Paweł Leśniak wrote:
> Jim Wright wrote:
>>> Jan 26 13:05:42 mail postfix/policy-spf[2500]: : Policy
>>> action=PREPEND Received-SPF: none (server.hipwah.com: No applicable
>>> sender policy available) receiver=mail.example.com; identity=helo;
>>> helo=SERVER.hipwah.com; client-ip=202.134.118.114
>> reject_unknown_hostname
>>
>> SERVER.hipwah.com has no DNS A or MX record.
>>
> [r...@mail postfix]# host server.hipwah.com
> Host server.hipwah.com not found: 3(NXDOMAIN)
> [r...@mail postfix]# host -t mx server.hipwah.com
> Host server.hipwah.com not found: 3(NXDOMAIN)

there is no point checking the MX of a helo name (and it's even more useless when the domain does not exist!)

> [r...@mail postfix]# host -t mx hipwah.com
> hipwah.com mail is handled by 5 mail.hipwah.com.
> [r...@mail postfix]# host mail.hipwah.com
> mail.hipwah.com has address 202.134.118.114
>
>
> I may be wrong, but I think I should not block sender on helo basis?
> Jan 26 13:05:41 mail postfix/smtpd[2432]: connect from
> static-ip-114-118-134-202.rev.dyxnet.com[202.134.118.114]
> Jan 26 13:05:42 mail postgrey[1086]: action=pass, reason=triplet found,
> delay=727, client_name=static-ip-114-118-134-202.rev.dyxnet.com,
> client_address=202.134.118.114, recipient=u...@example.com
>
> From my point of view it looks like reject_unknown_helo_hostname is far
> too aggressive, while reject_unknown_client_hostname and
> reject_unknown_reverse_client_hostname would both permit this mail.
> Correct me please if I'm wrong.
>

reject_unknown_helo_hostname would indeed be too aggressive. but you could use restriction classes and only call it if the sender is null (<>). or you could run aggressive checks if the client has a "generic" reverse dns. or in this particular case, simply reject *.rev.dyxnet.com with a check_client_access:

    rev.dyxnet.com     REJECT blah blah
    .rev.dyxnet.com    REJECT blah blah
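
A configuration sketch of the restriction-class approach suggested above, added here as an example and not part of the original message. The class name `strict_helo`, the map file names and the `hash:` map type are assumptions, and the generic-rDNS pattern is built only from the client name in the quoted log.

```conf
# --- /etc/postfix/main.cf (excerpt; file paths are assumed) ---
# The HELO check needs a HELO/EHLO to look at.
smtpd_helo_required = yes

# Declare a class that wraps the aggressive check so that access
# tables can invoke it selectively instead of for every client.
smtpd_restriction_classes = strict_helo
strict_helo = reject_unknown_helo_hostname

smtpd_recipient_restrictions =
    permit_mynetworks
    reject_unauth_destination
    # Null sender (<>) -> run the strict HELO check.
    check_sender_access hash:/etc/postfix/null_sender
    # Clients with "generic" reverse DNS -> run the strict HELO check.
    check_client_access pcre:/etc/postfix/generic_rdns.pcre

# --- /etc/postfix/null_sender (run: postmap /etc/postfix/null_sender) ---
# "<>" is the default smtpd_null_access_lookup_key, i.e. the key under
# which the empty envelope sender is looked up.
<>      strict_helo

# --- /etc/postfix/generic_rdns.pcre (no postmap needed for pcre) ---
# Constructed pattern matching names shaped like the one in the log:
# static-ip-114-118-134-202.rev.dyxnet.com
/^static-ip-\d+-\d+-\d+-\d+\.rev\.dyxnet\.com$/    strict_helo
```

When the class finds nothing to reject, evaluation continues with the next restriction, so mail from these clients that presents a resolvable HELO name is still accepted.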