On 09-12-15 17:46, sb wrote:
>
> In what follows, "(secure)" means authenticated DNSSEC response,
> "(insecure)" means spoofable DNS response.
>
>> ... Received: from spike.porcupine.org (spike.porcupine.org
>> [IPv6:2604:8d00:189::2]) by english-breakfast.cloud9.net
>> (Postfix) with ESMTP id E5B44331FA3 for
>> <postfix-users@postfix.org>; Mon, 7 Dec 2015 13:19:20 -0500
>> (EST) Received: by spike.porcupine.org (Postfix, from userid
>> 1001) id 3pDtFh4YYszJrQ6; Mon, 7 Dec 2015 13:19:20 -0500 (EST)
>
>> unbound-host -rvD spike.porcupine.org <snip>
>> unbound-host -rvD postfix.org <snip>
>
>> /opt/org.OpenServer/port-53/sbin/unbound-host -rvD
>> mail.cloud9.net <snip>
>
Most DNSxLs are IP-based, not hostname-based. The client's IP is provided by the TCP/IP stack of our own server. No DNSSEC needed.

>
> Is there a good DNSWL we can use?
>
>> unbound-host -rvD 7.1.100.168.list.dnswl.org
> unbound-host -rvD 7.1.100.168.list.dnswl.org <snip>
>
> So, postfix.org e-mail originates from a non-whitelisted IP,
> assuming we checked the right IPs for lack of DNSSEC.
>

If you need more trust in DNSxL data retrieval, then sign up and pay for list access, and be able to retrieve the data using a secure and authenticated channel. Asking list providers to DNSSEC-sign their zones would also be picked up a lot faster when you're a paying customer (but I think that practical/technical reasons would make this a hard nut to crack anyway).

If you're afraid that someone spoofs/hijacks DNSxL results, then combine multiple DNSxL results into the decision using weighted queries in postscreen. Spoofing/hijacking multiple DNSBLs is a lot harder than a single one.

Your insistence on DNSSEC for DNSxL data is unnecessary and uncalled for, IMHO.

>
> Is there a good DNSBL we can use?
>
> Let us check an IP that delivered spam.
> <snip>
> Perhaps a less known DNSBL would do?
>
> http://multirbl.valli.org/lookup/78-134-2-123.v4.ngi.it.html
>

No, it does not. However, it does list the IP address for multiple lists, 9 at this moment (of which a few I would trust to use on my servers).

>
> In summary, the spammer's reputation is neither good nor bad. Just
> like postfix, the filter would let the e-mail through.
>

Anyway, DNSxL usage is not about a single edge case, it's about the big numbers: if you're able to block 70% of incoming spam quickly using DNSBLs, it means you can spend more resources on the remaining 30%.

Kind regards,
Tom