Re: numeric domain name in resource data of MX record
- d.hill@... wrote:
> On Wed, 28 May 2008 03:04:59 -0400There are also security implications: you don't want a "stranger" to
> Steven King <sking@...> wrote:
>> Also, check the IP. the 127/8 range is private. It is not publicly
>> accessible or route able.
> Just as previously mentioned, if a sender's MX is in private IP space,
> your response would not reach them.
make one of your mail servers connect to one of your private servers
(reply, dsn, bounce, ... etc).
> Therefore, I have in main.cf:you can add
> smtpd_sender_restrictions =
> check_sender_mx_access cidr:/usr/local/etc/postfix/sender_mx_access,
> 127.0.0.0/8 REJECT MX in loopback network
> 10.0.0.0/8 REJECT MX in non-routable network
> 169.254.0.0/16 REJECT MX in non-routable network
> 172.16.0.0/12 REJECT MX in non-routable network
> 192.168.0.0/16 REJECT MX in non-routable network
and maybe more bogons
Note that this may cause "FPs" because some sites put fake MX entries:
$ host -t mx ahbl.org
ahbl.org mail is handled by 0 mail.sosdg.org.
ahbl.org mail is handled by 10 this.is.a.fake.smtp.server.sosdg.org.
$ host this.is.a.fake.smtp.server.sosdg.org
this.is.a.fake.smtp.server.sosdg.org has address 192.0.2.1
this.is.a.fake.smtp.server.sosdg.org has address 192.0.2.2
this.is.a.fake.smtp.server.sosdg.org has address 192.0.2.3
but I guess you can either ignore these or whitelist them...
you can also add
- known ISP hijacked IPs (for when ISPs convert NXDOMAIN to redirect to
- the wildcard IPs for: .cg, .cm, .la, .nu, ... because there is no way
to validate domains in such TLDs, and bounces/replies/... will cause errors.
$ host -t mx postfixrocks.cg
postfixrocks.cg has no MX record
$ host postfixrocks.cg
postfixrocks.cg has address 184.108.40.206
$ telnet 220.127.116.11 25
telnet: connect to address 18.104.22.168: Connection refused