
Re: numeric domain name in resource data of MX record

  • mouss
    Message 1 of 6 , May 28, 2008
      d.hill@... wrote:
      > On Wed, 28 May 2008 03:04:59 -0400
      > Steven King <sking@...> wrote:
      >> Also, check the IP. The 127/8 range is private. It is not publicly
      >> accessible or routable.
      >
      > Just as previously mentioned, if a sender's MX is in private IP space,
      > your response would not reach them.

      There are also security implications: you don't want a "stranger" to
      make one of your mail servers connect to one of your private servers
      (reply, dsn, bounce, ... etc).


      > Therefore, I have in main.cf:
      >
      > smtpd_sender_restrictions =
      > ...
      > check_sender_mx_access cidr:/usr/local/etc/postfix/sender_mx_access,
      > ...
      >
      > sender_mx_access:
      >
      > 127.0.0.0/8 REJECT MX in loopback network
      > 10.0.0.0/8 REJECT MX in non-routable network
      > 169.254.0.0/16 REJECT MX in non-routable network
      > 172.16.0.0/12 REJECT MX in non-routable network
      > 192.168.0.0/16 REJECT MX in non-routable network

      You can add
      0.0.0.0/7
      224.0.0.0/4
      192.0.2.0/24
      ...
      and maybe more bogons:
      http://www.cymru.com/Documents/bogon-bn-agg.txt

      Note that this may cause "FPs" because some sites put fake MX entries:
      $ host -t mx ahbl.org
      ahbl.org mail is handled by 0 mail.sosdg.org.
      ahbl.org mail is handled by 10 this.is.a.fake.smtp.server.sosdg.org.
      $ host this.is.a.fake.smtp.server.sosdg.org
      this.is.a.fake.smtp.server.sosdg.org has address 192.0.2.1
      this.is.a.fake.smtp.server.sosdg.org has address 192.0.2.2
      this.is.a.fake.smtp.server.sosdg.org has address 192.0.2.3

      but I guess you can either ignore these or whitelist them...


      You can also add:

      - known ISP hijacked IPs (for when ISPs convert NXDOMAIN to redirect to
      chosen servers).

      - the wildcard IPs for: .cg, .cm, .la, .nu, ... because there is no way
      to validate domains in such TLDs, and bounces/replies/... will cause errors.

      $ host -t mx postfixrocks.cg
      postfixrocks.cg has no MX record
      $ host postfixrocks.cg
      postfixrocks.cg has address 64.18.138.88
      $ telnet 64.18.138.88 25
      Trying 64.18.138.88...
      telnet: connect to address 64.18.138.88: Connection refused
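As an added illustration (not code from this thread or from Postfix itself), the following Python model shows what check_sender_mx_access does with the cidr: table above, extended with the ranges suggested in the reply: resolve the sender domain's MX hosts, then match each host address against the table in order. The DNS answers are constructed inline; the fallback to the domain's own A record when no MX exists, the 64.18.138.88 entry standing in for a TLD wildcard address, and the whitelist of known fake MX hosts are assumptions for the example.

```python
import ipaddress

# Constructed stand-in for DNS (hypothetical data, not live lookups):
# MX hosts per sender domain, and A records per host name.
FAKE_MX = {
    "ahbl.org": ["mail.sosdg.org", "this.is.a.fake.smtp.server.sosdg.org"],
    "postfixrocks.cg": [],            # no MX: the A record is the implicit MX
    "example.net": ["mx.example.net"],
}
FAKE_A = {
    "mail.sosdg.org": ["203.0.113.10"],
    "this.is.a.fake.smtp.server.sosdg.org": ["192.0.2.1", "192.0.2.2"],
    "postfixrocks.cg": ["64.18.138.88"],
    "mx.example.net": ["10.1.2.3"],
}

# The cidr: table from the thread plus the extra ranges suggested in the reply.
# Entries are tried in order; the first network containing the address wins.
SENDER_MX_ACCESS = [(ipaddress.ip_network(n), a) for n, a in [
    ("127.0.0.0/8", "REJECT MX in loopback network"),
    ("10.0.0.0/8", "REJECT MX in non-routable network"),
    ("169.254.0.0/16", "REJECT MX in non-routable network"),
    ("172.16.0.0/12", "REJECT MX in non-routable network"),
    ("192.168.0.0/16", "REJECT MX in non-routable network"),
    ("192.0.2.0/24", "REJECT MX in documentation network"),
    ("224.0.0.0/4", "REJECT MX in multicast network"),
    ("64.18.138.88/32", "REJECT MX is a TLD wildcard address"),  # assumed
]]

# Hosts known to publish deliberately fake MX entries; they would otherwise
# trip the 192.0.2.0/24 line (the false positive mentioned in the reply).
KNOWN_FAKE_MX = frozenset({"this.is.a.fake.smtp.server.sosdg.org"})


def mx_hosts(domain):
    """MX host names for a domain, falling back to the domain itself."""
    return FAKE_MX.get(domain) or [domain]


def check_sender_mx(sender, whitelist=KNOWN_FAKE_MX):
    """Return the first matching table action, or "DUNNO" (no decision)."""
    domain = sender.rsplit("@", 1)[-1].lower()
    for host in mx_hosts(domain):
        if host in whitelist:
            continue                  # skip known fake MX hosts
        for addr in FAKE_A.get(host, []):
            ip = ipaddress.ip_address(addr)
            for net, action in SENDER_MX_ACCESS:
                if ip in net:
                    return action
    return "DUNNO"
```

Running check_sender_mx("abuse@ahbl.org") with an empty whitelist reproduces the false positive on the fake 192.0.2.x MX; with the default whitelist the domain passes.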