From: Greg A. Woods (woodsweird.com)
Date: Mon Jul 02 2001 - 14:17:47 CDT

    [ On Monday, July 2, 2001 at 13:19:46 (-0400), John wrote: ]
    > Subject: reverse lookups without forward lookups
    >
    > I have a (hopefully) quick question: For IPs that resolve to a
    > hostname that doesn't resolve back to them (i.e., 192.168.0.15 is
    > trusted.postfix.org, but trusted.postfix.org is not 192.168.0.15),
    > what is the access restriction that would block these IPs?

    I'm not quite sure yet how to do that in postfix, though there may well
    already be a way. I've done it in the past with TCP Wrappers, and now
    with new custom code I wrote in Smail that generates a very explicit
    reject message.

    It is, after all, the right thing to do. Any such discrepancy in the DNS
    is programmatically indistinguishable from a DNS spoofing attack.

    > Another question, would it be a good idea/bad idea to implement
    > this in an ISP environment?

    Been there, done that, and it's still working! There are indeed a few
    really ignorant sysadmins out there who don't have a clue and refuse to
    accept one even when it's handed to them on a silver platter (and of
    course a clue-by-4 usually has no effect on the worst of them, other
    than to make them retaliate). Luckily most of the admins out there who
    have systems suffering from such mis-configuration are very grateful
    that we've pointed out their problems. Some expect an excessive amount of
    support from us. Some of them still want an instant fix and don't seem
    to realise that change is never "instant" in the DNS (and some have been
    rather silly at setting extremely long TTLs, eg. two weeks in one case! ;-).

    -- 
    							Greg A. Woods
    

    +1 416 218-0098 VE3TCP <gwoodsacm.org> <woodsrobohack.ca> Planix, Inc. <woodsplanix.com>; Secrets of the Weird <woodsweird.com>
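
The check discussed in this message (a client IP whose PTR name does not resolve back to that IP) is commonly called forward-confirmed reverse DNS. The sketch below is an added example, not code from the post or from Postfix, Smail or TCP Wrappers; the function names, the verdict strings and the constructed lookup tables (including the 10.1.1.1 and mail.example.net entries) are assumptions so that it runs offline.

```python
import ipaddress
import socket

def system_ptr(ip):
    """PTR lookup through the system resolver; returns a list of names."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [name] + aliases

def system_forward(name):
    """Forward (A/AAAA) lookup through the system resolver."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except socket.gaierror:
        return []

def fcrdns(ip, ptr_lookup=system_ptr, forward_lookup=system_forward):
    """Return (verdict, name): 'confirmed', 'mismatch' or 'no-ptr'."""
    client = ipaddress.ip_address(ip)
    names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    if not names:
        return ("no-ptr", None)
    for name in names:
        for addr in forward_lookup(name):
            try:
                # Compare parsed addresses, not strings, so that
                # differently written IPv6 forms still match.
                if ipaddress.ip_address(addr) == client:
                    return ("confirmed", name)
            except ValueError:
                continue  # e.g. scoped address the parser rejects
    # A PTR exists but no name maps back: the discrepancy the post
    # calls indistinguishable from DNS spoofing.
    return ("mismatch", names[0])

# Constructed sample data standing in for the DNS (not real records).
SAMPLE_PTR = {"192.168.0.15": ["trusted.postfix.org."],
              "192.168.0.20": ["Mail.Example.NET"]}
SAMPLE_A = {"trusted.postfix.org": ["10.1.1.1"],
            "mail.example.net": ["192.168.0.20"]}

def fake_ptr(ip):
    return SAMPLE_PTR.get(ip, [])

def fake_forward(name):
    return SAMPLE_A.get(name, [])

if __name__ == "__main__":
    for ip in ("192.168.0.15", "192.168.0.20", "192.168.0.99"):
        print(ip, fcrdns(ip, fake_ptr, fake_forward))
```

Calling `fcrdns(ip)` with no lookup arguments uses the system resolver instead of the constructed tables.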