numeric domain name in resource data of MX record


numeric domain name in resource data of MX record

Zbigniew Szalbot-9
Hello,

Just curious and in need of your advice:

May 28 07:17:06 relay postfix/smtp[69196]: warning: numeric domain name
in resource data of MX record for coral-mensaje.com: 127.0.1.50
May 28 07:17:06 relay postfix/smtp[69196]: connect to
127.0.1.50[127.0.1.50]:25: Operation not permitted
May 28 07:17:06 relay postfix/smtp[69196]: F2408C946E:
to=<[hidden email]>, relay=none, delay=15343,
delays=15343/0.02/0/0, dsn=4.4.1, status=deferred (connect to
127.0.1.50[127.0.1.50]:25: Operation not permitted)

But when I do
$ dig coral-mensaje.com

; <<>> DiG 9.3.4-P1 <<>> coral-mensaje.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6345
;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 4, ADDITIONAL: 1

;; QUESTION SECTION:
;coral-mensaje.com.             IN      A

;; ANSWER SECTION:
coral-mensaje.com.      1800    IN      A       66.150.161.133
coral-mensaje.com.      1800    IN      A       66.150.161.136
coral-mensaje.com.      1800    IN      A       66.150.161.140
coral-mensaje.com.      1800    IN      A       66.150.161.141
coral-mensaje.com.      1800    IN      A       69.25.27.170
coral-mensaje.com.      1800    IN      A       69.25.27.171
coral-mensaje.com.      1800    IN      A       69.25.27.172
coral-mensaje.com.      1800    IN      A       69.25.27.173

;; AUTHORITY SECTION:
coral-mensaje.com.      81661   IN      NS      ns4.nameresolve.com.
coral-mensaje.com.      81661   IN      NS      ns1.nameresolve.com.
coral-mensaje.com.      81661   IN      NS      ns2.nameresolve.com.
coral-mensaje.com.      81661   IN      NS      ns3.nameresolve.com.

;; ADDITIONAL SECTION:
ns4.nameresolve.com.    84221   IN      A       216.52.121.240

;; Query time: 134 msec
;; SERVER: 62.121.128.50#53(62.121.128.50)
;; WHEN: Wed May 28 07:26:06 2008
;; MSG SIZE  rcvd: 263

However,
$ dig coral-mensaje.com MX

; <<>> DiG 9.3.4-P1 <<>> coral-mensaje.com MX
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22988
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1

;; QUESTION SECTION:
;coral-mensaje.com.             IN      MX

;; ANSWER SECTION:
coral-mensaje.com.      81426   IN      MX      0 127.0.1.50.

;; AUTHORITY SECTION:
coral-mensaje.com.      81426   IN      NS      ns3.nameresolve.com.
coral-mensaje.com.      81426   IN      NS      ns4.nameresolve.com.
coral-mensaje.com.      81426   IN      NS      ns1.nameresolve.com.
coral-mensaje.com.      81426   IN      NS      ns2.nameresolve.com.

;; ADDITIONAL SECTION:
ns4.nameresolve.com.    83986   IN      A       216.52.121.240

;; Query time: 31 msec
;; SERVER: 62.121.128.50#53(62.121.128.50)
;; WHEN: Wed May 28 07:30:01 2008
;; MSG SIZE  rcvd: 161

Does it mean that DNS for this domain is incorrectly configured?

Thank you in advance for all advice!

--
Zbigniew Szalbot
www.lc-words.com

Re: numeric domain name in resource data of MX record

Steven King-6
The MX record on the domain is set to an IP address. This violates the
RFC for DNS RRsets. You need to create an A record for that IP address
and point the MX record to that A record. This will solve your problem.
If you do not have control over this domain, the domain administrators
need to learn how to set things up properly.

Zbigniew Szalbot wrote:

> Hello,
>
> Just curious and in need of your advice:
>
> May 28 07:17:06 relay postfix/smtp[69196]: warning: numeric domain
> name in resource data of MX record for coral-mensaje.com: 127.0.1.50
> May 28 07:17:06 relay postfix/smtp[69196]: connect to
> 127.0.1.50[127.0.1.50]:25: Operation not permitted
> May 28 07:17:06 relay postfix/smtp[69196]: F2408C946E:
> to=<[hidden email]>, relay=none, delay=15343,
> delays=15343/0.02/0/0, dsn=4.4.1, status=deferred (connect to
> 127.0.1.50[127.0.1.50]:25: Operation not permitted)
>
> But when I do
> $ dig coral-mensaje.com
>
> ; <<>> DiG 9.3.4-P1 <<>> coral-mensaje.com
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6345
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 4, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;coral-mensaje.com.             IN      A
>
> ;; ANSWER SECTION:
> coral-mensaje.com.      1800    IN      A       66.150.161.133
> coral-mensaje.com.      1800    IN      A       66.150.161.136
> coral-mensaje.com.      1800    IN      A       66.150.161.140
> coral-mensaje.com.      1800    IN      A       66.150.161.141
> coral-mensaje.com.      1800    IN      A       69.25.27.170
> coral-mensaje.com.      1800    IN      A       69.25.27.171
> coral-mensaje.com.      1800    IN      A       69.25.27.172
> coral-mensaje.com.      1800    IN      A       69.25.27.173
>
> ;; AUTHORITY SECTION:
> coral-mensaje.com.      81661   IN      NS      ns4.nameresolve.com.
> coral-mensaje.com.      81661   IN      NS      ns1.nameresolve.com.
> coral-mensaje.com.      81661   IN      NS      ns2.nameresolve.com.
> coral-mensaje.com.      81661   IN      NS      ns3.nameresolve.com.
>
> ;; ADDITIONAL SECTION:
> ns4.nameresolve.com.    84221   IN      A       216.52.121.240
>
> ;; Query time: 134 msec
> ;; SERVER: 62.121.128.50#53(62.121.128.50)
> ;; WHEN: Wed May 28 07:26:06 2008
> ;; MSG SIZE  rcvd: 263
>
> However,
> $ dig coral-mensaje.com MX
>
> ; <<>> DiG 9.3.4-P1 <<>> coral-mensaje.com MX
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22988
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 1
>
> ;; QUESTION SECTION:
> ;coral-mensaje.com.             IN      MX
>
> ;; ANSWER SECTION:
> coral-mensaje.com.      81426   IN      MX      0 127.0.1.50.
>
> ;; AUTHORITY SECTION:
> coral-mensaje.com.      81426   IN      NS      ns3.nameresolve.com.
> coral-mensaje.com.      81426   IN      NS      ns4.nameresolve.com.
> coral-mensaje.com.      81426   IN      NS      ns1.nameresolve.com.
> coral-mensaje.com.      81426   IN      NS      ns2.nameresolve.com.
>
> ;; ADDITIONAL SECTION:
> ns4.nameresolve.com.    83986   IN      A       216.52.121.240
>
> ;; Query time: 31 msec
> ;; SERVER: 62.121.128.50#53(62.121.128.50)
> ;; WHEN: Wed May 28 07:30:01 2008
> ;; MSG SIZE  rcvd: 161
>
> Does it mean that DNS for this domain is incorrectly configured?
>
> Thank you in advance for all advice!
>

--
Steve King

Senior Linux Administrator - Liquid Web, Inc.
CompTIA Linux+ Certified Professional
CompTIA Network+ Certified Professional
CompTIA A+ Certified Professional


Re: numeric domain name in resource data of MX record

Ralf Hildebrandt
* Zbigniew Szalbot <[hidden email]>:
> Hello,
>
> Just curious and in need of your advice:
>
> May 28 07:17:06 relay postfix/smtp[69196]: warning: numeric domain name  
> in resource data of MX record for coral-mensaje.com: 127.0.1.50

Blacklisted now.

--
Ralf Hildebrandt ([hidden email])          [hidden email]
Postfix - setup, operation and maintenance       Tel. +49 (0)30-450 570-155
http://www.arschkrebs.de
"Some books contain the machinery required to create and sustain
universes."                           -- Tycho, at Penny Arcade

Re: numeric domain name in resource data of MX record

Steven King-6
Also, check the IP. The 127/8 range is private. It is not publicly
accessible or routable.

Ralf Hildebrandt wrote:

> * Zbigniew Szalbot <[hidden email]>:
>> Hello,
>>
>> Just curious and in need of your advice:
>>
>> May 28 07:17:06 relay postfix/smtp[69196]: warning: numeric domain name
>> in resource data of MX record for coral-mensaje.com: 127.0.1.50
>
> Blacklisted now.

--
Steve King

Senior Linux Administrator - Liquid Web, Inc.
CompTIA Linux+ Certified Professional
CompTIA Network+ Certified Professional
CompTIA A+ Certified Professional


Re: numeric domain name in resource data of MX record

d.hill
On Wed, 28 May 2008 03:04:59 -0400
  Steven King <[hidden email]> wrote:
>Also, check the IP. The 127/8 range is private. It is not publicly
>accessible or routable.

Just as previously mentioned, if a sender's MX is in private IP space,
your response would not reach them. Therefore, I have in main.cf:

smtpd_sender_restrictions =
    ...
    check_sender_mx_access cidr:/usr/local/etc/postfix/sender_mx_access,
    ...

sender_mx_access:

127.0.0.0/8 REJECT MX in loopback network
10.0.0.0/8 REJECT MX in non-routable network
169.254.0.0/16 REJECT MX in non-routable network
172.16.0.0/12 REJECT MX in non-routable network
192.168.0.0/16 REJECT MX in non-routable network

>Ralf Hildebrandt wrote:
>> * Zbigniew Szalbot <[hidden email]>:
>>> Hello,
>>>
>>> Just curious and in need of your advice:
>>>
>>> May 28 07:17:06 relay postfix/smtp[69196]: warning: numeric domain name
>>> in resource data of MX record for coral-mensaje.com: 127.0.1.50
>>
>> Blacklisted now.

Re: numeric domain name in resource data of MX record

mouss-2
[hidden email] wrote:
> On Wed, 28 May 2008 03:04:59 -0400
>  Steven King <[hidden email]> wrote:
>> Also, check the IP. the 127/8 range is private. It is not publicly
>> accessible or route able.
>
> Just as previously mentioned, if a sender's MX is in private IP space,
> your response would not reach them.

There are also security implications: you don't want a "stranger" to
make one of your mail servers connect to one of your private servers
(reply, dsn, bounce, ... etc).


> Therefore, I have in main.cf:
>
> smtpd_sender_restrictions =
>    ...
>    check_sender_mx_access cidr:/usr/local/etc/postfix/sender_mx_access,
>    ...
>
> sender_mx_access:
>
> 127.0.0.0/8 REJECT MX in loopback network
> 10.0.0.0/8 REJECT MX in non-routable network
> 169.254.0.0/16 REJECT MX in non-routable network
> 172.16.0.0/12 REJECT MX in non-routable network
> 192.168.0.0/16 REJECT MX in non-routable network

You can add
0.0.0.0/7
224.0.0.0/4
192.0.2.0/24
...
and maybe more bogons:
    http://www.cymru.com/Documents/bogon-bn-agg.txt

Note that this may cause "FPs" because some sites put fake MX entries:
$ host -t mx ahbl.org
ahbl.org mail is handled by 0 mail.sosdg.org.
ahbl.org mail is handled by 10 this.is.a.fake.smtp.server.sosdg.org.
$ host  this.is.a.fake.smtp.server.sosdg.org
this.is.a.fake.smtp.server.sosdg.org has address 192.0.2.1
this.is.a.fake.smtp.server.sosdg.org has address 192.0.2.2
this.is.a.fake.smtp.server.sosdg.org has address 192.0.2.3

But I guess you can either ignore these or whitelist them...


You can also add

- known ISP hijacked IPs (for when ISPs convert NXDOMAIN to redirect to
chosen servers).

- the wildcard IPs for: .cg, .cm, .la, .nu, ... because there is no way
to validate domains in such TLDs, and bounces/replies/... will cause errors.

$ host -t mx postfixrocks.cg
postfixrocks.cg has no MX record
$ host postfixrocks.cg
postfixrocks.cg has address 64.18.138.88
$ telnet 64.18.138.88 25
Trying 64.18.138.88...
telnet: connect to address 64.18.138.88: Connection refused
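The following is an added example, not code from this thread or from the Postfix project. It evaluates a cidr-style sender_mx_access table of the kind d.hill posted (extended with the extra prefixes mouss suggested) against a sender domain's MX hosts, the way an administrator might test the table offline before deploying it. It reproduces the two situations the thread discusses: an MX whose exchange is a numeric address (the original 127.0.1.50 warning) and a deliberately fake MX in 192.0.2.0/24 that the table would reject (mouss's false-positive caveat, handled here with a sender allowlist that stands in for an earlier `check_sender_access` OK entry). All DNS data is constructed inline so the script runs without network access; the first-match rule for the table follows cidr_table(5), while treating a numeric exchange as the address itself and falling back to a domain's own A records when it has no MX are assumptions made for the example, not statements about Postfix internals.

```python
"""Evaluate a Postfix-style cidr: sender_mx_access table offline.

Added example, not code from the thread or from Postfix. DNS data is
constructed inline (values taken from the thread where they were shown)
so the script runs without network access; a real tool would query DNS.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# The table d.hill posted, extended with the prefixes mouss suggested.
# Postfix cidr tables hold one "pattern action text" entry per line and
# are searched top to bottom; the first matching entry wins.
SENDER_MX_ACCESS = """
# loopback, RFC 1918 and link-local space
127.0.0.0/8     REJECT MX in loopback network
10.0.0.0/8      REJECT MX in non-routable network
169.254.0.0/16  REJECT MX in non-routable network
172.16.0.0/12   REJECT MX in non-routable network
192.168.0.0/16  REJECT MX in non-routable network
# additions from mouss's reply
0.0.0.0/7       REJECT MX in bogon network
224.0.0.0/4     REJECT MX in multicast network
192.0.2.0/24    REJECT MX in documentation network
"""

# Constructed stand-in for DNS. 127.0.1.50 and the 192.0.2.x fake MX are
# from the thread; 203.0.113.x addresses are placeholders not in the table.
MX_RECORDS: Dict[str, List[Tuple[int, str]]] = {
    "coral-mensaje.com": [(0, "127.0.1.50.")],
    "ahbl.org": [(0, "mail.sosdg.org."),
                 (10, "this.is.a.fake.smtp.server.sosdg.org.")],
    "example.net": [(10, "mx1.example.net.")],
    "postfixrocks.cg": [],           # no MX at all, as in mouss's .cg example
}
A_RECORDS: Dict[str, List[str]] = {
    "mail.sosdg.org": ["203.0.113.25"],
    "this.is.a.fake.smtp.server.sosdg.org": ["192.0.2.1", "192.0.2.2", "192.0.2.3"],
    "mx1.example.net": ["203.0.113.10"],
    "postfixrocks.cg": ["64.18.138.88"],   # address from mouss's host(1) output
}


def parse_cidr_table(text: str) -> List[tuple]:
    """Parse 'network[/prefix] ACTION [text]' lines; '#' lines are comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        if len(fields) < 2:
            raise ValueError(f"malformed cidr entry: {raw!r}")
        net = ipaddress.ip_network(fields[0], strict=False)  # bare address -> /32
        rules.append((net, fields[1].upper(), fields[2] if len(fields) > 2 else ""))
    return rules


def lookup(rules: List[tuple], address: str) -> Optional[Tuple[str, str]]:
    """First-match lookup of one address; None means no entry applies."""
    ip = ipaddress.ip_address(address)
    for net, action, text in rules:
        if ip.version == net.version and ip in net:
            return action, text
    return None


def is_ip_literal(name: str) -> bool:
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def check_sender_mx(domain: str, rules: List[tuple],
                    sender_allowlist=frozenset()) -> Tuple[str, str, List[str]]:
    """Return (verdict, detail, warnings) for a MAIL FROM domain.

    The verdict is the table action for the first MX address that matches,
    or "DUNNO" if none does. Assumptions of this example: a numeric MX
    exchange is checked as the address itself (and logged the way Postfix
    warns about it), and a domain with no MX falls back to its own A
    records, i.e. the implicit MX of RFC 5321.
    """
    domain = domain.rstrip(".").lower()
    warnings: List[str] = []
    if domain in sender_allowlist:
        return "OK", "sender domain allowlisted ahead of the MX check", warnings
    exchanges = [ex for _pref, ex in sorted(MX_RECORDS.get(domain, []))] or [domain]
    for exchange in exchanges:
        exchange = exchange.rstrip(".").lower()
        if is_ip_literal(exchange):
            warnings.append("numeric domain name in resource data of MX record "
                            f"for {domain}: {exchange}")
            addresses = [exchange]
        else:
            addresses = A_RECORDS.get(exchange, [])
        for addr in addresses:
            hit = lookup(rules, addr)
            if hit and hit[0] != "DUNNO":
                return hit[0], f"{exchange} -> {addr}: {hit[1]}", warnings
    return "DUNNO", "no MX address matched the table", warnings


if __name__ == "__main__":
    table = parse_cidr_table(SENDER_MX_ACCESS)
    for dom in MX_RECORDS:
        print(dom, check_sender_mx(dom, table))
    print("ahbl.org (allowlisted)",
          check_sender_mx("ahbl.org", table, sender_allowlist={"ahbl.org"}))
```

Run as a script it prints one verdict per constructed domain: coral-mensaje.com is rejected on the loopback entry together with the numeric-MX warning, ahbl.org is rejected because its second MX resolves into 192.0.2.0/24 unless the domain is allowlisted, and postfixrocks.cg falls through to DUNNO because its fallback address is in no listed range, which is why mouss suggests adding such wildcard-TLD addresses explicitly if you want them caught.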