On 11/25/2014 8:06 AM, Viktor Dukhovni wrote:
On Mon, Nov 24, 2014 at 01:38:15PM -0500, Wietse Venema wrote:

        /etc/postfix/smtp_dns_reply_filter:
            # /domain ttl IN AAAA address/ action, all case-insensitive.
            # Note: the domain name ends in ".".
            /^\S+\.google.com\.\s+\S+\s+\S+\s+AAAA\s+/ IGNORE

The implementation renders a DNS record as a string in the format
that we know from dig(1) and other tools, then matches that string
against a list of lookup tables. Currently, IGNORE is the only
implemented action. It removes the record from the DNS lookup result.

When all DNS lookup result reply records are deleted, it returns a
DNS_NOTFOUND status plus a diagnostic text with "All records
suppressed by policy filter".

There might be cases in which "DNS_NOTFOUND" should be replaced
with "DNS_FAIL" if as a result the RRset becomes empty.

For example, if a domain has MX records, but we drop them all, it
may not be appropriate to then use the A/AAAA records.  Rather, it
seems that such a domain is unreachable.  So the "IGNORE" could
be augmented by:

        IGNORE_FAIL_IF_EMPTY

I can definitely see the utility of that. I think in production I would want "defer if empty" with logging stating that the set of A/AAAA nexthops is empty after filtering. That way I'm not bouncing email on what could, ironically, be a transient DNS issue.
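As an added worked example (not code from the original thread and not Postfix's own implementation), the following Python model captures the filter semantics Wietse describes: each record is rendered in the dig(1) form "name ttl IN TYPE value", matched case-insensitively against `/pattern/ IGNORE` rules with first-match-wins lookup-table semantics, and an RRset emptied by filtering returns a status plus the "All records suppressed by policy filter" text. The empty-set outcome is parameterised so the current DNS_NOTFOUND behaviour, the proposed IGNORE_FAIL_IF_EMPTY (DNS_FAIL) and the "defer if empty" variant can be compared side by side. The sample records and addresses are constructed, the function and class names are mine, and mapping "defer" onto Postfix's DNS_RETRY status is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Record:
    name: str    # fully qualified, ends in "." as in the original note
    ttl: int
    rtype: str   # "A", "AAAA", "MX", ...
    value: str


# Constructed sample RRset (documentation addresses, not real lookups).
SAMPLE_RRSET = [
    Record("mail.google.com.", 300, "AAAA", "2001:db8::25"),
    Record("mail.google.com.", 300, "AAAA", "2001:db8::26"),
    Record("mail.google.com.", 300, "A", "192.0.2.25"),
]

# Rule text in the /pattern/ ACTION form shown in the original message.
RULE_TEXT = r"""
# /domain ttl IN AAAA address/ action, all case-insensitive.
# Note: the domain name ends in ".".
/^\S+\.google.com\.\s+\S+\s+\S+\s+AAAA\s+/ IGNORE
"""

SUPPRESSED_TEXT = "All records suppressed by policy filter"

# Outcome when filtering leaves the RRset empty. "notfound" is the behaviour
# described in the message, "fail" models the proposed IGNORE_FAIL_IF_EMPTY,
# and "defer" maps to DNS_RETRY (assumed mapping for "defer if empty").
EMPTY_POLICY_STATUS = {
    "notfound": "DNS_NOTFOUND",
    "fail": "DNS_FAIL",
    "defer": "DNS_RETRY",
}


def parse_rules(text: str) -> List[Tuple[re.Pattern, str]]:
    """Parse '/regex/ ACTION' lines; '#' comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"/(.*)/\s+(\S+)", line)
        if not m:
            raise ValueError(f"malformed rule: {line!r}")
        pattern, action = m.group(1), m.group(2).upper()
        if action != "IGNORE":
            raise ValueError(f"unsupported action {action!r}: only IGNORE is implemented")
        # Case-insensitive, as the original comment states.
        rules.append((re.compile(pattern, re.IGNORECASE), action))
    return rules


def render(rec: Record) -> str:
    """dig(1)-style presentation: name ttl IN type value."""
    return f"{rec.name} {rec.ttl} IN {rec.rtype} {rec.value}"


def filter_rrset(records: List[Record], rules, empty_policy: str = "notfound"
                 ) -> Tuple[str, List[Record], Optional[str]]:
    """Apply the rules to an RRset and return (status, kept records, diagnostic)."""
    kept = []
    for rec in records:
        text = render(rec)
        # First matching rule wins, like a regexp: lookup table.
        hit = next((act for pat, act in rules if pat.search(text)), None)
        if hit != "IGNORE":
            kept.append(rec)
    if records and not kept:
        return EMPTY_POLICY_STATUS[empty_policy], [], SUPPRESSED_TEXT
    return "DNS_OK", kept, None


if __name__ == "__main__":
    rules = parse_rules(RULE_TEXT)
    only_aaaa = [r for r in SAMPLE_RRSET if r.rtype == "AAAA"]
    print("mixed RRset:", filter_rrset(SAMPLE_RRSET, rules))
    for policy in EMPTY_POLICY_STATUS:
        print(f"AAAA-only RRset, empty_policy={policy}:",
              filter_rrset(only_aaaa, rules, policy))
```

Running it shows the mixed RRset degrading to its single A record with DNS_OK, while the AAAA-only RRset comes back empty with the suppression diagnostic and whichever status the empty-set policy selects; the "defer" branch is the point of the reply above, since a DNS_RETRY-style outcome keeps mail queued instead of bouncing it.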
