On Tue, 2009-05-19 at 09:28 +0200, Ralf Hildebrandt wrote:
> * Steve <steve.h...@digitalcertainty.co.uk>:
> > Hello 'list';
> > This is my first time out in 'list' land so please don't flame me if I
> > get the format wrong. Coaching and constructive criticism is fine ;-)
> > {usenet group seems to be almost dead ?}
> >
> > I've recently noticed that my Postfix is being a naughty bunny. It is
> > attempting to query my ISP nameserver to reverse resolve LAN addresses
> > defined in my_networks.
>
> Of course.
> It tries to resolve the IP address of all clients connecting.
>
> > The queries look like this;
> > 19-May-2009 7:26:56.489 client <wan_ip>#12345: query:
> > 60.1.168.192.in-addr.arpa IN PTR +
>
> Yes.
>
> > Which in turn gives this;
> > security: warning: client <wan_ip>#12345: RFC 1918 response from
> > Internet for 60.1.168.192.in-addr.arpa
>
> The security warning is broken. Turn it off.
>
I disagree. It looks like Postfix is broken. Whilst I can see the desire
to look up private IP ranges to see if they have a PTR record, it would
not be unreasonable to expect it not to do it for trusted clients - such
as those defined in 'my_networks'.
Previous use of MailEnable, for example, does not give this issue when
doing PTR/Reverse lookups.
As a trusted and solid MTA there must be a way to get it to stop leaking
rubbish DNS lookups from private networks ?
