Jim Reid:
> On 2 Aug 2012, at 14:17, Wietse Venema wrote:
> 
> > The prime directive for Postfix is to deliver mail reliably without
> > sucking from a performance or human interface point of view, and
> > without granting unnecessary privileges to random strangers.
> 
> Too bad your prime directive includes opening connections to port 25  
> for 0.0.0.0 when people have misconfigured their MX records. :-)

I have an A record for warez.porcupine.org that resolves to 127.0.0.1.
I could have used 0.0.0.0 instead and have gotten a similar result.

Postfix documentation has plenty of examples where sending mail to the
loopback address is entirely legitimate.  It would be a mistake to
disallow sending mail to "reserved" address ranges by default.  Such
decisions are necessarily site-specific.

This is what I use to exclude mail sources that resolve to a reserved
address range. Note that I exclude sources, not destinations:

/etc/postfix/main.cf:
    smtpd_whatever_restrictions =
        ...
        check_sender_mx_access hash:/etc/postfix/mx_access
        ...

/etc/postfix/mx_access:
    #64.94.110.11   reject mail host in verisign wild-card domain
    127             reject mail host in loopback network
    10              reject mail host in reserved network 10
    192.168         reject mail host in reserved network 192.168

Other sites may have a local address range in 10.* or 192.168.*,
and therefore can't exclude those as invalid mail sources.  There
is no rule that works for everyone.

        Wietse
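
Added example, not part of the original message and not Postfix code: a Python emulation of how the hash: table above is matched against the addresses a sender domain's MX hosts resolve to, using the octet-stripping lookup order that access(5) documents for indexed tables (a.b.c.d, then a.b.c, a.b, a). The function names and sample domains are assumptions made for illustration, and only the address lookups are modelled, not the MX hostname lookups.

```python
# Added illustration: emulates the octet-stripping lookup that access(5)
# documents for indexed (hash:) tables. Not Postfix source code.

# The table from the message above (the commented-out entry is omitted).
MX_ACCESS = {
    "127": "reject mail host in loopback network",
    "10": "reject mail host in reserved network 10",
    "192.168": "reject mail host in reserved network 192.168",
}

def lookup_keys(ipv4):
    """Keys tried for one address: a.b.c.d, then a.b.c, a.b, a."""
    octets = ipv4.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("not a dotted-quad IPv4 address: %r" % ipv4)
    return [".".join(octets[:n]) for n in range(4, 0, -1)]

def check_mx_access(mx_addresses, table=MX_ACCESS):
    """Return (address, key, action) for the first MX address that hits
    the table, or None when no address matches (mail not rejected here)."""
    for addr in mx_addresses:
        for key in lookup_keys(addr):
            if key in table:
                return addr, key, table[key]
    return None

if __name__ == "__main__":
    # Constructed sample data: sender domain -> addresses its MX hosts resolve to.
    samples = {
        "loopback.example": ["127.0.0.1"],
        "rfc1918.example": ["192.0.2.25", "10.1.2.3"],
        "lookalike.example": ["100.64.0.1", "192.169.0.1"],  # not 10.* / 192.168.*
        "zero.example": ["0.0.0.0"],  # the table has no key "0"
    }
    for domain, addrs in samples.items():
        print(domain, "->", check_mx_access(addrs) or "no match")
```

Keys match whole octets, so `10` covers 10.1.2.3 but not 100.64.0.1. On a real system, `postmap -q` against the built table shows what a single key returns.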
