On Mon, Oct 04, 2021 at 09:25:51AM -0400, Wietse Venema wrote:

> /etc/postfix/main.cf:
>     smtpd_dns_reply_filter = pcre:/etc/postfix/numeric-mx.pcre
> 
> /etc/postfix/numeric-mx.pcre:
>     # /domain. ttl IN MX pref address/ action, all case-insensitive.
>     /^\S+\s+\S+\s+\S+\s+MX\s+\d+\s+[a-f0-9.:]+$/ IGNORE

That regular expression would reject domains like "badf00d.de", though
that particular one has an extra non-hex label for its MX host...

A better regular expression would reject 1 to 4 dotted all decimal
labels, or any name with zero or more hex digits followed by a ":".

    # /domain. ttl IN MX pref address/ action, all case-insensitive.
    /^\S+\s+\S+\s+\S+\s+MX\s+\d+\s+(?:(?:\d+[.]){1,4}$|[a-f0-9]*:)/ IGNORE

> Since the offending site has only one MX record, that should
> block their mail.

The IGNORE does not appear to cause "reject_unknown_sender_domain" to
fail:

     reject_unknown_mailhost: lacksoft.se
     lookup lacksoft.se type MX flags
     dns_query: lacksoft.se (MX): OK
     dns_query: reply len=59 ancount=1 nscount=0
     dns_get_answer: type MX for lacksoft.se
     warning: numeric domain name in resource data of MX record for lacksoft.se: 195.162.24.110
     dict_pcre_lookup: /etc/postfix/numeric-mx.pcre: lacksoft.se. 604 IN MX 10 195.162.24.110.
     maps_find: smtpd_dns_reply_filter: pcre:/etc/postfix/numeric-mx.pcre(0,lock|fold_fix): lacksoft.se. 604 IN MX 10 195.162.24.110. = IGNORE
     ignoring DNS RR: lacksoft.se. 604 IN MX 10 195.162.24.110.
     warning: lacksoft.se: MX or address lookup error: DNS reply filter drops all results
     generic_checks: name=reject_unknown_sender_domain status=0

> Postfix allows numeric MX names because long ago, people complained
> that it worked with other systems but not Postfix. Maybe it is time to
> deprecate that workaround.

Address-valued MX records IIRC appear to be more popular in Brazil than
elsewhere; there are likely still some domains getting away with this
malpractice.

Don't know how Gmail et al. handle this.  You might be able to find
out.  If a receiving system the size of Gmail rejects this, then Postfix
can probably do likewise.

-- 
    Viktor.

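The following is an added example, not part of this thread and not Postfix code: it runs both smtpd_dns_reply_filter patterns from the message above over constructed resource records written in the "domain. ttl IN MX pref address." form shown in the debug log, using Python's re module as a stand-in for the PCRE engine Postfix uses for pcre: tables. The sample records other than the lacksoft.se one are constructed for illustration, and the IPv6 literal is assumed to reach the filter in that textual form.

```python
import re

# Added example, not part of the mailing-list thread or of Postfix itself.
# Python's re module stands in for the PCRE engine behind Postfix pcre: tables;
# for these two patterns the syntax is identical. pcre_table(5) matches
# case-insensitively by default, hence re.IGNORECASE.

# Wietse's original pattern from the thread: any MX host consisting only of
# hex digits, dots and colons. A legitimate name such as "badf00d.de." is
# made entirely of hex characters and therefore matches too.
ORIGINAL = re.compile(r'^\S+\s+\S+\s+\S+\s+MX\s+\d+\s+[a-f0-9.:]+$',
                      re.IGNORECASE | re.ASCII)

# Viktor's refined pattern: either 1 to 4 dotted all-decimal labels that end
# the record (an IPv4 literal), or zero or more hex digits followed by ':'
# (an IPv6 literal). Hostnames with a letter-only label no longer match.
REFINED = re.compile(
    r'^\S+\s+\S+\s+\S+\s+MX\s+\d+\s+(?:(?:\d+[.]){1,4}$|[a-f0-9]*:)',
    re.IGNORECASE | re.ASCII)


def filter_action(pattern, rr):
    """Return the table action for one RR, or None when the RR is left alone.

    Postfix hands each record to smtpd_dns_reply_filter as
    "domain. ttl IN MX pref address." (note the trailing dot, as in the log).
    """
    return "IGNORE" if pattern.search(rr) else None


# Constructed sample RRs in the format the debug log shows.
SAMPLES = [
    "lacksoft.se. 604 IN MX 10 195.162.24.110.",      # IPv4 literal as MX host (from the log)
    "example.com. 3600 IN MX 10 2001:db8::1.",        # constructed IPv6 literal as MX host
    "example.com. 3600 IN MX 10 badf00d.de.",         # constructed all-hex but legitimate name
    "example.com. 3600 IN MX 10 mail.example.com.",   # ordinary MX host
]


def compare(samples=SAMPLES):
    """Map each RR to (original action, refined action) so the difference is visible."""
    return {rr: (filter_action(ORIGINAL, rr), filter_action(REFINED, rr))
            for rr in samples}


if __name__ == "__main__":
    for rr, (orig, refined) in compare().items():
        print(f"{rr:46s} original={orig or 'pass'} refined={refined or 'pass'}")
```

Both patterns drop the lacksoft.se record and the IPv6 literal; only the original pattern also drops the all-hex hostname, which is the false positive the refined alternation avoids. Dropping the sole MX record makes reject_unknown_sender_domain return status=0, as the log shows, because an empty filtered reply is treated as a lookup error rather than a definitive "unknown".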