On 11/22/2014 5:10 PM, Wietse Venema wrote:
> Darren Pilgrim:
> > > if ipv4 is still working you could
> > > - modify your local dns resolver to strip the AAAA part in its answer
> > > for the hosts in question
> >
> > I thought about that, but the domains in question use DNSSEC and I
> > generally try not to break other people's protective measures. :)
> >
> > > - modify your local firewall to *reject* outbound connections to the
> > > IPv6 address in question
> > > both are not perfect and may have unwanted side effects.
> >
> > Considered this as well, but I'm trying to get away from maintaining a
> > static list of non-static things.  Maintaining a host pattern still has
> > that problem, but it at least gets me some automation if they renumber
> > or rename their MXes, which I've seen them do.
>
> It could be kludged together with a transport map based on tcp_table
> or socketmap, plus some clever scripting to generate the right
> transport map responses.
>
> Otherwise this requires new Postfix code. Giving this a few minutes
> of thought I came up with two designs.
>
> My simplest design is a new configurable DNS reply filter that can
> be used to ignore Google AAAA records (but it can also be used to
> ignore other results).
>
> /etc/postfix/main.cf:
>      smtp_dns_reply_filter = pcre:/etc/postfix/smtp_dns_reply_filter
>
> /etc/postfix/smtp_dns_reply_filter:
>      # aspmx.l.google.com. 300 IN AAAA 2607:f8b0:400d:c03::1b
>      /^\S+\.google\.com\s+\S+\s+\S+\s+aaaa/ ignore
>
> This would go into the Postfix DNS library, where it can be used
> to filter queries by all Postfix programs, and provide a new kind
> of rope that people can shoot themselves into the feet with.
>
> Downside of this is that it can filter only on things that Postfix
> asks for. For example, it cannot be used to filter on Google's NS
> records because the Postfix SMTP client does not ask for those.

I think this would fit the need. Pushing this down to the application avoids the DNSSEC invalidation issue with filtering DNS responses.

Let's say the first next hop is an IPv4-only host, but later MXes have IPv6. Will filtering out A records result in Postfix logging a "host not found" error and safely moving to the next MX? If so, should the dns reply filter also log discarded RRs?
