
Disabling reverse-dns lookups for smtpd on connect


Adrian Ulrich

Mar 10, 2005, 3:52:05 PM
Hi,

What bothers me about Postfix is that it
does a reverse DNS lookup for each new connection.

I think it's useless to do this DNS query if I do not
use reject_unknown_client (Well.. it looks nice in the logfile.. ;-) )

I Googled and googled.. and googled, but couldn't find a solution..

Finally, I ended up changing

>if ((aierr = sockaddr_to_hostname(sa, sa_len, &client_name,
> (MAI_SERVNAME_STR *) 0, 0)) !=0) {

..(from smtpd_peer.c) into

> if(1) {

(I know, this breaks reject_unknown_client.. anything else?)

Looks like it works fine.. no reverse lookups anymore..
But is this really the only way to stop Postfix from
doing rDNS lookups?

Does anyone know a better solution?

Thanks,
Adrian

Ralf Hildebrandt

Mar 10, 2005, 3:54:14 PM
* Adrian Ulrich <pf...@blinkenlights.ch>:

> Hi,
>
> What bothers me about postfix is that it
> does a reverse-dns lookup for each new connection.
>
> I think it's useless to do this dns query if i do not
> use reject_unknown_client (Well.. it looks nice in the logfile.. ;-) )

and for check_client_access and for TLS and and and

> Does anyone know a better solution?

Where is the problem with the lookup?

--
Ralf Hildebrandt (Ralf.Hil...@charite.de) spam...@charite.de
http://www.arschkrebs.de/postfix/ Tel. +49 (0)30-450 570-155
"Fifty years of programming language research, and we end up with C++ ???"
- Richard A. O'Keefe.

Adrian Ulrich

Mar 10, 2005, 4:06:48 PM
> and for check_client_access and for TLS and and and

ok, ok..


> Where is the problem with the lookup?

- It slows down busy MXes running Postfix.

- It creates unneeded load on the DNS servers.

- Think about an SMTP-to-SMS gateway running Postfix..
(used for monitoring alerts)
What happens if your monitoring wants to tell you
that one of your DNS servers is down?
The connect to the gateway would take ages .. (ehr.. seconds)
because Postfix can't do an rDNS lookup (-> DNS down).

Maybe the stupid SMTP client would time out and nobody would
get the alert..


-- Adrian


Leeman Strout

Mar 10, 2005, 4:11:58 PM

So why not run a robust DNS solution? I run an amazing 30-user Postfix
server and have a separate caching DNS server just for the mail server.
It's not that hard to set up.


Leeman

Adrian Ulrich

Mar 10, 2005, 4:19:00 PM
> So why not run a robust DNS solution? I run an amazing 30-user
> Postfix server and have a separate caching DNS server just for the
> mail server.
> It's not that hard to set up.

Well.. we've got much more than 30 users here ;-)

We are running a bunch of dnscache servers.. of course:
the 2nd reverse lookup wouldn't be slow anymore..

But I don't see why I should waste CPU and network resources to get
some unneeded information in the logfile..


(We are currently not running Postfix.. but it would be an option to
switch...)

-- Adrian

Wietse Venema

Mar 10, 2005, 4:26:16 PM
Adrian Ulrich:

You can edit source code.

You can even set up a bogus in-addr.arpa. DNS zone to get rid of
reverse lookups (that's what I do on critical servers that must not
be compromised in the event of a bug in system library routines).

Making this configurable would make Postfix too difficult to use.
I refuse to document warnings for all the features that stop working
because no-one would read it anyway.

Wietse
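One way to do what Wietse describes above (an empty in-addr.arpa zone on the resolver the Postfix host uses), as an added example that is not from this thread and not Postfix project code. It assumes BIND 9 syntax; the zone file path and the serial number are constructed values. With this in place every PTR query is answered locally with NXDOMAIN in microseconds, so smtpd never waits on the network and never feeds remote PTR data through the system resolver library, which is the exposure Wietse is avoiding.

```text
// named.conf fragment: make this server authoritative for all of in-addr.arpa.
zone "in-addr.arpa" {
    type master;
    file "/etc/bind/db.empty-in-addr";   // path is an assumption
    allow-update { none; };
};

; /etc/bind/db.empty-in-addr: an SOA and an NS record and nothing else,
; so every PTR query under in-addr.arpa gets NXDOMAIN from this server.
$TTL 86400
@   IN  SOA localhost. hostmaster.localhost. (
            2005031001  ; serial, constructed value
            3600        ; refresh
            900         ; retry
            604800      ; expire
            86400 )     ; negative-cache TTL
@   IN  NS  localhost.
```

To check it, query the resolver directly (for example `dig -x 192.0.2.1 @127.0.0.1`) and confirm the status is NXDOMAIN with no upstream traffic. The trade-off is the one already named in the thread: Postfix will log every client as unknown[address], so reject_unknown_client and any check_client_access entry keyed on a hostname stop matching, and an equivalent empty ip6.arpa zone is needed if the host accepts IPv6 connections. This setting also affects every other program on the host that does reverse lookups, so a dedicated resolver for the mail server, as Leeman suggests, is the cleaner place for it.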

Victor Duchovni

Mar 10, 2005, 5:11:53 PM
On Thu, Mar 10, 2005 at 09:53:54PM +0100, Ralf Hildebrandt wrote:

> * Adrian Ulrich <pf...@blinkenlights.ch>:
> > Hi,
> >
> > What bothers me about postfix is that it
> > does a reverse-dns lookup for each new connection.
> >
> > I think it's useless to do this dns query if i do not
> > use reject_unknown_client (Well.. it looks nice in the logfile.. ;-) )
>
> and for check_client_access and for TLS and and and

The OP does not wish to use the client's domain name for selective blocking.
This is his choice. TLS does not depend on reverse lookups.

> > Does anyone know a better solution?
>
> Where is the problem with the lookup?


High latency raises concurrency, and makes the system more fragile under high
load. Mostly this is not a problem in practice, but if the OP wants to turn
off rDNS, there is no harm.

--
Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


Ralf Hildebrandt

Mar 10, 2005, 5:15:03 PM
* Victor Duchovni <Victor....@MorganStanley.com>:

> This is his choice. TLS does not depend on reverse lookups.

That cannot be correct. Postfix needs to get the peer's name to find
out if it matches the certificate. I would guess this involves a
reverse lookup at least.

Victor Duchovni

Mar 10, 2005, 5:58:32 PM
On Thu, Mar 10, 2005 at 11:14:35PM +0100, Ralf Hildebrandt wrote:

> * Victor Duchovni <Victor....@MorganStanley.com>:
>
> > This is his choice. TLS does not depend on reverse lookups.
>
> That cannot be correct. Postfix needs to get the peer's name to find
> out if it matches the certificate. I would guess this involves a
> reverse lookup at least.
>

No. There is no peer verification for clients, and in any case DNS
is not cryptographically secure, so such lookups could not be
trusted.
