On Tue, Oct 21, 2025 at 08:52:23AM +0200, Antonin Verrier via Postfix-users 
wrote:

> Is there any way to reject mails from domains with useless MX records?

I assume you mean to say that *ALL* the MX records would have to be
"useless", or else at least some minimum count (say 5, if there are
at least 5 MX RRs).  Otherwise, having one or two neglected stale MX
records mixed in with other working records is sadly a mistake that
some senders may not notice.  And on the other hand resolving the
A and AAAA records of every single MX record can be quite expensive,
without a concurrent DNS lookup service.

> I want to reject cases where the MX records themselves are syntactically
> valid, but the name they point to doesn't have any A or AAAA records.

I am sceptical that this is a particularly effective way to stop
unwanted email.  You could always implement this in a "policy service"
that performs the requisite DNS lookups *concurrently*, while limiting
the number of lookups to ~10 MX hosts, chosen from those with the best
(lowest) preference, randomly within each preference value.  Then
reject the message after the first 5 are found to not have addresses,
before any others are found to have them.

You can use Python's async tasks for the DNS lookups, or some other
language that lets you make DNS queries concurrently with only modest
pain.

For portability reasons, Postfix is stuck with libresolv and concurrent
DNS lookups are not used in smtpd(8).  Without concurrency, chasing down
A and AAAA records of multiple MX hosts is a bit of a DoS vector.

-- 
    Viktor.  🇺🇦 Слава Україні!

The DNSSEC/DANE survey (https://stats.dnssec-tools.org) each day
performs just over ~100 million DNS queries in 3 hours, resolving DS,
DNSKEY, MX and per-host A/AAAA/TLSA records of over 23 million domains, 
while also in that time making ~48K SMTP connections and STARTTLS
handshakes at each IP address of any MX hosts with DANE TLSA records.

The code is written in Haskell, not C, and does not use libresolv.  Its
scan engine can have over 1000 concurrent DNS queries in flight.  With
that sort of infrastructure, your checks would be more than viable, but
Postfix has to make do with C/unix APIs from the 1990's.

A policy service need not be constrained in the same way; pick a modern
language (Python, Rust, Haskell, ...) with decent concurrency and DNS
API support, and enjoy some 21st century computing comforts.
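As an added illustration of the policy-service approach sketched above (this is not code from the original post or from Postfix), the following Python sketch shows the shape of such a check: pick at most ~10 MX hosts, best preference first and shuffled within equal preference, resolve them concurrently with asyncio, and reject only once 5 hosts (or all of them, if the domain has fewer) are confirmed to have no address before any host is confirmed to have one. The `get_mx` and `has_address` callables are assumptions standing in for a real async DNS library (dnspython's `dns.asyncresolver` would fit); here they are backed by constructed sample data so the example runs offline. A resolver error (timeout, SERVFAIL) is deliberately counted as "unknown", not as "dead", so a flaky resolver cannot turn this check into a self-inflicted reject.

```python
"""Dead-MX check in the shape of a Postfix smtpd policy-service handler.

Added example, not from the original post.  Assumptions: get_mx(domain)
returns [(preference, hostname), ...]; has_address(host) is an async callable
returning True/False and raising on lookup error; both would wrap a real
async DNS library in production.  Thresholds follow the post: at most ~10 MX
hosts examined, reject after 5 (or all, if fewer) are confirmed address-less.
"""
import asyncio
import random
from typing import Iterable, Optional

MX_LOOKUP_LIMIT = 10   # cap on MX hosts examined per message
DEAD_THRESHOLD = 5     # address-less hosts needed before rejecting


def select_mx_candidates(mx_records: Iterable[tuple[int, str]],
                         limit: int = MX_LOOKUP_LIMIT, rng=random) -> list[str]:
    """Lowest preference first, random order within equal preference, at most
    `limit` hosts; trailing dots, case and duplicates are normalised away."""
    by_pref: dict[int, list[str]] = {}
    seen: set[str] = set()
    for pref, host in mx_records:
        name = host.rstrip(".").lower()
        if name and name not in seen:
            seen.add(name)
            by_pref.setdefault(pref, []).append(name)
    chosen: list[str] = []
    for pref in sorted(by_pref):
        hosts = list(by_pref[pref])
        rng.shuffle(hosts)
        chosen.extend(hosts)
    return chosen[:limit]


async def _probe(host: str, has_address) -> tuple[str, Optional[bool]]:
    """One lookup; a resolver error becomes None ('unknown'), never 'dead'."""
    try:
        return host, bool(await has_address(host))
    except Exception:
        return host, None


async def mx_verdict(candidates: list[str], has_address,
                     dead_threshold: int = DEAD_THRESHOLD) -> str:
    """Resolve all candidates concurrently and stop at the first decisive
    result: 'ok' (a host has an address), 'reject' (enough confirmed dead
    before any reachable one), else 'dunno'."""
    if not candidates:
        return "dunno"                      # no MX at all is a different check
    needed = min(dead_threshold, len(candidates))
    tasks = [asyncio.ensure_future(_probe(h, has_address)) for h in candidates]
    dead = 0
    try:
        for fut in asyncio.as_completed(tasks):
            _host, reachable = await fut
            if reachable is True:
                return "ok"
            if reachable is False:
                dead += 1
                if dead >= needed:
                    return "reject"
    finally:
        for t in tasks:                     # stop lookups we no longer need
            t.cancel()
    return "dunno"                          # lookup errors kept us below the bar


def policy_attributes(request: str) -> dict[str, str]:
    """Parse one policy request: 'name=value' lines terminated by a blank line."""
    attrs: dict[str, str] = {}
    for line in request.splitlines():
        if not line:
            break
        key, _, value = line.partition("=")
        attrs[key] = value
    return attrs


async def handle_request(request: str, get_mx, has_address, rng=random) -> str:
    """Build the 'action=...' reply for one smtpd_access_policy request."""
    sender = policy_attributes(request).get("sender", "")
    _local, _, domain = sender.rpartition("@")
    if not domain:
        return "action=DUNNO\n\n"           # null sender (bounces): no opinion
    candidates = select_mx_candidates(await get_mx(domain), rng=rng)
    if await mx_verdict(candidates, has_address) == "reject":
        return "action=REJECT MX hosts of %s have no A/AAAA records\n\n" % domain
    return "action=DUNNO\n\n"


def verdict_sync(candidates: list[str], has_address) -> str:
    return asyncio.run(mx_verdict(candidates, has_address))


# Constructed sample data (not real domains): MX sets and which hosts resolve.
SAMPLE_MX = {
    "dead-mx.example": [(10, "mx1.dead-mx.example."), (10, "mx2.dead-mx.example."),
                        (20, "mx3.dead-mx.example.")],
    "live-mx.example": [(10, "mx1.live-mx.example."), (20, "backup.live-mx.example.")],
}
SAMPLE_ADDRESSES = {"backup.live-mx.example"}   # the only host with an A/AAAA


async def sample_get_mx(domain: str):
    return SAMPLE_MX.get(domain, [])


async def sample_has_address(host: str) -> bool:
    await asyncio.sleep(0)                  # yield, as a real lookup would
    return host in SAMPLE_ADDRESSES


def run_sample(sender: str) -> str:
    request = "request=smtpd_access_policy\nsender=%s\n\n" % sender
    return asyncio.run(handle_request(request, sample_get_mx, sample_has_address,
                                      rng=random.Random(0)))


if __name__ == "__main__":
    for s in ("alice@dead-mx.example", "bob@live-mx.example", ""):
        print(repr(s), "->", run_sample(s).strip())
```

Wired into Postfix this would sit behind `check_policy_service` in `smtpd_sender_restrictions`; the part worth keeping even if the rest is rewritten is that the lookups run concurrently, the candidate list is capped before any lookup is issued, and "could not resolve" is never treated as "has no address".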