On 16-02-12 23:52, Dipl.-Ing. Juergen Ladstaetter wrote:
> Thank you both very much. That input was very good and I might rethink the
> strategy we're aiming at. Probably active DNS checks and periodic re-checks
> are better to ensure some security. Thanks guys
>

Checking DNS at input time would still suffice. You simply require that
domains entered have their MXen pointing to a predefined set of hosts (your
cluster). They might change their own MX records later on (which will only
harm the customer), but ibm.com will never point its MXen to your cluster,
so no customer can ever enter it.

As long as you don't allow changing the domain itself without a re-check, no
customer will ever be able to configure a domain that has MX records not
controlled by that same customer.

Shops that do hosted exchange etc (google, outlook.com) ask you to
(temporarily) add some unique key/identifier to your DNS zone in order to
prove that you actually own the zone (and the MX records). Same principle,
but a bit more work for the customer.

>
> -----Original Message-----
> From: owner-postfix-us...@postfix.org
> [mailto:owner-postfix-us...@postfix.org] On Behalf Of /dev/rob0
> Sent: Thursday, February 16, 2012 3:38 PM
> To: postfix-users@postfix.org
> Subject: Re: forcing MX lookups
>
> On Thu, Feb 16, 2012 at 03:20:30PM -0500, Michael Orlitzky wrote:
>> On 02/16/2012 12:13 PM, Dipl.-Ing. Juergen Ladstaetter wrote:
>>>
>>> yet. Is there any way to configure postfix to always make MX record
>>> DNS lookups, or is the only way through a second postfix instance
>>> that has no localdomains specified?
>>
>> Even with two instances you could have problems.
>>
>> For example, your users might have aliases that get expanded on the
>> incoming instance, where the maps are controlled by customers. If one
>> of your customers sets up example.com, and has u...@example.com
>> aliased to u...@example.net hosted elsewhere, they could be open to
>> another customer stealing the example.net mail.
>
> If there is a way to force all alias expansion to go through the "clean"
> instance, this might work. Only thing I can think of is to append a domain
> component to all such names as used in aliasing, stripping it off on the way
> out. Then if it's valid, the "clean"
> relayhost would pass it right back.
>
> u...@example.com u...@example.net.Juergen
>
> Maybe either generic(5) maps on the "dirty" instance, or canonical(5) on the
> "clean" one, could strip this out and send it properly.
>
>> One instance per customer is /probably/ safe, but I wouldn't swear to
>> it without some more thought.
>
> At least in that case they'd only have themselves to blame. :)
>
> I would also consider periodic automated DNS checks which would disable any
> domain where DNS points elsewhere. (Or at least alert administrators to
> check on it.)
> --
> http://rob0.nodns4.us/ -- system administration and consulting
> Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
>
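
An added example (not part of the original thread, and not Postfix code) of the input-time MX check and the periodic re-check discussed above. The cluster host names, the sample zone data and the injected lookup_mx resolver are assumptions, as is the strict policy that every MX must be a cluster host.

```python
# Added example: MX ownership check at domain-entry time, plus a periodic re-check.
# CLUSTER_MX and SAMPLE_ZONE are constructed; real code would query DNS instead.
CLUSTER_MX = {"mx1.cluster.example", "mx2.cluster.example"}  # assumed cluster hosts

SAMPLE_ZONE = {  # constructed records: domain -> [(preference, exchange), ...]
    "customer-a.example": [(10, "mx1.cluster.example."), (20, "MX2.Cluster.Example")],
    "bigcorp.example": [(10, "mx.elsewhere.example.")],
    "mixed.example": [(10, "mx1.cluster.example."), (20, "backup.elsewhere.example.")],
    "nomx.example": [],
}

def sample_lookup(domain):
    """Stand-in resolver; raises KeyError for names that do not resolve."""
    return SAMPLE_ZONE[domain]

def normalize(host):
    # DNS names are case-insensitive and may carry a trailing root dot.
    return host.rstrip(".").lower()

def check_domain(domain, lookup_mx, allowed=CLUSTER_MX):
    """Return (ok, reason). Fails closed on lookup errors and missing MX."""
    try:
        records = lookup_mx(normalize(domain))
    except Exception as exc:
        return False, f"lookup failed: {exc!r}"
    if not records:
        # Assumption: no MX means reject, even though SMTP would fall back to A/AAAA.
        return False, "no MX records"
    foreign = {normalize(h) for _, h in records} - {normalize(h) for h in allowed}
    if foreign:
        # Assumption: strict policy, every MX must be a cluster host.
        return False, "MX outside cluster: " + ", ".join(sorted(foreign))
    return True, "all MX records point at the cluster"

def recheck(domains, lookup_mx, allowed=CLUSTER_MX):
    """Periodic pass: map each failing domain to its reason, for disabling or alerting."""
    failures = {}
    for domain in domains:
        ok, reason = check_domain(domain, lookup_mx, allowed)
        if not ok:
            failures[domain] = reason
    return failures

if __name__ == "__main__":
    for name in list(SAMPLE_ZONE) + ["unregistered.example"]:
        print(name, check_domain(name, sample_lookup))
```

Run check_domain when a domain is entered or changed, and run recheck from a scheduled job over the configured domains.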