On Wed, 11 Jan 2012 10:19:36 -0600, Noel Jones <njo...@megan.vbhcs.org> wrote:
> I would classify it as low risk of false positives, and fairly safe.
> (but not 100% safe; few rules are. YMMV and such.) I've had a
> couple of FP's from idiots that run their business mail servers on a
> cablemodem with a dynamic rDNS name (their IP is static, but the
> rDNS incorrectly says dynamic), so I added their IP to a local
> whitelist. You may or may not run into the same easily-fixed problem.
>
> Use it like:
> smtpd_client_restrictions =
>   permit_mynetworks
> # uncomment next line if using SASL
> # permit_sasl_authenticated
>   check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre

It would also be interesting to be able to use a similar mechanism
earlier, from the postscreen_access_list (after permit_mynetworks but
before going outside to fetch the postscreen_dnsbl_* stuff):

  postscreen_access_list = permit_mynetworks,
      check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre

But http://www.postfix.org/postconf.5.html#postscreen_access_list states:

"To discourage the use of hash, btree, etc. tables, there is no support
for substring matching like smtpd(8). Use CIDR tables instead."

M.
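
The false-positive case from the quoted message (static IP, rDNS that looks dynamic) and the effect of a local whitelist, as a simplified first-match model in Python. This is an added example, not code from the thread or from Postfix. The pattern is a constructed stand-in and not the contents of fqrdns.pcre; the addresses, hostnames, function names and the placement of the whitelist before the rDNS check are assumptions.

```python
import ipaddress
import re

# Constructed stand-in for one pcre table row; NOT taken from fqrdns.pcre.
RDNS_RULES = [
    (re.compile(r"^(\d+[-.]){3}\d+\.(dyn|dynamic|dsl|cable)\.", re.I),
     "REJECT generic dynamic rDNS"),
]
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]
# Constructed local whitelist entry (documentation address range).
WHITELIST = [ipaddress.ip_network("203.0.113.25/32")]


def in_nets(ip, nets):
    """True if the client address falls inside any of the networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def rdns_lookup(rdns):
    """First matching pattern wins; None means the table has no match."""
    for pattern, action in RDNS_RULES:
        if pattern.search(rdns):
            return action
    return None


def evaluate(ip, rdns, use_whitelist=True):
    """Walk the restrictions in order; the first decisive result ends it."""
    if in_nets(ip, MYNETWORKS):                    # permit_mynetworks
        return "OK"
    if use_whitelist and in_nets(ip, WHITELIST):   # assumed local whitelist
        return "OK"
    action = rdns_lookup(rdns)   # check_reverse_client_hostname_access
    return action if action else "DUNNO"


if __name__ == "__main__":
    # Constructed clients: (address, reverse hostname).
    samples = [
        ("203.0.113.25", "203-0-113-25.dynamic.example.net"),  # static IP, bad rDNS
        ("198.51.100.9", "198-51-100-9.cable.example.net"),
        ("198.51.100.7", "mail.example.org"),
    ]
    for ip, rdns in samples:
        print(ip, rdns, "->", evaluate(ip, rdns),
              "| without whitelist:", evaluate(ip, rdns, use_whitelist=False))
```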