On Wed, Jan 01, 2025 at 08:13:35PM -0500, Greg Klanderman via Postfix-users
wrote:

> I'm fine with allowing a little probing, especially if the host doing
> so has reverse DNS set up, which I assume you do. But I do not see
> any trace of 'dnssec-tools.org' in my logs; is that the domain you are
> using for the host(s) doing the probing?

The web page and survey engine are separate, the engine runs on
"dnssec-stats.ant.isi.edu". And you'd only see connections if
your MX host has DNSSEC-signed TLSA records for _25._tcp.

> I just noticed a single unknown host is connecting ~1000x per day,
> with fingerprint 'ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4' so
> that's my first target.

If you take volume into account, you should be fine with "responsible"
survey engines. You could do some IPv4 aggregation at /26 or so and
IPv6 at roughly /48.

--
Viktor.
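
The aggregation suggested above, as an added example that is not part of the original message: it counts Postfix smtpd "disconnect" lines per /26 (IPv4) or /48 (IPv6) so that volume is judged per network rather than per address. The log lines are constructed, and the function names and the threshold are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Postfix smtpd "disconnect" format (documentation address ranges).
SAMPLE_LOG = """\
Jan  1 10:00:01 mx postfix/smtpd[1001]: disconnect from unknown[192.0.2.10] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jan  1 10:00:05 mx postfix/smtpd[1002]: disconnect from unknown[192.0.2.33] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jan  1 10:00:09 mx postfix/smtpd[1003]: disconnect from unknown[192.0.2.62] ehlo=1 auth=0/1 rset=1 quit=1 commands=3/4
Jan  1 10:01:00 mx postfix/smtpd[1004]: disconnect from scan.example.net[192.0.2.70] ehlo=1 starttls=1 quit=1 commands=3
Jan  1 10:02:00 mx postfix/smtpd[1005]: disconnect from unknown[2001:db8:1:a::5] ehlo=1 auth=0/1 quit=1 commands=2/3
Jan  1 10:02:30 mx postfix/smtpd[1006]: disconnect from unknown[2001:db8:1:b::9] ehlo=1 auth=0/1 quit=1 commands=2/3
Jan  1 10:03:00 mx postfix/smtpd[1007]: disconnect from mail.example.org[198.51.100.7] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
"""

# Captures the client address from "disconnect from host[addr]".
DISCONNECT = re.compile(r"postfix/smtpd\[\d+\]: disconnect from \S+?\[([0-9A-Fa-f:.]+)\]")


def aggregate(addr, v4_len=26, v6_len=48):
    """Return the covering network: /26 for IPv4, /48 for IPv6 (the sizes from the message)."""
    ip = ipaddress.ip_address(addr)
    plen = v4_len if ip.version == 4 else v6_len
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)


def count_by_prefix(log_text):
    """Count smtpd sessions per aggregated prefix; lines with unparsable addresses are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DISCONNECT.search(line)
        if not m:
            continue
        try:
            counts[str(aggregate(m.group(1)))] += 1
        except ValueError:
            continue
    return counts


def over_threshold(counts, limit):
    """Prefixes with at least `limit` sessions; `limit` is a hypothetical per-period budget."""
    return sorted(p for p, n in counts.items() if n >= limit)


if __name__ == "__main__":
    for prefix, n in count_by_prefix(SAMPLE_LOG).most_common():
        print(f"{n:6d}  {prefix}")
```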