On Thu, Feb 16, 2012 at 03:20:30PM -0500, Michael Orlitzky wrote:
> On 02/16/2012 12:13 PM, Dipl.-Ing. Juergen Ladstaetter wrote:
> >
> >yet. Is there any way to configure postfix to always make MX
> >record DNS lookups, or is the only way through a second postfix
> >instance that has no localdomains specified?
>
> Even with two instances you could have problems.
>
> For example, your users might have aliases that get expanded on the
> incoming instance, where the maps are controlled by customers. If
> one of your customers sets up example.com, and has u...@example.com
> aliased to u...@example.net hosted elsewhere, they could be open to
> another customer stealing the example.net mail.

If there is a way to force all alias expansion to go through the
"clean" instance, this might work. Only thing I can think of is to
append a domain component to all such names as used in aliasing,
stripping it off on the way out. Then if it's valid, the "clean"
relayhost would pass it right back.

u...@example.com        u...@example.net.Juergen

Maybe either generic(5) maps on the "dirty" instance, or canonical(5)
on the "clean" one, could strip this out and send it properly.

> One instance per customer is /probably/ safe, but I wouldn't swear
> to it without some more thought.

At least in that case they'd only have themselves to blame. :)

I would also consider periodic automated DNS checks which would
disable any domain where DNS points elsewhere. (Or at least alert
administrators to check on it.)
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
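
The periodic DNS check suggested in the reply above, sketched as an added example that is not part of the original message or of Postfix. The hostnames, the sample records and the disable-versus-alert policy are assumptions; `dig_mx` assumes `dig` is installed and is only used when no other resolver is passed in.

```python
import subprocess

def dig_mx(domain):
    """Return MX target names for a domain using `dig +short MX`."""
    out = subprocess.run(["dig", "+short", "MX", domain], capture_output=True,
                         text=True, timeout=10, check=True).stdout
    rows = [line.split() for line in out.splitlines()]
    # Keep only "<preference> <target>" rows; CNAME lines have a single field.
    return [r[1] for r in rows if len(r) == 2 and r[0].isdigit()]

def norm(host):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return host.rstrip(".").lower()

def check_domain(domain, our_mx, resolve_mx=dig_mx):
    """Classify one hosted domain as ("ok" | "alert" | "disable", reason)."""
    ours = {norm(h) for h in our_mx}
    try:
        targets = {norm(t) for t in resolve_mx(domain)}
    except Exception as exc:
        # A failed lookup proves nothing: never disable on it, just alert.
        return ("alert", f"lookup failed: {exc}")
    if not targets:
        # Empty +short output can be NXDOMAIN, SERVFAIL or no MX at all.
        return ("alert", "no MX records returned")
    foreign = sorted(targets - ours)
    if not foreign:
        return ("ok", "all MX targets are ours")
    if targets & ours:
        # Could be a legitimate backup MX, so leave the decision to a human.
        return ("alert", "mixed MX: " + ", ".join(foreign))
    return ("disable", "MX points elsewhere: " + ", ".join(foreign))

def audit(domains, our_mx, resolve_mx=dig_mx):
    return {d: check_domain(d, our_mx, resolve_mx) for d in domains}

# Constructed sample data so the check can be exercised offline.
OUR_MX = ["mx1.hoster.example"]
SAMPLE_MX = {"example.com": ["mx1.hoster.example."],
             "example.net": ["MX.Elsewhere.example."],
             "example.org": ["mx1.hoster.example.", "backup.other.example."],
             "example.edu": []}

def sample_resolver(domain):
    if domain not in SAMPLE_MX:
        raise TimeoutError("constructed lookup failure")
    return SAMPLE_MX[domain]

if __name__ == "__main__":
    domains = list(SAMPLE_MX) + ["broken.example"]
    for dom, (action, why) in audit(domains, OUR_MX, sample_resolver).items():
        print(f"{dom}: {action} ({why})")
```

Only a positive answer listing foreign MX targets leads to "disable"; anything ambiguous is left as an alert for an administrator.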