On 26 Feb 2014, at 07:46, Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:

> On Wed, Feb 26, 2014 at 07:43:25AM +0100, Erwan David wrote:
> 
>>> The local resolver can have the resolvers on the LAN configured as 
>>> forwarders, but you need the local stub resolver. No reason not to have 
>>> one, really, especially on a busy mail server.
>> 
>> However your "local" resolver could be in another jail/zone/container
>> (depending on your OS) with another IP address and not the loopback.
>> 
>> You could also have an IPsec link to your resolver, so that you can
>> trust that you use the right one. This 127.0.0.1 (or ::1) is, in my
>> opinion, too restrictive, but you do need a trusted link between your
>> Postfix and your resolver.
> 
> Yes, of course.  In practice, for most users, the local resolver
> is by far the simplest configuration.

And therefore the most reliable and predictable in the vast majority of 
cases, because it is not dependent on ifs and buts. It also has the 
smallest attack surface, and is most likely to survive any 'changing of 
the guards' over the lifetime of a setup.

Restrictive is a Good Thing, IMO; there's already much of the stack 
that is viewed as open for interpretation because people think they 
know better, or because someone's edge case was interpreted as 
applicable to everything.

So please, let's stick with the clear-cut, restrictive advice; it's 
what a lot of people will be digging up from the archives for years to 
come, as DNSSEC and DANE go mainstream :-)

Kind regards,
Joni
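The loopback-resolver setup the quoted messages describe, as an added example that is not part of this thread and is not code from Postfix or Unbound: a validating resolver on 127.0.0.1/::1 that forwards to the LAN resolvers, plus two checks a practitioner would run before turning on DANE. The check verifies (1) that resolv.conf points only at the loopback, so the AD bit cannot be stripped or forged in transit, and (2) that answers from that resolver actually carry the AD flag. The Unbound configuration, the 192.0.2.x resolver addresses, the mail.example.org host and the dig output are assumptions; the resolv.conf and dig samples are constructed so the checks run offline.

```shell
#!/bin/sh
# Added example for this thread; not code from the list, from Postfix or
# from Unbound. It checks the two things the loopback-resolver advice
# depends on:
#   1. Postfix's stub resolver (resolv.conf) points only at the loopback,
#      so the AD bit cannot be forged or stripped on the wire;
#   2. answers from that resolver carry the AD flag, i.e. DNSSEC
#      validation happened locally.
# Reference configuration this assumes (Unbound on the loopback forwarding
# to the LAN resolvers; addresses are illustrative):
#   unbound.conf:   server:
#                       interface: 127.0.0.1
#                       interface: ::1
#                       auto-trust-anchor-file: "/var/lib/unbound/root.key"
#                   forward-zone:
#                       name: "."
#                       forward-addr: 192.0.2.53   # LAN resolver (assumed)
#                       forward-addr: 192.0.2.54   # LAN resolver (assumed)
#   resolv.conf:    nameserver 127.0.0.1
#   main.cf:        smtp_dns_support_level = dnssec
#                   smtp_tls_security_level = dane

# Exit 0 when every "nameserver" line in the resolv.conf text given as $1
# is 127.0.0.1 or ::1 and at least one such line exists. A LAN address
# mixed in is a failure: the libc resolver may fail over to it.
resolv_conf_is_loopback() {
    printf '%s\n' "$1" | awk '
        $1 == "nameserver" {
            n++
            if ($2 != "127.0.0.1" && $2 != "::1") bad++
        }
        END { exit (n == 0 || bad > 0) }'
}

# Exit 0 when the dig output given as $1 has the AD flag in its header,
# meaning the resolver that answered validated the data itself.
dig_answer_is_authenticated() {
    printf '%s\n' "$1" | awk '
        /^;; flags:/ {
            for (i = 3; i <= NF; i++) {
                f = $i
                last = sub(/;$/, "", f)   # the flag list ends at the ";"
                if (f == "ad") found = 1
                if (last) break
            }
        }
        END { exit !found }'
}

# Live check against the running system, used only when an MX hostname is
# given on the command line. Assumes dig is installed.
check_live() {
    if ! resolv_conf_is_loopback "$(cat /etc/resolv.conf 2>/dev/null)"; then
        echo "FAIL: /etc/resolv.conf must list only 127.0.0.1 and/or ::1"
        return 1
    fi
    out=$(dig @127.0.0.1 +dnssec +time=2 +tries=1 TLSA "_25._tcp.$1" 2>/dev/null) || true
    if dig_answer_is_authenticated "$out"; then
        echo "OK: validated (AD) TLSA answer for _25._tcp.$1 from the loopback resolver"
    else
        echo "FAIL: no AD flag: resolver not validating, or zone unsigned / no TLSA"
        return 1
    fi
}

# Constructed samples (not real captures) so the checks run offline.
RESOLV_LOOPBACK='nameserver 127.0.0.1
nameserver ::1
search example.org'
RESOLV_LAN='nameserver 127.0.0.1
nameserver 192.0.2.53'
DIG_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
DIG_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'

if resolv_conf_is_loopback "$RESOLV_LOOPBACK"; then echo "loopback sample: accepted"; fi
if ! resolv_conf_is_loopback "$RESOLV_LAN"; then echo "LAN-fallback sample: rejected"; fi
if dig_answer_is_authenticated "$DIG_VALIDATED"; then echo "validated sample: AD set"; fi
if ! dig_answer_is_authenticated "$DIG_UNVALIDATED"; then echo "unvalidated sample: no AD"; fi
if [ -n "${1:-}" ]; then check_live "$1"; fi
```

Run it with an MX hostname as its only argument to check the live system. Two caveats: the LAN forwarders must pass DNSSEC data through (RRSIG records and the DO bit), otherwise the local Unbound cannot validate and the AD flag will never appear; and a missing AD flag on a live query can also mean the target zone is simply unsigned or has no TLSA record, which is a "no DANE" outcome rather than a broken resolver.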
