On Sun, Feb 08, 2009 at 02:02:14PM +0800, jan gestre wrote:
> > You should not use OpenDNS or any similar external DNS forwarder with
> > Postfix. Especially, when doing RBL lookups. Just run a stand-alone DNS
> > cache on your system (127.0.0.1). If you are behind a NAT device that
> > de-randomizes UDP query ports, you are likely vulnerable to the Kaminsky
> > attack... Running a SOHO incoming mail server is getting increasingly
> > difficult, you may need a real SMTP server at a hosting facility.
> >
>
> Postfix is behind a NAT device (pfSense) that does dnsmasq (dns
> forwarder), no machine is allowed to connect to port 53 except the NAT
> device.
This does not protect you from the Kaminsky attack. A cryptographically
strong port-randomizing NAT is required. Most consumer NAT devices
probably don't measure up... In any case, it is still likely that your
RBL hits are a result of your DNS configuration. Good luck.
--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majord...@postfix.org?body=unsubscribe%20postfix-users>
If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
