Viktor Dukhovni:
> On Sun, Nov 23, 2014 at 02:17:23PM -0500, Wietse Venema wrote:
>
> > I have a preference for the design that addresses the problem at a
> > lower level in the stack, so that the solution is not limited to
> > the SMTP client and not limited to inet protocol selection.
> >
> > That code can then also be used to address other forms of trouble
> > that manifest themselves via DNS (for example the next time someone
> > changes the meaning of some corner case, like nullmx).
> >
> > I have a draft implementation that is being tested.
>
> I hope the low level mechanism in question will apply with some
> specificity, e.g. for particular MX hosts among many for the same
> nexthop domain. Some domains mix Google and non-google MX hosts.
It can drop DNS records based on arbitrary criteria, but the initial
use case is to drop *.google.com AAAA records while passing on all
other AAAA records.

postscreen_dns_reply_filter (default: $default_dns_reply_filter)
...
smtp_dns_reply_filter (default: $default_dns_reply_filter)
...
smtpd_dns_reply_filter (default: $default_dns_reply_filter)
...
default_dns_reply_filter (default: empty)
...
Example: ignore Google AAAA records in Postfix SMTP client DNS lookups,
because Google sometimes hard-rejects mail from IPv6 clients with
valid PTR etc. records.

/etc/postfix/main.cf:
    smtp_dns_reply_filter = pcre:/etc/postfix/smtp_dns_reply_filter

/etc/postfix/smtp_dns_reply_filter:
    # /domain ttl IN AAAA address/ action, all case-insensitive.
    # Note: the domain name ends in ".".
    /^\S+\.google.com\.\s+\S+\s+\S+\s+AAAA\s+/ IGNORE

The implementation renders a DNS record as a string in the format that
we know from dig(1) and other tools, then matches that string against
a list of lookup tables. Currently, IGNORE is the only implemented
action. It removes the record from the DNS lookup result. When all
DNS lookup result reply records are deleted, it returns a DNS_NOTFOUND
status plus a diagnostic text with "All records suppressed by policy
filter".

	Wietse
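A small model of the reply filter described in the message above, added here as an example and not Postfix's own code: it renders each record in dig(1) form, applies the page's IGNORE rule with first-match-wins table semantics, and returns DNS_NOTFOUND with the page's diagnostic when every record of a reply is dropped. The status name DNS_OK and all sample records are assumptions constructed for the example.

```python
import re

# Filter table modelled on the page's /etc/postfix/smtp_dns_reply_filter:
# (case-insensitive regex over the dig(1)-style record text, action).
# As in Postfix pcre tables, the first matching pattern wins.
FILTER_TABLE = [
    (re.compile(r"^\S+\.google.com\.\s+\S+\s+\S+\s+AAAA\s+", re.IGNORECASE),
     "IGNORE"),
]

# Constructed sample replies (not real lookups): each is the record set one
# AAAA (or A) query would return for a single MX host. Addresses are made up.
GOOGLE_ONLY_REPLY = [
    ("ASPMX.L.GOOGLE.COM.", 300, "IN", "AAAA", "2001:db8:1::25"),
    ("ASPMX.L.GOOGLE.COM.", 300, "IN", "AAAA", "2001:db8:1::26"),
]
OTHER_MX_REPLY = [
    ("mx.example.net.", 3600, "IN", "AAAA", "2001:db8:2::25"),
]
GOOGLE_A_REPLY = [
    ("aspmx.l.google.com.", 300, "IN", "A", "192.0.2.26"),
]

def render(record):
    """Render a record as 'name ttl class type data' (dig(1) presentation form)."""
    name, ttl, rclass, rtype, data = record
    return f"{name} {ttl} {rclass} {rtype} {data}"

def apply_reply_filter(records, table=FILTER_TABLE):
    """Return (status, surviving_records, diagnostic) for one DNS reply.

    'DNS_OK' is assumed as the success status name; the page only names
    DNS_NOTFOUND and its diagnostic text.
    """
    kept = []
    for record in records:
        text = render(record)
        action = next((act for pattern, act in table if pattern.search(text)), None)
        if action == "IGNORE":
            continue  # drop this record from the lookup result
        kept.append(record)
    if records and not kept:
        return "DNS_NOTFOUND", [], "All records suppressed by policy filter"
    return "DNS_OK", kept, ""

if __name__ == "__main__":
    for label, reply in (("google AAAA", GOOGLE_ONLY_REPLY),
                         ("other MX AAAA", OTHER_MX_REPLY),
                         ("google A", GOOGLE_A_REPLY)):
        status, kept, diag = apply_reply_filter(reply)
        print(f"{label}: {status}, {len(kept)} record(s) kept {diag}")
```

Because the rule is evaluated per record, a non-Google MX host's AAAA reply for the same nexthop domain passes untouched while the Google host's AAAA lookup collapses to DNS_NOTFOUND, which is the per-host specificity asked about in the quoted text.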