[RPZ] RPZ and MX
john at iastate.edu
Fri Jun 1 16:29:54 UTC 2012
Vernon Schryver <vjs at rhyolite.com> writes:
> Say MX records were not affected by RPZ--then what? Aren't MX
> records almost always used to look up A records that are usually
> related (obviously or not) to the MX qname? If MX records were
> exempted, wouldn't the RPZ blacklisting for HTML make most such
> MX records point to SMTP servers in that walled garden?
This is a really good point. In the particular case in front of me,
no, the MX records for the domain in question point to an external
mail provider, but I can see how this is probably not the usual case.
> Are hosts running HTML clients (browsers) that might be redirected to
> a walled garden likely to legitimately use any MX records other than
> those for a nearby mail submission agent (MSA)? Should vulernable
> personal computers be sending mail outside the organization via the
> organization's mail system and so the organization's outgoing filters
> to ensure that they are not sending spam, perhaps after a botnet
> infection? If so, the MX (and other) records for the organization
> could be exempted from RPZ rewriting and they'd never notice that
> blacklisted MX records get changed by RPZ into walled garden CNAMEs.
Actually, in our case our central mail servers are using the
main (RPZ-filtered) DNS servers. I will converse with the mail
team to see if the right approach is to point them at an
unfiltered DNS server. Thanks.
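
Added example, not part of the original message or of any resolver's code: a simplified Python model of the exchange above, showing where an MTA behind an RPZ-filtered resolver ends up connecting, with and without a hypothetical MX exemption. All names, addresses and the `exempt` parameter are constructed for illustration.

```python
WALLED_GARDEN = "garden.example.net."  # assumed walled-garden host name

# Constructed policy zone: QNAME triggers rewritten to a walled-garden CNAME.
POLICY = {"bad.example.", "*.bad.example.",
          "outsourced.example.", "*.outsourced.example."}

# Constructed authoritative data: (owner, type) -> value.
REAL = {
    ("bad.example.", "MX"): "mail.bad.example.",        # MX inside the listed domain
    ("mail.bad.example.", "A"): "192.0.2.25",
    ("outsourced.example.", "MX"): "mx.provider.example.",  # external mail provider
    ("mx.provider.example.", "A"): "198.51.100.10",
    (WALLED_GARDEN, "A"): "203.0.113.80",
}

def triggered(qname):
    """True if qname matches an exact or wildcard QNAME trigger."""
    if qname in POLICY:
        return True
    labels = qname.split(".")
    return any("*." + ".".join(labels[i:]) in POLICY
               for i in range(1, len(labels) - 1))

def resolve(qname, qtype, exempt=()):
    """Answer as seen through the filtering resolver. `exempt` lists qtypes
    that a hypothetical resolver would leave unrewritten."""
    if triggered(qname) and qtype not in exempt:
        # The rewritten answer follows the policy CNAME to the walled garden.
        return REAL.get((WALLED_GARDEN, qtype))
    return REAL.get((qname, qtype))

def smtp_target(domain, exempt=()):
    """Address an MTA would connect to: the MX target's A record, or the
    domain's own A record when no MX comes back (implicit MX)."""
    mx = resolve(domain, "MX", exempt)
    return resolve(mx or domain, "A", exempt)

if __name__ == "__main__":
    for dom in ("bad.example.", "outsourced.example."):
        print(dom, "filtered:", smtp_target(dom),
              "MX-exempt:", smtp_target(dom, exempt=("MX",)))
```

In this model, exempting MX changes nothing for a domain whose MX target sits inside the listed domain, because the follow-up A lookup is still rewritten; only the externally hosted MX reaches its real server.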