 |
| Prev-20 | Home | Next-20 |
| Prev-20 | Home | Next-20 |
| Prev-Msg | Prev-Thread | Postfix-users | May-2008 | Next-Thread | Next-Msg |
| Subject: | DNSBL results vs 127.* [Was: Problem with Black List] |
| Group: | Postfix-users |
| From: | mouss |
| Date: | 8 May 2008 |
> [snip]
>
> You may be able to fix your problem while still using a broken DNS
> server by specifying a result in your reject_rbl_client setting:
>
> reject_rbl_client cbl.abuseat.org=127.0.0.2
while this works for cbl, doing the same for zen (or any list that has
multiple valid results) is more than annoying. An alternative is to do
dnsbl checks in a policy service and to ignore results that are not in
127.0.0.0/8.
>
> Anyone using a DNS resolver that they do not control or not paying
> very close attention to the status of the DNSBL's they use should be
> specifying results that way. Arguably, the default of treating any
> result in a DNSBL lookup as a hit is a bug.
maybe postfix (and other dnsbl clients) should ignore results that are
outside the 127.0.0.0/8 range?
> ISP resolvers have increasingly been returning bogus A records in
> place of NXDOMAIN in order to funnel web surfers to their own
> advertising pages, and DNSBL zones can end up with wildcards pointing
> to domain-vulture webservers, so taking any result as a hit is dangerous.
While solutions are available for DNSBLs, unreliable DNS services are a
problem anyway. Suppose one of the MXes of a remote domain does not
exist, you don't want to connect to a random server (of course it may
run a mail server, maybe even a nasty one). and how about
reject_unknown_sender_domain and the like?
and running a caching DNS server (with no forwarders to uncontrolled DNS
servers) is not too hard to ask for anyone running a n internet mail
server.
| Prev-Msg | Prev-Thread | Postfix-users | May-2008 | Next-Thread | Next-Msg |