lists.m4, exchange.m4: Check for bogus addresses when doing DNS lookups.
authorMark Wooding <mdw@distorted.org.uk>
Wed, 19 Jul 2017 09:46:08 +0000 (10:46 +0100)
committerMark Wooding <mdw@distorted.org.uk>
Wed, 19 Jul 2017 09:46:08 +0000 (10:46 +0100)
Inspired by Chris Siebenmann's `How not to set up your DNS' series; see
https://utcc.utoronto.ca/~cks/space/blog/__Index.

exchange.m4
lists.m4

index b4cb02b..cf2a81b 100644 (file)
@@ -96,6 +96,8 @@ local:
                           CONF_master_domain : \
                           *.CONF_master_domain }}
        self = fail
+       same_domain_copy_routing = yes
+       ignore_target_hosts = +bogus
        transport = smtp_local
        no_more
 
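Review bot: `same_domain_copy_routing = yes` is only safe when this router's result does not depend on the local part, because Exim reuses the first recipient's routing for every other recipient in the same domain; the head of the `local:` router (any `condition`, `local_parts` or `$local_part` use) starts above this hunk, so that cannot be checked here, and the same addition appears on the `remote:` router in the next hunk. It would also help to record the intended outcome of the new `ignore_target_hosts` line in the file itself: as I read the dnslookup router semantics, when every address returned for the target is in `+bogus` the router declines, and with `no_more` on the line below the recipient is then failed outright rather than passed to a later router, e.g. `# All-bogus DNS answers make this router decline; no_more then fails the address.`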
@@ -107,6 +109,8 @@ remote:
                               {false})}} \
                       {}{ ! +public }}
        self = fail
+       same_domain_copy_routing = yes
+       ignore_target_hosts = +bogus_public
        transport = smtp
        no_more
 
index 8f12fd8..88ae8c8 100644 (file)
--- a/lists.m4
+++ b/lists.m4
@@ -43,6 +43,20 @@ hostlist allnets = <; \
        172.29.198.0/23 ; 2001:8b0:c92::/48 ; \
        2001:ba8:1d9::/48 ; 2001:470:9740::/48
 
+## Addresses which are likely to be bogus.  These are zero, loopback,
+## multicast, broadcast (IPv4), and blocks reserved for documentation.
+hostlist bogus = <; \
+        :: ; ::1 ; ff00::/8 ; 2001:db8::/32 ; \
+        0.0.0.0 ; 127.0.0.0/8 ; 224.0.0.0/4 ; 255.255.255.255 ; \
+        192.0.2.0/24 ; 198.51.100.0/24 ; 203.0.113.0/24
+
+## Addresses which are likely to be bogus as public mailservers.  These are
+## the generally bogus addresses, plus link-local and private use addresses.
+hostlist bogus_public = <; \
+       +bogus ; \
+       fe80::/10 ; fc00::/7 ; \
+       169.254.0.0/16 ; 10.0.0.0/8 ; 172.16.0.0/12 ; 192.168.0.0/16
+
 ## Domains we're authoritative for.
 domainlist thishost = @ : @[] : \
        ${map {${extract {${extract {1}{.}{$primary_hostname}}} \
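Review bot: `0.0.0.0` on the `bogus` list covers only the single unspecified address, while the whole `0.0.0.0/8` block is reserved ("this network", RFC 1122) and can never be a legitimate mail target, so `0.0.0.0/8 ; 127.0.0.0/8 ; 224.0.0.0/4 ; 255.255.255.255 ; \` would be the tighter entry (the IPv6 `::` is fine as a single address). `bogus_public` also omits the RFC 6598 shared address space `100.64.0.0/10` and the reserved `240.0.0.0/4`, which are no more reachable from the public internet than the RFC 1918 blocks it lists, so `169.254.0.0/16 ; 10.0.0.0/8 ; 172.16.0.0/12 ; 192.168.0.0/16 ; 100.64.0.0/10 ; 240.0.0.0/4` would close that gap. Whether Exim matches an IPv4-mapped AAAA answer (`::ffff:a.b.c.d`) against the IPv4 entries here cannot be determined from this page; if it does not, an explicit `::ffff:0:0/96` entry would be needed for the same coverage. As a point of style, the three entry lines under `hostlist bogus` are indented one space deeper than `bogus_public` and the rest of the file.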