Qmail

Re: sender valid domain checking

To: qmail@list.cr.yp.to
Subject: Re: sender valid domain checking
From: "Joshua Megerman" <qmail@honorablemenschen.com>
Date: Wed, 31 Jan 2007 09:46:41 -0500 (EST)
Delivered-to: sp-com-lists@consult.net
Delivered-to: gmail-qmail@securepoint.com
Delivered-to: sp.com.list@gmail.com
Delivered-to: mailing list qmail@list.cr.yp.to
Importance: Normal
In-reply-to: <BAY117-F29C6BAD229526D9780A936EDA50@phx.gbl>
Mailing-list: contact qmail-help@list.cr.yp.to; run by ezmlm
References: <BAY117-F29C6BAD229526D9780A936EDA50@phx.gbl>
User-agent: SquirrelMail/1.4.3a-0.2.7.x
> dear members!
>
>   How can we check domain validity when sending a mail?
>
>   I am using squirrelmail and I want to restrict my users to be able to send an
> email only to valid domains. e.g. if someone sends a message to abc@dkdldld.com,
> my server first checks the domain dkdldld.com; if it is valid then send the mail,
> otherwise reject.
>
Don't know how to do it in PHP or integrate it into squirrelmail, but
here's a quick set of steps I used in creating a script that checks my
queue every few days and expires messages to domains that either don't
exist or have unreachable MX records:

1) Do an MX query and get ALL the results as a list.  If no results are
returned (that is, the domain is valid but has no MX record), use (domain)
as the list.  If the domain is invalid, reject the recipient.  If there is
exactly one MX record, and it exactly matches a single period ('.'),
reject the recipient (while not RFC-compliant, there is a suggestion out
there that a single period as the MX be used to denote "I don't accept any
mail", and certain domains (such as Yahoo-owned typo variants) use this).
2) Do A record queries against each member of the list of MX records, and
combine all of the results into a single list of IPs.  If you get no IP
addresses back, reject the recipient.  If ALL of the IPs listed are
RFC1918 addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) or loopback
(127.0.0.0/8), reject the recipient (unless it's one of your internal-only
domains, but then again if that was the case you wouldn't really be asking
this question, would you?) as you can't get to those IPs over the Internet
at large.
3) If you still have IP addresses left after filtering out the
non-routables, accept the recipient and let it queue.  This doesn't mean
it will ever get delivered, but since there's a valid MX record with a
valid IP address, you MUST assume that the receiving domain is valid,
since an unsuccessful delivery attempt can be caused by service failures
on their end.  It will sit until it expires if there's no server on the
other end, but that's the way SMTP was designed.  You can shorten your
queue lifetime if you want to have these time out sooner, but that can also
cause legitimate mail to time out if there's a real problem on the other
end or for any number of other reasons that the mail doesn't get delivered
right away.
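The three-step check above, as an added Python example that is not Josh's own script (his code is not in the post). DNS answers come from a constructed in-memory table handed in as two callbacks so it runs offline; in a real deployment those callbacks would wrap a DNS library (dnspython is the assumption):

```python
import ipaddress

# Constructed stand-in for DNS answers (not real zone data). None = domain does
# not exist; [] = domain exists but has no MX record. Replace fake_mx/fake_a
# with callbacks around a real resolver (assumption: dnspython) for live use.
FAKE_MX = {
    "example.com": ["mx1.example.com", "mx2.example.com"],
    "nomx.example": [],                            # valid domain, no MX
    "nullmx.example": ["."],                       # single "." MX: accepts no mail
    "internal.example": ["mail.internal.example"], # only private/loopback MX IPs
    "deadmx.example": ["mx.deadmx.example"],       # MX host with no A record
}
FAKE_A = {
    "mx1.example.com": ["192.0.2.10"],
    "mx2.example.com": ["198.51.100.20", "10.0.0.9"],
    "nomx.example": ["203.0.113.5"],
    "mail.internal.example": ["10.1.2.3", "127.0.0.1", "192.168.4.4", "172.31.0.1"],
}

def fake_mx(domain):
    return FAKE_MX.get(domain)          # None when the domain does not exist

def fake_a(host):
    return FAKE_A.get(host, [])

# Exactly the ranges the post names: RFC1918 plus loopback.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_routable(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)

def check_recipient_domain(domain, mx_lookup=fake_mx, a_lookup=fake_a):
    """Return (accept, reason) by applying steps 1-3 from the post."""
    mxs = mx_lookup(domain)
    if mxs is None:                                   # step 1: domain invalid
        return False, "domain does not exist"
    if len(mxs) == 1 and mxs[0] == ".":               # step 1: null MX
        return False, "single '.' MX: domain accepts no mail"
    hosts = mxs if mxs else [domain]                  # step 1: no MX -> use the domain
    ips = {ip for host in hosts for ip in a_lookup(host)}   # step 2: A of every MX host
    if not ips:
        return False, "no A records for any MX host"
    reachable = sorted(ip for ip in ips if is_routable(ip))
    if not reachable:                                 # step 2: nothing reachable
        return False, "all MX addresses are RFC1918 or loopback"
    return True, "accept and queue; reachable MX addresses: " + ", ".join(reachable)
```

Note that the accept branch only says the domain is deliverable in principle (step 3); whether the listed hosts actually answer on port 25 is left to the queue, exactly as the post describes.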

However, there's another thing for you to consider - how do you handle
emails to multiple recipients?  What if one recipient is good and another
is bad?  Make sure that if you do reject, you make it clear what you did. 
If you reject the whole message, don't deliver it at all and put up a
message to that effect, as well as the offending email address.  If you
accept the message but not that particular recipient, you should probably
generate an NDR and deliver it to the user immediately, since that's what
most mail users are expecting.  If you don't generate an NDR, you need to
make it very clear that the message was sent to some recipients and not
others, and which recipients fall into each category.

Personally, unless you're seeing tons of mail queueing up for nonexistent
domains, I wouldn't worry about it.  And if you are, find out who is using
your webmail to send spam and boot them off your system :)

Josh
-- 
Joshua Megerman
SJGames MIB #5273 - OGRE AI Testing Division
You can't win; You can't break even; You can't even quit the game.
  - Layman's translation of the Laws of Thermodynamics
josh@honorablemenschen.com