-id (resource-id) Φ value SOA NA A MX value key key $ORIGIN <domain> named.{boot,conf} $INCLUDE <filename> [<domain>] FQDN. key wide IN IN NS @ 39
SOA (Start Of Authority) RR

    @ IN SOA <Pri-NS> <responsible mailbox> (
                1         ; Serial
                172800    ; Refresh (2d)
                3600      ; Retry
                1728000   ; Expire (20d)
                172800 )  ; Minimum TTL (2d)

Φ @ . motonori.wide.ad.jp = motonori@wide.ad.jp (the "@" of the mailbox is written as ".") SOA Serial Sec-NS Refresh ( ) Sec-NS Serial Retry ( ) Refresh Expire ( ) nslookup...

    *** ns.provider.ad.jp can't find x.co.jp.: Server failed

Minimum TTL (time to live) ( ) ( NS ) Serial Serial Refresh Retry Refresh Retry 3600 1 Expire Expire 40
1 Serial 20 TTL Minimum TTL 2d 2 1 2 IP MX 1 30 Serial Secondary Primary Serial 32. (?) 1.01 = 100001 ("." "000" ) 1997122501 100 4294 ( ):RFC1912(I) 1 2147483647(7fffffff) 2 Serial 32 1997122501 1997122501 1997 12 25 1 32 4294. 0 3.. 3. 32 4294 Serial Serial 41
Serial Serial 7fffffff 2 1 Serial Serial named SIGHUP # ndc reload bind 8 BIND_NOTIFY Secondary (Serial ) Secondary bind 8 SIGHUP bind 8 BIND_NOTIFY SIGHUP Secondary FORCED_RELOAD SIGHUP named named-xfer # mv mydomain.zone mydomain.zone.bak # ndc restart bind 8 42
NS (Name Server) RR NS (Name Server) RR NS A MX CNAME Φ Pri-NS Sec-NS delegation υ Authorized Server NS NS RR υ Unauthorized Server Φ NS A RR glue record ( zone )

    $ORIGIN ad.jp.
    wide     IN NS ns.wide.ad.jp.    ; ad.jp zone: delegation
    ns.wide  IN A  203.178.136.63    ; glue record

NS NS Authorized Server NS Unauthorized Server NS Authorized NS IP IP wide ns.wide.ad.jp. "ns.wide". ad.jp ORIGIN IP A glue record( ) delegation NS IP A lame ( ) NS lame NS NS lame ( ) NS Φ Authorized Unauthoritative answer Delegation Primary/Secondary NS Φ Authorized NS 43
A (Address) RR A RR IP

    $ORIGIN wide.ad.jp.
    sh   IN A 203.178.137.73

A RFC1035 1123 Φ (A-Z, a-z) Φ (0-9) Φ (-) Φ ( _ ) (_) RFC bind resolver υ υ RFC1035(S), RFC1123(S) (4.9.4 )bind resolver _ (res_hnok) MX MX (Mail exchanger) RR MX MX Φ MX RR MX Φ. Φ MX A ( ) Φ A sh.wide.ad.jp.wide.ad.jp MX (Mail exchanger) RR

    $ORIGIN wide.ad.jp.
    @    IN MX 10 sh.wide.ad.jp.

1st-MX 44
MX DNS MX RR Primary MX / Primary Mail Server First MX / First Mail Server Secondary MX / Secondary Mail Server Lower MX ( ) @ wide.ad.jp. user@wide.ad.jp MX MX RR CNAME MX RR CNAME Lower MX MX RR * named MX Lower MX MX MX 2 3 1 MX 45
Wildcard MX

    *.x.co.jp.    IN MX 10 mail.x.co.jp.

Firewall ( ) : : ; root Wildcard MX GW nohost.x.co.jp host.nosubdom.x.co.jp MX MX * Firewall MX MX specific

    ns.x.co.jp.   IN A  12.34.56.78
    *.x.co.jp.    IN MX 10 mail.x.co.jp.
    ns.x.co.jp.   IN MX 10 mail.x.co.jp.    ( ) specific MX

MX ns.x.co.jp. MX Wildcard MX user@mail.x.co.jp.x.co.jp sendmail.cf ResolverOptions HasWildcardMX MX RR. 46
MX Firewall 1 1 MTA sendmail mail.x.co.jp.x.co.jp sendmail MX ResolverOptions HasWildcardMX CNAME (Canonical NAME) RR

    $ORIGIN wide.ad.jp.
    archie   IN CNAME sun3.tokyo.wide.ad.jp.

CNAME key key CNAME NS, MX CNAME CNAME archie wide IP MX NS CNAME bind 8 CNAME CNAME RR CNAME RR RFC1034(S)

    alias1   IN CNAME alias2
    alias2   IN CNAME real-name

(should not) (should) sendmail 10 (MAXCNAMEDEPTH) named 8 (MAXCNAMES) CNAME 47
CNAME (RFC1123(S)) ( )sendmail sendmail.cf MX A IETF CNAME DontExpandCnames (8.7 ) sendmail sendmail.cf CNAME RFC sendmail sendmail CNAME CNAME DNS (1) CNAME CNAME : ( ) (2) MX preference preference MX A Additional Information (DNS ) (3) A MX MX (Additional Info. A ) A 2 (MX A) MX : DNS CNAME MX MX A DNS MX additional information MX A MX MX IP 48
MX A MX A Secondary MX IP A ( ): / DNS : DNS A MX DNS MX RR A RR MX /etc/resolv.conf domain sub.x.co.jp search sub.x.co.jp x.co.jp co.jp 3 (MAXDFLSRCH) 2 (LOCALDOMAINPARTS) JP domain RFC1535(I) : bind resolver MX resolve.conf FQDN search sub1.x.co.jp sub2.x.co.jp x.co.jp LOCALDOMAIN 6 (MAXDNSRCH) nic.ad.jp nic.ad.jp.sub.x.co.jp nic.ad.jp.x.co.jp 49
nic.ad.jp.co.jp RFC1535(I) nic.ad.jp PTR (domain name PoinTeR) RR IP

    $ORIGIN 137.178.203.in-addr.arpa.
    73   IN PTR sh.wide.ad.jp.

PTR PTR SPAM IP IP : nslookup IP 1.2.3.4

    % nslookup -q=ptr 4.3.2.1.in-addr.arpa.    (4.8.3 )
    % nslookup 1.2.3.4

50
netstat -i -r Φ RFC1101(?): DNS Encoding of Network Names and Other Types Φ netstat -i, -r

    0.0.54.130.in-addr.arpa.   IN PTR kuins.kyoto-u.ac.jp.
                               IN A   255.255.0.0
    kuins.kyoto-u.ac.jp.       IN PTR 0.0.54.130.in-addr.arpa.
    0.0.0.224.in-addr.arpa.    IN PTR BASE-ADDRESS.MCAST.NET.

HINFO, TXT, WKS HINFO 2! NULL, MB, MG, MR, MINFO (experimental) RFC1035(S) AFSDB, ISDN, RP, RT, X25 PX RFC1183(E) RFC1664(E) localhost/127.in-addr.arpa zone root server

    $ORIGIN my.domain.jp.
    localhost   IN CNAME localhost.

127.0.0.1 localhost.my.domain.jp 51
CIDR classless 192.0.2.0/25 A 192.0.2.128/26 - B (8 ) CNAME : RFC2317(BCP) Classless IN-ADDR.ARPA delegation NS IP RFC CNAME 1

Classless IN-ADDR.ARPA delegation (cont.):

    ; parent zone
    $ORIGIN 2.0.192.in-addr.arpa.
    0/25    IN NS    ns.a.domain.jp.            ; <<0-127>> /25
    1       IN CNAME 1.0/25.2.0.192.in-addr.arpa.
    2       IN CNAME 2.0/25.2.0.192.in-addr.arpa.
    :
    126     IN CNAME 126.0/25.2.0.192.in-addr.arpa.

    ; delegated /25 zone
    $ORIGIN 0/25.2.0.192.in-addr.arpa.
    @       IN SOA ...
            IN NS  ns.a.domain.jp.
    1       IN PTR host1.a.domain.jp.
    2       IN PTR host2.a.domain.jp.
    :
    126     IN PTR host126.a.domain.jp.

Reverse lookup of 192.0.2.1 follows the CNAME delegation (CIDR):

    1.2.0.192.in-addr.arpa.        CNAME  1.0/25.2.0.192.in-addr.arpa.
    1.0/25.2.0.192.in-addr.arpa.   PTR    host1.a.domain.jp.

52
glue? 4.8.3 Φ 2 Φ bind4.8.3? A B Φ server A: primary of x.co.jp Φ server B: primary of sub.x.co.jp Φ x.co.jp NS (server C) Φ server C glue server A server B zone transfer (cont.) Φ bad referral NS SOA Φ NS points to a CNAME Φ MX points to a CNAME Φ dangling CNAME pointer CNAME Φ Lame server on 'x.co.jp' Authorized Unauthoritative answer (cont d) Φ Response from unexpected source?? Φ zone "xxx" (class 1) SOA serial# (nn) is < ours (mm) SOA serial! RFC1912(I): Common DNS Operational and Configuration Errors 53
DNS Dynamic Update Incremental Zone Transfer (IXFR) Security Extention SIG RR, NXT RR bind 8 54
Contents λ λ λ λ λ λ NULL PPP Firewall cf user@mail.x.co.jp user@x.co.jp user@x.co.jp (root ) user@mail.x.co.jp user@mail.x.co.jp user@x.co.jp generic ( )UUCP generic generic generic 55
generic sendmail (CF ) ACCEPT_ADDRS='x.co.jp' - (!) FROM_ADDRESS='x.co.jp' - - root, daemon, postmaster,... - ACCEPT_ADDRS='sub1.co.jp sub2.x.co.jp' qmail localnames sub1.co.jp sub2.x.co.jp 56
NULL Client MS NULL Client NULL Client [] (MS) CF NULL NULL Client λ NULL λ NULL CF_TYPE=R8V7-null SPOOL_HOST=mail.x.co.jp NullClient SPAM CF SPAM λ (lower MX A RR ) [IP ] PPP PPP UNIX IP IP DNS IP ( user@domain ) 57
POP (popclient ) PPP

    DIRECT_DELIVER_DOMAINS=none
    DEFAULT_RELAY=mail.provider.ne.jp    ( )
    FROM_ADDRESS=po.provider.ne.jp
    CON_EXP=True
    SMTP_MAILER_FLAG_ADD=e

mail.provider.ne.jp NULL Client POP po.provider.ne.jp SMTP_MAILER_FLAG_ADD e FLAG CON_EXP True SMTP expensive ( ) (mqueue) 30 sendmail -q sendmail -bd 58
PPP userdb, usertable check_compat O DialDelay=15s sendmail userdb usertable (SPAM )check_compat sendmail -q IP sendmail DialDelay=15s 1st-MX - 2nd-MX DNS MX (preference ) 1st-MX( ) 2 ( )2nd-MX 1st-MX 1st-MX (2nd-MX ) 59
- 1st-MX aliases - ACCEPT_ADDRS= SECONDARY_*= 1st-MX 1st-MX 2nd-MX aliases 1st-MX 1st-MX 2nd-MX aliases ACCEPT_ADDERS wide wide.ad.jp ACCEPT_ADDERS aliases 1st-MX 1st-MX CF SECONDARY 1st-MX aliases - NIS - rdist newaliases - aliases aliases sendmail (R8) aliases OA/etc/aliases, nis: mail.aliases aliases aliases Firewall Wildcard MX

    $ORIGIN x.co.jp.
    *    IN MX 10 ext-mail.x.co.jp.

Wildcard MX GW Firewall DNS 60
Wildcard MX proxy DNS root forwarders socks DNS forwarders 61
Firewall (1) DNS 1 a. zone split-brain DNS IP a. split-brain DNS zone zone authorization delegation zone delegation zone 62
a. Internet (NS) Internet ( ) DNS Firewall( ) DNS a. b. DNS a. DNS DNS DNS DNS a b 1 NS split-brain DNS ( zone ) NS ( ) 14 63
Firewall (2) 2 - DNS - DNS a b Firewall Firewall a NS Internet DNS DNS b NS Internet Firewall 2 NS NS DNS MX SPAM 16 64
    DIRECT_DELIVER_DOMAINS=x.co.jp
    DEFAULT_RELAY=external.x.co.jp
    STATIC_ROUTE_FILE=x.static

sendmail external.x.co.jp DIRECT_DELIVER_DOMAINS x.co.jp x.co.jp DEFAULT_RELAY STATIC_ROUTE_FILE=x.static x.static :

    GW   [12.34.56.78]   # (internal.x.co.jp)
    DOM  x.co.jp

DNS x.co.jp internal.x.co.jp cn x.static (DOM) x.co.jp (GW) ( internal.x.co.jp ) IP internal.x.co.jp IP user@external.x.co.jp NS, MS 1... a. NS first MX 65
a. (the host itself is the first MX, the GW the second)

    inner-host   IN MX 10 inner-host
                 IN MX 20 gw

1st-MX b. GW A RR

    inner-host   IN A  12.34.56.78
                 IN MX 10 gw

a. MX MX first MX Firewall IP (GW) inner-host MX inner-host Firewall Firewall GW inner-host Firewall Firewall 75 Firewall. inner-host GW MX 66
c. inner.domain.jp inner.domain.jp.local sendmail.cf STATIC_ROUTE_FILE MAP (CF) inner.domain.jp inner.domain.jp.local DNS sendmail.cf.local STATIC_ROUTE_FILE MAP d. 1 / IP named named listen-on, query-source, transfer-source (bind8.1.2) sendmail sendmail O DaemonPortOptions=Address=12.34.56.78 virtual host. query bind 8 IP configuration listen-on query-source transfer-source IP configuration configuration sendmail (mq) sendmail DaemonPortOptions Address=12.34.56.78 67
virtual host IP sendmail virtual host a, b - - bind8 allow-query IP query b A RR 1st-MX TRY_NULL_MX_LIST=True (CF) O TryNullMXList=True (sendmail.cf) local configuration error GW MX MX MX inner-host 68
MTA MX MX inner-host sendmail TryNullMXList MX first MTA 69
GW DIRECT_DELIVER_DOMAINS=none DEFAULT_RELAY=internal.x.co.jp DIRECT_DELIVER_DOMAINS=x.co.jp DEFAULT_RELAY=internal.x.co.jp qmail control/smtproutes NULL Client DIRECT_DELIVER_DOMAINS DEFAULT_RELAY Firewall Firewall qmail qmail control smtproutes 70
1 a) USERTABLE_MAPS='domain1=hash:/etc/map1 domain2=hash:/etc/map2' b) (1) - 1 IP - sendmail O DaemonPortOptions=Address=1.2.3.4 - chroot accept adders USERTABLE_MAPS domain1 map domain1 domain2 a) ) IP etc chroot etc c) (2) - sendmail.cf local mailer - /etc/passwd - POP OS c sendmail local mailer(binmail mail.local ) sendmail local 71
mailer POP POP sendmail chroot local mailer (MX) sendmail sendmail SMTP UUCP ML FallBackMX - DNS - MX mqueue 72
- sendmail FallBackMX DNS SMTP FallBackMX mqueue OS ( ) MaxMessageSize - - ESMTP MAIL FROM M= - - sendmail MaxMessageSize M= ESMTP ESMTP ESMTP 73
SPAM sendmail.cf

    CT root news postmaster MAILER-DAEMON uucp cron
    S0
    R $*                       $: $1 $| $>3 $&f
    R motonori $| <@>          $: trash
    R motonori $| $=T<@$*>     $: trash
    R $* $| $*                 $: $1

: motonori sendmail trash (class T: empty sender <> and system senders) 74
SMTP UUCP (3.1Wpatch) sendmail 3.1W patch

    S0
    R $*<@x.co.jp>$*    $# smtp $@ x.co.jp $: $1<@x.co.jp>$2    ( )
    or:                 $# uucp $@ uucp-x  $: $1<@x.co.jp>$2

: SMTP UUCP SMTP UUCP (3.1Wpatch) ML SMTP local %= Mlocal, %=0 Msmtp, %=10 (local mailer ) sendmail ML CF localdeliver user@host user+opt@host opt@user.host.forward.forward+opt.forward+default.forward+ml ML@user.host Samples/virt-domain+.def cf user+opt@host opt@user.host 75
DNS WildcardMX sendmail sendmail sendmail EightBitMode=pass8 MIME 8bit SendMimeErrors RFC1894 - DSN (Delivery Status Notification) ConnectionCacheSize SMTP run queue PostMasterCopy postmaster DoubleBounceAddress MX Firewall DNS 76
SPAM SPAM SPAM SPAM ν ν SPAM - user%domain@gateway @gateway:user@domain - - MX %-Hack %-Hack MX MX ( ) 77
(Mail Bombing) (Spam) Unsolicited Commercial Email (UCE) ( ) Third-Party Mail Relay ->CPU -> SPAM Dos POP IMAP expire SPAM POP 78
SMTP λ MTA SMTP 100 MUA 100 100 100 MTA SMTP MTA or MUA 41 79
SPAM 1 -> -> CPU SPAM 100 SMTP / IP DNS SMTP SMTP SMTP IP 80
(header) / (envelope) / UNIX From Return-Path: 81
SMTP SMTP (envelope commands vs. message headers):

    HELO mx1.s.domain
    250 post.r.domain Hello mx1.s.domain
    MAIL FROM:<sender@s.domain>
    250 sender ok
    RCPT TO:<recipient@r.domain>
    250 recipient ok
    DATA
    354 Enter mail, end with "." on a line by itself
    From: announce@s.domain
    To: list@s.domain
    Subject: Newsletter
    ( )
    [ ]
    .
    250 Message accepted for delivery

46 SMTP HELO MAIL FROM RCPT TO SPAM 100 RCPT TO 100 SMTP SMTP SMTP HELO/EHLO MAIL FROM: < > RCPT TO: < > DATA ( SMTP -> SMTP SMTP 82
HELO MAIL FROM RCPT TO FROM TO SMTP SMTP SMTP SMTP SMTP SMTP SMTP SMTP SMTP From:? From:? From:? 83
FROM FROM FROM FROM SPAM 84
FROM FROM ML OK FROM SMTP λ FROM TO OK FROM TO OK? ( ML) FROM TO FROM TO OK? ( ) FROM TO OK? λ SMTP FROM TO NG? (ISP )! FROM TO NG ( ) FROM TO OK ( ML, NG ) FROM TO OK 50 FROM TO FROM TO forward OK 85
FROM TO FROM TO OK OK OK OK FROM TO TO FROM ISP AM POP FROM TO FROM TO OK FROM TO OK TO 86
f (h, s, r) = OK, NG h - SMTP s - SMTP r - SMTP SMTP SMTP OK sendmail OK From FROM ISP From ISP From ML ISP FROM POP 87
To TO MX - MX - http://www.wide.ad.jp/~motonori/mtachecker.html MX MX MX MX MX MX qmail sendmail sendmail qmail sendmail sendmail 8.8 8.9 sendmail 8.8/8.9 - sendmail.cf sendmail m4 CF-3.6W - sendmail 8.9 sendmail.cf (m4, CF-3.7W) sendmail.cf CF-3.7W sendmail sendmail.cf 88
8.8 sendmail.cf sendmail m4 8.9 CF 8.6 SMTP sendmail.cf sendmail 8.9 CF SMTP sendmail 8.8 sendmail.cf SMTP check_relay check_mail check_rcpt check_compat 89
sendmail 8.9 sendmail 8.8 sendmail 8.9 DNS MX MX... SPAM check_rcpt λ ${client_addr} IP OK OK λ ${client_addr} client_adder SMTP OK OK SMTP check_rcpt λ OK IP λ NG λ OK 58 SMTP CF CF LOCAL_HOST_ 90
f (src_host,, ) = OK/NG CLIENT_ f (src_host, from_domain, ) = OK/NG ROAM_ f (src_host, from_user, ) = OK/NG LOCAL_HOST_ OK CLIENT_ ROAM_ CLIENT_ IP OK CLIENT_ IP FROM IP CLIENT* IP FROM ROAM_ IP user@domain 91
ALLOW_RELAY_FROM ALLOW_RELAY_TO ALLOW_RELAY_FROM f (*, from_domain, ) = OK/NG from_domain ALLOW_RELAY_TO f (,, to_domain) = OK/NG lower MX ALLOW_RELAY_TO IP to_domain OK MX lower MX MX ALLOW_RELAY_FROM FROM from_domain OK IP FROM ISP SPAM (3.1W ) Sendmail IP CIDR 8.9.1+3.1W C{Network} 200.3.4.64/27 C{Network} _MASKED_ADDRESS_MATCH_ 200.3.4.64-200.3.4.91 maskedaddr map IP sendmail CIDER C sendmail. 92
sendmail 3.1W sendmail IP 200.3.4.64/27 200.3.4.64-200.3.4.91 IP IP MASKED_ADDRESS_MATCH IP qmail /var/qmail/control/rcpthosts Lower MX qmail sendmail rcpthosts MX lower MX MX sendmail sendmail.cf IP qmail qmail qmail-smtpd RELAYCLIENT 93
qmail-smtpd RELAYCLIENT tcp_wrapper tcpserver (ucspi-tcp) tcpserver IDENT tcprules qmail tcp_wrapper tcpserver tcpserver IDENT SMP OK IDENT tcprules WWW http://maps.vix.com/tsi/ar-test.html http://www.wide.ad.jp/~motonori/mtachecker.html SPAM maps URL 94
ISP ISP POP 1) POP 2) 3) SMTP 4) 5) sendmail makemap DB sendmail POP IP IP POP OK IP OK POP IP SMTP IP IP POP sendmail makemap sendmail CF POP IP CF SPAM Hormel Foods Corporation 95
(Mail Bombing) (Spam) Unsolicited Commercial Email (UCE) Unsolicited Bulk Email (UBE)! SPAM SPAM NetNews Web SPAM user@domain.nospam SPAM SPAM SPAM 96
SPAM SPAM SPAM DNS SPAM DNS ( ) ->MAPS RBL SPAM 97
(?) ML MTA SPAM SPAM MAPS RBL ORBS DUL SPAM MAPS RBL MAPS RBL MAPS MailAbuseProtectionSystem RealtimeBlackholeList http://maps.vix.com/rbl/ DNS 4.3.2.1.rbl.maps.vix.com A IP 1.2.3.4 DNS 127.0.0.2 2.0.0.127.rbl.maps.vix.com BGP DNS IP DNS IP rbl.maps.vix.com DNS sendmail MTA Open Relay 98
ORBS ORBS Open Relay Blocking System Open Relay Blocking System http://www.dorkslayers.com/orbs/ MAPS RBL 4.3.2.1.orbs.dorkslayers.com A ORBS Open Relay Open Relay sendmail ORBS DNS ORBS DUL DUL ORCA Dial-up User List - http://www.orac.bc.ca/dul/ MAPS RBL - 4.3.2.1.dul.orac.bc.ca A - MAPS RBL SPAM SHUB MAPS ORBS IP 99
SPAM 100
spammer sendmail (CF) qmail SPAM_LIST* control/badmailfrom sendmail CF SPAM_LIST* qmail badmailfrom SPAM SPAM - @domain - user@host (FQDN - DNS - DNS @domain FQDN 101
(sendmail 8.9 ) header checks in sendmail.cf:

    Kcheckaddress regex -a@MATCH ^([0-9]+<@(aol|msn)\.com|[0-9][^<]*<@juno\.com|.{10}[^<]+<@aol\.com)\.?>
    R $+          $: $(checkaddress $1 $)
    R @MATCH      $#error $: "553 Header error"

    HTo: $>CheckTo
    SCheckTo
    R friend@$*   $#error $: "553 Header error"

    HMessage-Id: $>CheckMessageId
    SCheckMessageId
    R < $+ @ $+ > $@ OK
    R $*          $#error $: "553 Header error"

λ SpamCan http://consult.ml.org/~timb/spamcan/ friend@ to SPAM ID sendmail SpamCan 79 102
SPAM abuse@domain - (RFC2142 Mailbox Names for Common Services, Roles and Functions) domain@abuse.net - Network Abuse Clearinghouse (http://www.abuse.net) RFC2142 abuse@domain abuse.net SPAM SPAM <> - Mailer_daemon... - - procmail Mailer_daemon SPAM SPAM 103
MTA MTA MTA MTA Firewall Q:POP SMTP A www.ayamura.org POP < > 104