Thank you both very much. That input was very good and I might rethink the strategy we're aiming at. Probably active DNS checks and periodic re-checks are better to ensure some security. Thanks guys
-----Original Message-----
From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of /dev/rob0
Sent: Thursday, February 16, 2012 3:38 PM
To: postfix-users@postfix.org
Subject: Re: forcing MX lookups

On Thu, Feb 16, 2012 at 03:20:30PM -0500, Michael Orlitzky wrote:
> On 02/16/2012 12:13 PM, Dipl.-Ing. Juergen Ladstaetter wrote:
> >
> >yet. Is there any way to configure postfix to always make MX record
> >DNS lookups, or is the only way through a second postfix instance
> >that has no localdomains specified?
>
> Even with two instances you could have problems.
>
> For example, your users might have aliases that get expanded on the
> incoming instance, where the maps are controlled by customers. If one
> of your customers sets up example.com, and has u...@example.com
> aliased to u...@example.net hosted elsewhere, they could be open to
> another customer stealing the example.net mail.

If there is a way to force all alias expansion to go through the
"clean" instance, this might work. Only thing I can think of is to
append a domain component to all such names as used in aliasing,
stripping it off on the way out. Then if it's valid, the "clean"
relayhost would pass it right back.

u...@example.com    u...@example.net.Juergen

Maybe either generic(5) maps on the "dirty" instance, or
canonical(5) on the "clean" one, could strip this out and send it
properly.

> One instance per customer is /probably/ safe, but I wouldn't swear to
> it without some more thought.

At least in that case they'd only have themselves to blame. :)

I would also consider periodic automated DNS checks which would
disable any domain where DNS points elsewhere. (Or at least alert
administrators to check on it.)
-- 
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
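
The periodic DNS check suggested at the end of the message above, sketched as an added example that is not part of the thread or of Postfix: it compares each customer-configured domain's MX targets with the server's own MX names and separates "disable" candidates from "alert only" cases. The names in `OUR_MX`, the sample domains and `SAMPLE_DNS` are constructed assumptions; how a flagged domain is then disabled is left to the operator.

```python
import subprocess

# Assumption: the MX hostnames that point at this mail server.
OUR_MX = {"mx1.hoster.example", "mx2.hoster.example"}

def dig_mx(domain):
    """MX targets via dig(1). dig exits non-zero only when no server replied;
    NXDOMAIN or SERVFAIL give empty output and end up classified as no_mx."""
    out = subprocess.run(["dig", "+short", "MX", domain], capture_output=True,
                         text=True, timeout=10, check=True).stdout
    return [f[1] for f in (l.split() for l in out.splitlines()) if len(f) == 2]

def normalize(host):
    return host.rstrip(".").lower()

def check_domain(domain, resolve=dig_mx, ours=OUR_MX):
    try:
        targets = {normalize(h) for h in resolve(domain)}
    except Exception:
        return "lookup_failed"      # transient error: never disable on this
    if not targets:
        return "no_mx"              # delivery may fall back to the A record
    ours = {normalize(h) for h in ours}
    if targets <= ours:
        return "ok"
    return "mixed" if targets & ours else "elsewhere"

def audit(domains, resolve=dig_mx, ours=OUR_MX):
    """Return (status per domain, domains to disable, domains needing review)."""
    results = {d: check_domain(d, resolve, ours) for d in domains}
    disable = sorted(d for d, s in results.items() if s == "elsewhere")
    alert = sorted(d for d, s in results.items()
                   if s in ("no_mx", "mixed", "lookup_failed"))
    return results, disable, alert

# Constructed sample data standing in for live DNS answers.
SAMPLE_DNS = {
    "customer-a.example": ["MX1.hoster.example."],
    "example.net": ["mail.elsewhere.example."],
    "customer-b.example": ["mx2.hoster.example.", "backup.other.example."],
    "customer-c.example": [],
}

def sample_resolve(domain):
    return SAMPLE_DNS[domain]       # KeyError for unknown names models a failed lookup
```

Run from cron against the list of customer-configured domains, only the "elsewhere" list is a candidate for automatic disabling; lookup failures and partial matches go to an administrator instead.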