[RPZ] RPZ and MX

John Hascall john at iastate.edu
Fri Jun 1 16:29:54 UTC 2012

Vernon Schryver <vjs at rhyolite.com> writes:
> Say MX records were not affected by RPZ--then what?  Aren't MX
> records almost always used to look up A records that are usually
> related (obviously or not) to the MX qname?  If MX records were
> excempted, wouldn't the RPZ blacklisting for HTML make most such
> MX records point to SMTP servers in that walled garden?

This is a really good point.  In the particular case in front of me,
no, the MX records for the domain in question point to an external
mail provider, but I can see how this is probably not the usual case.

> Are hosts running HTML clients (browsers) that might be redirected to
> a walled garden likely to legitimately use any MX records other than
> those for a nearby mail submission agent (MSA)?  Should vulernable
> personal computers be sending mail outside the organization via the
> organization's mail system and so the organization's outgoing filters
> to ensure that they are not sending spam, perhaps after a botnet
> infection?  If so, the MX (and other) records for the organization
> could be exempted from RZP rewriting and they'd never notice that
> blacklisted MX records get changed by RPZ into walled garden CNAMEs.

Actually, in our case our central mail servers are using the
main (RPZ-filtered) DNS servers.  I will converse with the mail
team to see if the right approach is to point them at an
unfiltered DNS server.  Thanks.


More information about the DNSfirewalls mailing list