On 30/05/2022 06:44, Peter wrote:
> We're now starting to see some IPv6 DNSRBLs (eg: bl.ipv6.spameatingmonkey.net).
> It occurs to me that postscreen and postfix should only be sending IPv4 requests
> to IPv4-specific DNSRBLs and IPv6 requests to IPv6-specific lists.

I brooded about this some years ago.
The best I came up with was to create two smtpd_restriction_classes - ipv6tests
and ipv4tests.
A CIDR-based Access Control List ended with the catch-all entries:

    ::/0        ipv6tests
    0.0.0.0/0   ipv4tests

Previous entries in the ACL would allow favoured net-blocks to bypass the tests,
or disallow "bad" net-blocks altogether.
I didn't actually implement this for DNSRBLs, as it wouldn't have worked with
postscreen where all my DNSRBL tests are performed, but the principle has been
used successfully elsewhere.
Somewhere on one of my older machines is a script to probe DNSRBLs with the
RFC5782 test entries, to see which responded to IPv6 & IPv4 probes.
Hope this helps
Allen C
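
A probe of the kind mentioned in the message above, added here as an example; it is not Allen's script. It relies on the RFC 5782 test entries (127.0.0.2 must be listed and 127.0.0.1 must not for IPv4 lists; ::FFFF:7F00:2 must be listed and ::FFFF:7F00:1 must not for IPv6 lists). The function names and the zone dnsbl.example.invalid are hypothetical.

```python
import ipaddress
import socket
import sys

# RFC 5782 section 5 test entries per address family:
# (address that MUST be listed, address that MUST NOT be listed).
TEST_ENTRIES = {
    4: ("127.0.0.2", "127.0.0.1"),
    6: ("::ffff:7f00:2", "::ffff:7f00:1"),
}

def dnsbl_qname(address, zone):
    """Query name for a DNSxL: reversed octets (IPv4) or reversed nibbles (IPv6)."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        labels = reversed(str(ip).split("."))
    else:
        labels = reversed(f"{int(ip):032x}")
    return ".".join(labels) + "." + zone

def a_lookup(name):
    """True if the name resolves to an A record. NXDOMAIN and resolver
    failures both count as 'not listed' here, so re-run before trusting a miss."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False

def probe(zone, lookup=a_lookup):
    """Report, per address family, how the zone answers the RFC 5782 probes."""
    report = {}
    for family, (must_list, must_not_list) in TEST_ENTRIES.items():
        if lookup(dnsbl_qname(must_not_list, zone)):
            report[family] = "wildcard"      # answers for everything: do not use
        elif lookup(dnsbl_qname(must_list, zone)):
            report[family] = "supported"
        else:
            report[family] = "unsupported"
    return report

if __name__ == "__main__":
    if len(sys.argv) > 1:                    # live probe of the zones given
        for zone in sys.argv[1:]:
            print(zone, probe(zone))
    else:                                    # offline demo, constructed data
        zone = "dnsbl.example.invalid"       # hypothetical IPv4-only list
        listed = {dnsbl_qname("127.0.0.2", zone)}
        print(zone, probe(zone, lookup=lambda name: name in listed))
```

A zone reported as "unsupported" for one family is a candidate for being queried only from the other family's restriction class.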