Robert Schetterer wrote:
> Hi,
> some nets have
> set their ptr records to localhost
> this causes problems to several mailservers
> i see no problems at mine but
> just asked to clear
> 
> dig -x 123.27.178.4
> 
> ; <<>> DiG 9.3.5-P1 <<>> -x 123.27.178.4
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46689
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
> 
> ;; QUESTION SECTION:
> ;4.178.27.123.in-addr.arpa.     IN      PTR
> 
> ;; ANSWER SECTION:
> 4.178.27.123.in-addr.arpa. 86266 IN     PTR     localhost.
> 
> i only get warnings ( like ever )
> 
> Aug  6 15:04:31 mxback postfix/smtpd[30131]: warning: 123.27.178.4:
> address not listed for hostname localhost
> Aug  6 15:04:31 mxback postfix/smtpd[30131]: connect from
> unknown[123.27.178.4]
> 
> 
> is this a hard coded match ( ptrs to localhost are resolved unknown? )
> so i.e reject_unknown_reverse_client_hostname
> will reject it ever ?
> 
> after all this was warned by german heise pc magazin
> http://www.heise.de/newsticker/Namens-Trick-oeffnet-Mailserver--/meldung/143123


I use something like this:

smtpd_recipient_restrictions =
        ...
        check_reverse_client_hostname_access ${hash}/access_host
        check_helo_access ${hash}/access_host
        ...

to reject things like:

localhost
unreachable
.localhost
.arpa
.invalid
.inv
.test
.local
.lokaal
.localdomain
.lan
.private
.root
.adsl
.firewall
.speedportw700v
.belkin
.kornet
...


whether they are found in helo or in the PTR. I also use a pcre version to reject
"." as PTR (among other things).
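
Added example, not part of either message above: a small Python audit helper that scans Postfix smtpd warnings of the kind quoted in the thread and flags clients whose PTR name falls on a blocklist like the one in the reply. The matching rule (bare entry = whole name, leading-dot entry = suffix), the function names and all sample log lines except the first are assumptions made for this sketch.

```python
import re

# Subset of the entries listed in the reply above. Assumed matching rule for
# this sketch: a bare entry must equal the whole name, a leading-dot entry
# matches any name ending in that suffix. Postfix's own table lookup order
# is not reimplemented here.
BLOCKED = ["localhost", "unreachable", ".localhost", ".arpa", ".invalid",
           ".test", ".local", ".localdomain", ".lan", ".private"]

# smtpd warning logged when the PTR name does not resolve back to the client
# address (format taken from the log excerpt quoted in the thread).
WARN_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: (?P<ip>\S+): "
    r"address not listed for hostname (?P<name>\S+)")

# First line is the thread's log entry with its e-mail line wrap rejoined;
# the remaining lines are constructed for illustration.
SAMPLE_LOG = [
    "Aug  6 15:04:31 mxback postfix/smtpd[30131]: warning: 123.27.178.4: address not listed for hostname localhost",
    "Aug  6 15:05:02 mxback postfix/smtpd[30140]: warning: 192.0.2.10: address not listed for hostname mail.example.org",
    "Aug  6 15:06:17 mxback postfix/smtpd[30152]: warning: 198.51.100.7: address not listed for hostname router.LAN.",
    "Aug  6 15:06:40 mxback postfix/smtpd[30152]: connect from unknown[198.51.100.7]",
]


def is_bogus_name(name):
    """True if a PTR or HELO name is on the blocklist or is the bare root '.'."""
    n = name.lower().rstrip(".")
    if not n:  # "." or empty: the case the reply handles with a pcre rule
        return True
    return any(n.endswith(e) if e.startswith(".") else n == e for e in BLOCKED)


def scan_log(lines):
    """Return (client_ip, ptr_name) pairs whose PTR name is bogus."""
    hits = []
    for line in lines:
        m = WARN_RE.search(line)
        if m and is_bogus_name(m.group("name")):
            hits.append((m.group("ip"), m.group("name")))
    return hits


if __name__ == "__main__":
    for ip, name in scan_log(SAMPLE_LOG):
        print(f"{ip} has bogus PTR {name}")
```
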
