On Tue, Jan 12, 2010 at 01:12:52PM -0500, Frank Cusack wrote:

> I can't accept mail from hosts with multiple PTR records without manually
> whitelisting them. Additionally, I can't even tell that I'm experiencing
> a failure until it is reported to me "manually" and out of band.

Don't use "reject_unknown_client_hostname" indiscriminately. Do so only
for CIDR blocks in which you find a small number of legitimate MTAs in a
larger pool of spam sending hosts without valid PTR records.

    main.cf:
        smtpd_client_restrictions =
            check_client_access cidr:${config_directory}/client_access.cidr

    client_access.cidr:
        192.0.2.0/24 reject_unknown_client_hostname
        # More conservative:
        # 192.0.2.0/24 reject_unknown_reverse_client_hostname

Postfix does not by default reject clients with mismatched forward/reverse
DNS. Do not enable this feature for all IPs; it is not recommended. With or
without multiple PTRs, plenty of valid MTAs have various DNS issues.

Plenty of MTAs with multiple PTRs pass the restriction, provided all the
names resolve to the same IP. It is not the PTR count, but the consistency
with the IP that's important.

This is not an invitation to debate DNS. Just a clarification of the
semantics of "reject_unknown_client_hostname". Also consider
"reject_unknown_reverse_client_hostname", which only tests existence of
PTR records, not their consistency with any forward DNS.

-- 
    Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
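
The difference between the two restrictions, scoped to one CIDR block as in the configuration above, shown as an added example that is not part of the original post and is not Postfix's own code. It is a simplified model over constructed DNS tables; the function names, the "pass"/"reject" return strings and all records are assumptions for illustration.

```python
import ipaddress

# Constructed sample DNS data (documentation address ranges), not real records.
PTR = {
    "192.0.2.10": ["mx1.example.com", "mail.example.com"],  # two PTRs, both consistent
    "192.0.2.20": ["mx.example.net", "old.example.net"],    # one name points elsewhere
    "192.0.2.30": [],                                       # no PTR at all
    "192.0.2.40": ["ghost.example.org"],                    # PTR exists, name has no A record
    "198.51.100.5": [],                                     # outside the restricted block
}
A = {
    "mx1.example.com": ["192.0.2.10"],
    "mail.example.com": ["192.0.2.10"],
    "mx.example.net": ["192.0.2.20"],
    "old.example.net": ["203.0.113.9"],
}
RESTRICTED = [ipaddress.ip_network("192.0.2.0/24")]  # block listed in client_access.cidr


def has_ptr(ip):
    """Model of reject_unknown_reverse_client_hostname: only asks whether a PTR exists."""
    return bool(PTR.get(ip))


def forward_confirmed(ip):
    """Model of reject_unknown_client_hostname: a PTR must exist and map back to the IP.

    As the post puts it, with several PTRs every name has to resolve to the client IP.
    """
    names = PTR.get(ip, [])
    return bool(names) and all(ip in A.get(name, []) for name in names)


def decide(ip, strict=True):
    """Return 'reject' or 'pass', applying the check only inside RESTRICTED."""
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in RESTRICTED):
        return "pass"  # clients outside the listed CIDR blocks are never tested
    ok = forward_confirmed(ip) if strict else has_ptr(ip)
    return "pass" if ok else "reject"


if __name__ == "__main__":
    for ip in PTR:
        print(ip, "strict:", decide(ip, True), "reverse-only:", decide(ip, False))
```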