On Sun, Feb 8, 2009 at 1:35 PM, Victor Duchovni <victor.ducho...@morganstanley.com> wrote: > On Sun, Feb 08, 2009 at 01:23:43PM +0800, jan gestre wrote: > >> > Don't use ISP DNS servers that fabricate A records. >> > >> >> I'm not using our ISP's DNS , I'm using OpenDNS, I'm using OpenDNS >> since way back it's only now that I'm getting this strange behavior in >> my SMTP server. > > You should not use OpenDNS or any similar external DNS forwarder with > Postfix. Especially, when doing RBL lookups. Just run a stand-alone DNS > cache on your system (127.0.0.1). If you are behind a NAT device that > de-randomizes UDP query ports, you are likely vulnerable to the Kaminsky > attack... Running a SOHO incoming mail server is getting increasingly > difficult, you may need a real SMTP server at a hosting facility. >
Postfix is behind a NAT device (pfSense) that does dnsmasq (dns forwarder), no machine is allowed to connect to port 53 except the NAT device. The initial configuration is NAT Firewall > Untangle in bridge mode > postfix, but since telnet to postfix's smtp port produces an odd result when it's behind the Untangle box so I took Untangle out.
