----- Message from Wietse Venema <wie...@porcupine.org> ---------
Date: Thu, 21 Oct 2021 08:35:20 -0400 (EDT)
From: Wietse Venema <wie...@porcupine.org>
Reply-To: Postfix users <postfix-users@postfix.org>
Subject: Re: Using a different DNS to ask zen.spamhaus.org for DNSBL info?
To: Postfix users <postfix-users@postfix.org>
Gerben Wierda:
My standard DNS forwards to cloud9 (9.9.9.9) because cloud9 blocks
bad actors. But that means that DNSBL from spamhaus doesn't work, as
the query comes from a public DNS server.
I am using:
# Drop any SMTP client that talks before its turn (spam botnets in a hurry)
postscreen_greet_action = drop
# Drop any SMTP client that is in the DNSBL
postscreen_dnsbl_sites = zen.spamhaus.org*2
postscreen_dnsbl_action = drop
I have a secondary resolver that doesn't forward to cloud9. Can I
use that local DNS instead of the standard one in Postfix, preferably
for postscreen DNSBL only?
Postfix does not choose its DNS resolvers. Instead, Postfix uses
the libresolv system library. Historically, that library has no API
to specify resolver IP address(es), and it is unlikely that Postfix
will implement its own libresolv functionality.
On the wishlist is to have a Postfix resolver *plugin* API, like
Postfix has the XSASL API for different SASL backends (Cyrus,
Dovecot). Then, Postfix could call into alternative resolver
libraries.
Meanwhile, could you use dnsmasq et al. to manage how queries are routed?
Wietse
----- End message from Wietse Venema <wie...@porcupine.org> -----
I asked a similar question to this list a while ago. I use BIND with a
very tight RPZ setup to assist with risk management for our local
network, but wanted to have Postfix have completely open DNS - Wietse
advised then as he has now that Postfix uses libresolv.
I have now set up Unbound as a caching name server on the Postfix
server so it can resolve *anything*, but with Unbound configured to
forward to my local network BIND server for local domain addresses
(private-address, private-domain, local-zone, stub-zone, etc.). The end
result is that Postfix can resolve any valid address but can still
identify all of the local network, including some local zone RPZ
overrides that I have.
Simon.
--
Simon Wilson
M: 0400 12 11 16
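The setup the thread converges on, as an added example that is not part of the original messages or of Postfix itself: since Postfix only ever asks the resolver named in the host's libresolv configuration, the practical fix is a local Unbound that recurses on its own for Internet names (so DNSBL queries leave from the mail server's own address) and forwards only the site's private zone to the internal BIND. The script below writes such an Unbound fragment, builds the reversed-octet DNSBL query name, and classifies a zen.spamhaus.org answer, including the 127.255.255.x codes Spamhaus returns instead of a listing when the query arrives through a public resolver or hits its limits. The domain `example.internal`, the BIND address `192.168.1.53` and the `192.168.0.0/16` range are placeholders, not values from the thread; the `zen_check_via` helper needs `dig` and network access and is included only to show how the resolver under test is selected.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Placeholder names and
# addresses (example.internal, 192.168.1.53, 192.168.0.0/16) are assumptions.
#
# zen.spamhaus.org A-record return codes (Spamhaus documentation):
#   127.0.0.2 .. 127.0.0.11  listed (SBL/XBL/PBL sub-ranges)
#   127.255.255.252          typing error in the query name
#   127.255.255.254          query came via a public/open resolver, refused
#   127.255.255.255          excessive number of queries

# Build the DNSBL query name: reverse the IPv4 octets and append the zone,
# e.g. 192.0.2.10 -> 10.2.0.192.zen.spamhaus.org
dnsbl_qname() {
  ip=$1; zone=$2
  echo "$ip" | awk -F. -v z="$zone" '{ printf "%s.%s.%s.%s.%s\n", $4, $3, $2, $1, z }'
}

# Classify a single A answer from zen.spamhaus.org. An empty answer (NXDOMAIN)
# means "not listed"; the 127.255.255.x codes are errors, not listings, and a
# resolver-routing mistake shows up here as error:public-resolver.
classify_zen_reply() {
  case "$1" in
    "") echo "not-listed" ;;
    127.0.0.2|127.0.0.3|127.0.0.4|127.0.0.5|127.0.0.6|127.0.0.7|127.0.0.8|127.0.0.9|127.0.0.10|127.0.0.11)
        echo "listed" ;;
    127.255.255.254) echo "error:public-resolver" ;;
    127.255.255.252) echo "error:bad-query-name" ;;
    127.255.255.255) echo "error:query-limit" ;;
    *) echo "error:unexpected-$1" ;;
  esac
}

# Live check through one specific resolver (needs dig and network access).
# Usage: zen_check_via 127.0.0.1 192.0.2.10
zen_check_via() {
  resolver=$1; ip=$2
  reply=$(dig +short "@$resolver" "$(dnsbl_qname "$ip" zen.spamhaus.org)" A | head -n 1)
  classify_zen_reply "$reply"
}

# Unbound fragment in the spirit of Simon's setup: recurse from the root for
# everything, forward only the private zone to the site BIND server, and
# accept RFC 1918 answers solely for that zone.
write_unbound_conf() {
  out=$1
  cat > "$out" <<'EOF'
server:
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    private-address: 192.168.0.0/16
    private-domain: "example.internal"

forward-zone:
    name: "example.internal."
    forward-addr: 192.168.1.53
EOF
  echo "$out"
}

# main.cf line that counts only the listing codes, so that a 127.255.255.x
# error answer can never be mistaken for a listing by postscreen.
postscreen_dnsbl_sites_line() {
  echo 'postscreen_dnsbl_sites = zen.spamhaus.org=127.0.0.[2..11]*2'
}
```

With the host's resolv.conf pointing at the local Unbound (127.0.0.1), `zen_check_via 127.0.0.1 <some listed address>` should return `listed`, while the same query sent `@9.9.9.9` returns `error:public-resolver`; the `=127.0.0.[2..11]` filter on `postscreen_dnsbl_sites` is Postfix's documented reply-pattern syntax and keeps the error codes from scoring as hits.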