On Tue, Oct 21, 2025 at 10:35:25AM -0400, Wietse Venema via Postfix-users wrote:

> Additionally, the Postfix DNS library enforces a response size limit
> of 100 records, which limits the effort that the SMTP server will
> spend on check_xxx_{a,mx,ns}_access and reject_unknown_xxx_domain.

The risk here is much higher, because unlike check_xxx_{a,mx,ns}_access
the lookups per record would be in remote DNS zones which can (by a
hostile party) be made quite expensive.  A DNS client may spend O(10s)
per lookup on O(100) MX RRs, which is a much too easy DoS.

The worst-case behaviour here would be quite severe.  So code to
implement this does need to both cap the number of lookups, and ideally
run the limited number chosen concurrently!

-- 
    Viktor.  🇺🇦 Слава Україні!
_______________________________________________
Postfix-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
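The two mitigations the reply asks for (cap the number of MX-target lookups, run the chosen ones concurrently under a deadline) as an added, stand-alone example; this is not Postfix code and not from the thread. The resolver is injected, and `lookup_mx_targets`, `make_constructed_resolver`, the limits and the `*.constructed.example` names are all assumptions made for the demo.

```python
import asyncio
from collections.abc import Awaitable, Callable

# Constructed example, not Postfix code. The resolver is injected so the demo
# runs offline; a real one would wrap getaddrinfo() or a DNS library call.
Resolver = Callable[[str], Awaitable[list[str]]]


async def _resolve_capped(hosts, resolver, max_lookups, per_lookup_timeout, total_deadline):
    chosen = list(hosts)[:max_lookups]          # cap: the rest of the MX set is ignored
    skipped = len(hosts) - len(chosen)
    if not chosen:
        return {}, skipped

    async def one(host):
        try:    # per-lookup timeout bounds one slow authoritative server
            return host, await asyncio.wait_for(resolver(host), per_lookup_timeout)
        except (asyncio.TimeoutError, OSError):
            return host, []

    tasks = [asyncio.create_task(one(h)) for h in chosen]      # concurrent, not serial
    done, pending = await asyncio.wait(tasks, timeout=total_deadline)
    for t in pending:                           # batch deadline: abandon stragglers
        t.cancel()
    await asyncio.gather(*pending, return_exceptions=True)
    results = {h: [] for h in chosen}
    for t in done:
        host, addrs = t.result()
        results[host] = addrs
    return results, skipped


def lookup_mx_targets(hosts, resolver: Resolver, *, max_lookups=10,
                      per_lookup_timeout=2.0, total_deadline=5.0):
    """Return ({mx_host: [addresses]}, hosts_skipped_by_cap). Timed-out or failed
    hosts map to []; wall time is bounded by total_deadline however many MX RRs exist."""
    return asyncio.run(_resolve_capped(hosts, resolver, max_lookups,
                                       per_lookup_timeout, total_deadline))


def make_constructed_resolver(delays, default_delay=0.01) -> Resolver:
    """Fake resolver: sleeps per host (a slow remote zone), answers 192.0.2.1 (doc range)."""
    async def resolve(host):
        await asyncio.sleep(delays.get(host, default_delay))
        return ["192.0.2.1"]
    return resolve


if __name__ == "__main__":
    mx_set = [f"mx{i}.constructed.example" for i in range(100)]   # 100 hostile MX RRs
    slow = make_constructed_resolver({h: 30.0 for h in mx_set})
    found, skipped = lookup_mx_targets(mx_set, slow, max_lookups=10,
                                       per_lookup_timeout=0.2, total_deadline=0.5)
    print(f"resolved {sum(bool(a) for a in found.values())}/{len(found)}, skipped {skipped}")
```

Without the cap and concurrency the same input costs 100 serial lookups of up to 30 s each; with them the call returns in about 0.2 s with every slow host reported as unresolved.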