On 15-11-14 00:00, Viktor Dukhovni wrote:
> On Fri, Nov 14, 2014 at 10:58:08PM +0100, Tom Hendrikx wrote:
>
>> Nov 14 22:55:56 hostname postfix-out/smtp[11505]: Verified TLS
>> connection established to mail.sys4.de[2001:1578:400:111::7]:25:
>> TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
>> Nov 14 22:55:57 hostname postfix-out/smtp[11505]: 66FCB8049:
>> to=<e...@sys4.de>, relay=mail.sys4.de[2001:1578:400:111::7]:25,
>> delay=0.83, delays=0.16/0.05/0.17/0.45, dsn=2.1.5,
>> status=deliverable (250 2.1.5 Ok)
>
> Do keep in mind that if your /etc/resolv.conf does in fact list
> remote DNS caches, the reported security can be illusory. Run a
> local unbound listening on 127.0.0.1, list only that in
> /etc/resolv.conf, and don't let DHCP or other automation replace
> this with some remote nameserver.
>

As described, I run multiple VMs on a single piece of hardware. All the
VMs on that hardware are under my control. I understand the
implications of running a remote DNS cache, but am comfortable in
deciding on the risks.

The repeated *very* pressing advice on this subject in earlier threads
made me think that postfix enforced this setup in the first place,
which proved to be an incorrect assumption. I'm glad I have more
options to choose from.
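
The resolver setup recommended in the quoted text (only a local resolver listed in /etc/resolv.conf, not replaced by DHCP or other automation) can be checked mechanically. This is an added example, not part of the original thread or of Postfix; the function names and sample file contents are constructed, and it assumes glibc stub-resolver behaviour (first three nameserver entries used, local machine queried when none are listed).

```python
import ipaddress

MAXNS = 3  # assumption: glibc uses at most the first three nameserver entries

# Constructed sample: the layout recommended in the quoted text.
LOCAL_ONLY = "# constructed sample\nnameserver 127.0.0.1\n"
# Constructed sample: the same file after a DHCP client rewrote it.
DHCP_REWRITTEN = (
    "; constructed sample\n"
    "search example.net\n"
    "nameserver 192.0.2.53\n"
    "nameserver 127.0.0.1\n"
    "nameserver 2001:db8::53\n"
)

def nameservers(resolv_conf_text):
    """Return the nameserver addresses the stub resolver would use, in order."""
    servers = []
    for raw in resolv_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            servers.append(fields[1])
    # With no nameserver entries the local machine is queried.
    return servers[:MAXNS] or ["127.0.0.1"]

def remote_nameservers(resolv_conf_text):
    """Return the configured nameservers that are not loopback addresses."""
    remote = []
    for addr in nameservers(resolv_conf_text):
        try:
            ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        except ValueError:
            remote.append(addr)              # unparsable: do not assume local
            continue
        if not ip.is_loopback:
            remote.append(addr)
    return remote

if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        bad = remote_nameservers(fh.read())
    # Non-zero exit lets a cron job or monitoring check alert on a rewrite.
    raise SystemExit("non-local nameservers: " + ", ".join(bad) if bad else 0)
```

A loopback entry only shows where queries are sent first; whether the resolver listening there validates DNSSEC itself has to be confirmed separately.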