On 2024-12-18 at 11:50:26 UTC-0500 (Wed, 18 Dec 2024 16:50:26 +0000)
Chris Green via Postfix-users <c...@isbd.net>
is rumored to have said:
> On Wed, Dec 18, 2024 at 10:04:49AM -0500, Bill Cole via Postfix-users wrote:
> [snip]
>> The most common DNS problem I see with mail systems is an inadequate
>> DNS resolver. A mail server accepting mail from the Internet MUST have
>> a local fully-recursive non-filtering DNS resolver. BIND, Unbound or
>> the PowerDNS resolver can all be adequate. DNSMasq can't. Forwarding to
>> an external resolver IS NOT adequate.
>
> I run postfix on my Debian 12 system at home with dnsmasq and I've not
> seen any problems for many a long year. Most (all?) of my incoming
> mail is via the hosting service that actually hosts my 'visible to the
> outside world' e-mail addresses though. I.e. all outside users send
> mail to domains hosted on my hosting service, it then forwards my mail
> to my home server which is a different domain.

Right. Yours is not really operating as an Internet mail exchanger that
has to identify connecting hosts and do all of the lookups involved in
authenticating and spam-filtering email. I have heard rumors that recent
versions of DNSMasq can be configured to do full recursion instead of
its usual model of forwarding queries to one or more upstream resolvers.
I have not bothered trying to do that in many years; it was not possible
circa 2016. If your config includes any mention of forwarding or a
public DNS server other than the root servers, you are not doing full
recursion. *Which may be perfectly fine for your circumstance.*
The worst impact for an exposed mail exchanger ultimately relying on
someone else's DNS recursion and caching is that many DNS-based
reputation and information services block any resolver they see as
making too many queries, including all free public DNS resolvers. Some
public DNS services also filter queries with a goal to protect web
browsing users from undesirable sites, which is unfit for a mail server.
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo@toad.social and many *@billmail.scconsult.com
addresses)
Not Currently Available For Hire
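
The rule of thumb in the message above (any forwarding directive, or a non-local upstream, means the host is not doing full recursion) can be checked mechanically. The following Python is an added example, not part of the original message or of any project named in it; it inspects resolv.conf text plus an Unbound or BIND config, and its function names and sample inputs are constructed for illustration.

```python
import ipaddress
import re

# Directives that send queries to an upstream resolver instead of recursing
# from the root: Unbound forward-zone entries and non-empty BIND forwarders.
FORWARDING = [
    ("unbound", re.compile(r"^\s*forward-(zone|addr|host):", re.M)),
    ("bind", re.compile(r"\bforwarders\s*\{\s*[^}\s]")),
]

def strip_comments(text):
    """Drop '#' and '//' line comments (simplification: no /* */ blocks)."""
    return re.sub(r"(#|//).*", "", text)

def nonlocal_nameservers(resolv_conf):
    """Return nameserver entries in resolv.conf text that are not loopback."""
    bad = []
    for line in strip_comments(resolv_conf).splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                if not ipaddress.ip_address(fields[1]).is_loopback:
                    bad.append(fields[1])
            except ValueError:
                bad.append(fields[1])  # unparsable entry: report it
    return bad

def forwarding_directives(resolver_conf):
    """Return the resolver styles whose forwarding syntax appears."""
    clean = strip_comments(resolver_conf)
    return [name for name, pat in FORWARDING if pat.search(clean)]

def audit(resolv_conf, resolver_conf):
    """Return findings; an empty list means no sign of forwarding."""
    findings = [f"resolv.conf points at non-local resolver {ns}"
                for ns in nonlocal_nameservers(resolv_conf)]
    findings += [f"{name}-style forwarding configured"
                 for name in forwarding_directives(resolver_conf)]
    return findings

# Constructed sample inputs (192.0.2.53 is a documentation address).
RESOLV_FORWARDED = "nameserver 192.0.2.53\n"
RESOLV_LOCAL = "# local resolver\nnameserver 127.0.0.1\nnameserver ::1\n"
UNBOUND_FORWARDING = 'forward-zone:\n  name: "."\n  forward-addr: 192.0.2.53\n'
UNBOUND_RECURSIVE = "server:\n  interface: 127.0.0.1\n  # forward-addr: 192.0.2.53\n"

if __name__ == "__main__":
    print(audit(RESOLV_FORWARDED, UNBOUND_FORWARDING))
    print(audit(RESOLV_LOCAL, UNBOUND_RECURSIVE))
```

A loopback address in resolv.conf only shows that something local is listening; a local stub such as systemd-resolved on 127.0.0.53 still forwards, which is why the resolver's own config is checked as well.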