On Tue, 2009-05-19 at 09:28 +0200, Ralf Hildebrandt wrote:
> * Steve <steve.h...@digitalcertainty.co.uk>:
> > Hello 'list';
> > This is my first time out in 'list' land so please don't flame me if I
> > get the format wrong. Coaching and constructive criticism is fine ;-)
> > {usenet group seems to be almost dead ?}
> >
> > I've recently noticed that my Postfix is being a naughty bunny. It is
> > attempting to query my ISP nameserver to reverse resolve LAN addresses
> > defined in my_networks.
>
> Of course.
> It tries to resolve the IP address of all clients connecting.
>
> > The queries look like this;
> > 19-May-2009 7:26:56.489 client <wan_ip>#12345: query:
> > 60.1.168.192.in-addr.arpa IN PTR +
>
> Yes.
>
> > Which in turn gives this;
> > security: warning: client <wan_ip>#12345: RFC 1918 response from
> > Internet for 60.1.168.192.in-addr.arpa
>
> The security warning is broken. Turn it off.

I disagree. It looks like Postfix is broken. Whilst I can see the desire to look up private IP ranges to see if they have a PTR record, it would not be unreasonable to expect it not to do it for trusted clients - such as those defined in 'my_networks'.
Previous use of MailEnable, for example, does not give this issue when doing PTR/Reverse lookups. As a trusted and solid MTA, there must be a way to get it to stop leaking rubbish DNS lookups from private networks?
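As an added example (not from the thread or from Postfix/BIND), a small checker that scans resolver query-log lines in the format quoted above and reports PTR queries for RFC 1918 addresses, which is the condition behind the "RFC 1918 response from Internet" warning. The log lines are constructed for the example; the `<wan_ip>` placeholder is kept as in the post.

```python
import ipaddress
import re

# Constructed sample lines in the BIND query-log format quoted in the thread.
SAMPLE_LOG = """\
19-May-2009 7:26:56.489 client <wan_ip>#12345: query: 60.1.168.192.in-addr.arpa IN PTR +
19-May-2009 7:27:01.102 client <wan_ip>#12346: query: 4.4.8.8.in-addr.arpa IN PTR +
19-May-2009 7:27:03.771 client <wan_ip>#12347: query: 10.0.16.172.in-addr.arpa IN PTR +
19-May-2009 7:27:05.004 client <wan_ip>#12348: query: mail.example.org IN A +
"""

QUERY_RE = re.compile(r"query: (?P<name>\S+) IN PTR")

# RFC 1918 ranges: a PTR query for one of these should be answered by the
# local resolver, never forwarded to the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ptr_name_to_ip(name):
    """Map '60.1.168.192.in-addr.arpa' back to IPv4Address('192.168.1.60').

    Returns None when the name is not a full IPv4 in-addr.arpa PTR name.
    """
    labels = name.rstrip(".").split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ipaddress.AddressValueError:
        return None


def leaked_private_ptr_queries(log_text):
    """Return (line, ip) pairs for PTR queries whose target is an RFC 1918 address."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        ip = ptr_name_to_ip(m.group("name"))
        if ip is not None and any(ip in net for net in RFC1918):
            hits.append((line, str(ip)))
    return hits


if __name__ == "__main__":
    for line, ip in leaked_private_ptr_queries(SAMPLE_LOG):
        print(f"private-range PTR lookup for {ip}: {line}")
```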