

To: Stephane Bortzmeyer <bortzmeyer@nic.fr>
Cc: Robert Elz <kre@munnari.OZ.AU>, Brad Knowles <brad.knowles@skynet.be>, Edward Lewis <edlewis@arin.net>, Bill Manning <bmanning@ISI.EDU>, dnsop@cafax.se
From: Brad Knowles <brad.knowles@skynet.be>
Date: Mon, 14 Oct 2002 23:26:45 +0200
In-Reply-To: <20021014105333.GA8679@nic.fr>
Reply-By: Wed, 1 Jan 1984 12:34:56 +0100
Sender: owner-dnsop@cafax.se
Subject: Re: the call for bind software

At 12:53 PM +0200 2002/10/14, Stephane Bortzmeyer wrote:

>>    | Of course, you can always add or over-ride network definitions.
>>
>>  That is, you have to explicitly configure what's local.   That's
>>  unmaintainable,
>
>  Postfix has done it for a long time (scanning interfaces to see who's
>  allowed to relay but allowing you to override its discoveries) and it
>  seems all Postfix administrators are happy with it.

	Not everyone.  I was one of the people pretty unhappy with the 
way postfix did it, since Wietse enforced Class A/B/C distinctions on 
the networks, and did not inspect the netmask on the interface.  This 
meant that if you had a /28 out of a /24 in the normal Class C space, 
you would default to acting as an open relay for everyone else that 
was in that /24 but not inside your /28.

	I suggest that we take that next step and inspect the netmask, 
and restrict what we consider "local" on that basis.  We might be 
forced to open that restriction up, but that could be easily 
manually configured.

-- 
Brad Knowles, <brad.knowles@skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
     -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E W+++(--) N+ !w---
O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)
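
The difference between the classful default and the netmask-based default described in the message above, as an added example that is not part of the original message and is not Postfix or BIND code. The function names are hypothetical, and the interface address and netmask are constructed from the 192.0.2.0/24 documentation range.

```python
import ipaddress

def classful_network(addr):
    """Network implied by Class A/B/C rules alone, ignoring the netmask."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        prefix = 8        # Class A
    elif first_octet < 192:
        prefix = 16       # Class B
    elif first_octet < 224:
        prefix = 24       # Class C
    else:
        raise ValueError(f"{addr} is not in Class A, B or C space")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def netmask_network(addr, netmask):
    """Network actually configured on the interface."""
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)

def overexposed(addr, netmask):
    """Ranges treated as local by the classful rule but outside the subnet."""
    wide = classful_network(addr)
    narrow = netmask_network(addr, netmask)
    if narrow.prefixlen <= wide.prefixlen:
        return []         # netmask is at least as wide as the class
    return sorted(wide.address_exclude(narrow))

def is_local(client, network):
    return ipaddress.ip_address(client) in network

if __name__ == "__main__":
    # Constructed sample: a /28 carved out of a Class C /24.
    iface_addr, iface_mask = "192.0.2.17", "255.255.255.240"
    wide = classful_network(iface_addr)
    narrow = netmask_network(iface_addr, iface_mask)
    print(f"classful default: {wide}   netmask default: {narrow}")
    for net in overexposed(iface_addr, iface_mask):
        print(f"  local only under the classful rule: {net}")
    for client in ("192.0.2.20", "192.0.2.200"):   # constructed clients
        print(f"  {client}: classful={is_local(client, wide)} "
              f"netmask={is_local(client, narrow)}")
```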