Why forwarding is a Bad Thing

Kevin Darcy kcd at daimlerchrysler.com
Fri Mar 23 18:43:14 UTC 2001


Jim Reid wrote:

> >>>>> "Kevin" == Kevin Darcy <kcd at daimlerchrysler.com> writes:
>
>     Kevin> As Jim knows, I happen to advocate the use of wildcard MX
>     Kevin> records for outbound mail routing in an internal-root
>     Kevin> context.
>
> And as Kevin knows, I don't.
>
>     Kevin> What I think Jim
>     Kevin> may fail to appreciate, however, is that I advocate it for
>     Kevin> many of the *same* reasons that I advocate *against*
>     Kevin> forwarding -- because it centralizes mail routes (_roughly_
>     Kevin> analogous to name-resolution paths) in a single place,
>     Kevin> where there is a higher probability of competent
>     Kevin> administration. Just as I shudder at the thought of junior
>     Kevin> admins all over the enterprise configuring all sorts of
>     Kevin> screwy, hard-coded, undocumented forwarding kruft, I
>     Kevin> shudder at the thought of junior admins all over the
>     Kevin> enterprise configuring all sorts of screwy, hard-coded,
>     Kevin> undocumented mail routing kruft. I'd rather centralize the
>     Kevin> top-level delegation information *and* the top-level mail
>     Kevin> routing information (wildcard MXes) somewhere where I can
>     Kevin> keep a watchful eye on it.
>
> If a properly designed mail architecture is deployed, it's easy to do
> this without the need for complex mail setups or, worse, fouling up
> the DNS with wildcards. [The initial question was about wildcarding in
> general, not just wildcard MX records.] For example in most mail
> systems, it is trivial to configure them to send all non-local mail
> (for some definition of local) to a smart mail relay. It's even
> possible to provide and document company standard configurations for
> those setups. The smart mail relays would be operated by the
> organisation's clueful mail people. ie The complexity and intelligence
> about mail routing and relaying is handled by the systems and people
> that have the resources and skills to do that job reliably.

And, likewise, it's possible to have a "smart" DNS forwarder maintained
by clueful DNS admins and/or to provide and document "company standard
configurations" for DNS forwarding.

"Smarthost" mail routing is just as bad as DNS forwarding. For many of
the same reasons, i.e. more places for traffic to bottleneck, more
configuration work spread out over a greater number of machines therefore
more inter-departmental communication required and a higher probability
of something getting screwed up. Sure, it *can* be done right. But it's
not likely to be. With wildcard MX'es, *I* control how mail gets routed,
not some junior admin hacking away in some component shop somewhere...

The only arguments I recall hearing *against* using wildcard MX'es are
a) that they "pollute" the DNS, and b) that certain old versions of
sendmail couldn't deal with them properly. The "pollution" argument is
just a matter of personal aesthetics, IMO, and the other argument is
obsolete. We've been using wildcard MX'es for outbound mail routing for
years, and no mail server I've ever run across has had a problem with it,
not even those braindead Lotus Notes abominations.


- Kevin
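
Added example (not part of Kevin's or Jim's posts): a small Python model of wildcard synthesis as specified in RFC 4592, run against a constructed internal-root zone, to show which MX lookups the wildcard MX discussed above actually answers. The zone contents, host names and addresses are assumptions made for illustration.

```python
# Constructed internal-root zone; every name and address here is an assumption.
ZONE = {
    "*.": {"MX": ["10 mailgw.corp.example."]},        # wildcard MX: default mail route
    "corp.example.": {"NS": ["ns1.corp.example."]},   # delegation to an internal zone
    "printer.test.": {"A": ["192.0.2.10"]},           # existing name with no MX
}

def labels(name):
    return [l for l in name.lower().rstrip(".").split(".") if l]

def fqdn(lbls):
    return ".".join(lbls) + "." if lbls else "."

def existing_names(zone):
    """Owner names plus the empty non-terminals they imply (RFC 4592)."""
    names = {"."}
    for owner in zone:
        l = labels(owner)
        names.update(fqdn(l[i:]) for i in range(len(l)))
    return names

def resolve(zone, qname, qtype):
    q, exists = labels(qname), existing_names(zone)
    # 1. A zone cut at or above the name wins: the wildcard never covers it.
    for i in range(len(q) - 1, -1, -1):
        if "NS" in zone.get(fqdn(q[i:]), {}):
            return ("REFERRAL", fqdn(q[i:]))
    # 2. A name that exists is answered from its own data, never the wildcard.
    if fqdn(q) in exists:
        rr = zone.get(fqdn(q), {}).get(qtype)
        return ("ANSWER", rr) if rr else ("NODATA", None)
    # 3. Otherwise find the closest encloser and try "*.<closest encloser>".
    for i in range(1, len(q) + 1):
        if fqdn(q[i:]) in exists:
            source = fqdn(["*"] + q[i:])
            if source not in zone:
                return ("NXDOMAIN", None)
            rr = zone[source].get(qtype)
            return ("WILDCARD", rr) if rr else ("NODATA", None)

if __name__ == "__main__":
    for name in ("partner.example.org.", "hr.corp.example.",
                 "printer.test.", "scanner.test."):
        print(name, resolve(ZONE, name, "MX"))
```

A name that already exists in the zone, or that sits below an existing branch or a delegation, is not covered by the wildcard MX; only names with no closer match are routed to the gateway.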




More information about the bind-users mailing list