On 3/04/19 01:16, Wietse Venema wrote:

> I prefer to remove the ability to disable safety mechanisms.

And in your initial response, you also wrote:

> Probably better to not allow a limit-less smtp_mx_address_limit,
> as it makes Postfix vulnerable to resource exhaustion attack.

Both responses seem to translate to "I prefer to remove the ability to
set smtp_mx_address_limit to zero".

As I said, that's fine with me.


My only comment is that this won't bring you much.

As you indicate yourself, people would still have the ability to
effectively disable the safety mechanism (by setting
smtp_mx_address_limit to one bazillion or so).

The only difference is that, if they really want to get rid of the
limit, they would (have to) disable it in an undocumented way.

So, given that you can't prevent people from shooting themselves in the
foot anyway, it seems more logical to let them do it in the (currently)
documented way.


This being said, I personally don't really care whether the ability to
set smtp_mx_address_limit to zero is fixed or removed, but something has
to be done.

As it stands now, people can still set it to zero ...

>
> ... and watch their mail queues melt down.
>

... because of all the mail that will get stuck in the queue with
"server unavailable or unable to receive mail" for _any_ MX that has
_both_ A and AAAA records.

One of each is enough to trigger the bug, even if they would all respond
if Postfix bothered to try. But it doesn't. It simply defers the mail
until it eventually expires and bounces.



Anyway, I have reported the issue and am happy to leave it at that.

Luc
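A configuration check for the setting discussed in this thread, added here as an example and not code from the thread or from Postfix itself: it parses main.cf-style text and flags smtp_mx_address_limit set to zero (the documented way to lift the limit) or to a very large value (the effectively-disabling way). The ceiling of 1000 and the sample main.cf are assumptions constructed for the example.

```python
"""Lint a Postfix main.cf fragment for smtp_mx_address_limit values that
disable the MX address cap. Added example; not part of the thread or Postfix."""
import re

PARAM = "smtp_mx_address_limit"
SUSPICIOUS_CEILING = 1000  # assumed threshold for "effectively unlimited"

# Constructed sample main.cf fragment, not taken from any real system.
SAMPLE_MAIN_CF = """\
# constructed example configuration
myhostname = mx.example.test
smtp_mx_address_limit = 0
"""


def parse_main_cf(text):
    """Parse 'name = value' lines; lines starting with whitespace continue
    the previous value, '#' lines are comments."""
    params = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and current:
            params[current] += " " + raw.strip()
            continue
        m = re.match(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*)$", raw)
        if m:
            current = m.group(1)
            params[current] = m.group(2).strip()
    return params


def check_mx_address_limit(text, ceiling=SUSPICIOUS_CEILING):
    """Return (status, value): 'fail' for 0, 'warn' for values at or above
    the ceiling, 'error' for non-numeric, 'ok' otherwise (None if unset)."""
    value = parse_main_cf(text).get(PARAM)
    if value is None:
        return ("ok", None)          # Postfix default applies
    if not value.isdigit():
        return ("error", value)
    n = int(value)
    if n == 0:
        return ("fail", n)           # zero lifts the limit and triggers the deferral bug
    if n >= ceiling:
        return ("warn", n)           # huge value: limit disabled in all but name
    return ("ok", n)


if __name__ == "__main__":
    print(check_mx_address_limit(SAMPLE_MAIN_CF))
```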
