On Sun, 08 Feb 2009, jan gestre wrote: > On Sun, Feb 8, 2009 at 1:35 PM, Victor Duchovni > <victor.ducho...@morganstanley.com> wrote: > > On Sun, Feb 08, 2009 at 01:23:43PM +0800, jan gestre wrote: > > > >> > Don't use ISP DNS servers that fabricate A records. > >> > > >> > >> I'm not using our ISP's DNS , I'm using OpenDNS, I'm using OpenDNS > >> since way back it's only now that I'm getting this strange behavior in > >> my SMTP server. > > > > You should not use OpenDNS or any similar external DNS forwarder with > > Postfix. Especially, when doing RBL lookups. Just run a stand-alone DNS > > cache on your system (127.0.0.1). If you are behind a NAT device that > > de-randomizes UDP query ports, you are likely vulnerable to the Kaminsky > > attack... Running a SOHO incoming mail server is getting increasingly > > difficult, you may need a real SMTP server at a hosting facility. > > Postfix is behind a NAT device (pfSense) that does dnsmasq (dns > forwarder), no machine is allowed to connect to port 53 except the NAT > device. > > The initial configuration is NAT Firewall > Untangle in bridge mode > > postfix, but since telnet to postfix's smtp port produces an odd > result when it's behind the Untangle box so I took Untangle out.
Thanks but all of this is missing the point. Re-read Viktor's email and stop using OpenDNS with Postfix. -- Sahil Tandon <sa...@tandon.net>
