Jon Ribbens wrote:
> In access(5), the documentation says (in regard to HOST NAME/ADDRESS
> PATTERNS):
>
> domain.tld
> Matches domain.tld.
>
> However it fails to indicate what this actually *means*. This seems to
> be a bit of a documentation failure. Which one of the following is it?
>
> (a) Match an IP address whose reverse DNS matches 'domain.tld'.

This can't be trusted. Nobody can use this for access control. See also
http://www.postfix.org/postconf.5.html#smtpd_peername_lookup

> (b) (a), with a subsequent forward-lookup to check it isn't a fake
> reverse DNS entry.
> (c) Match an IP address which is listed as one of the results for an
> A-record lookup of 'domain.tld'.

You can exclude this by yourself: if I use a pcre (or regexp) map, would
postfix try all possible strings that match all the regular expressions,
doing a DNS lookup until it finds a match??? And if I use mysql, would
postfix dump the whole database and try each domain??? And even with a
hash, if I have 100 domains, would postfix do 100 DNS requests until it
finds the IP?

> (d) Something else.

"matches domain.tld" means that the rDNS matches this. And rDNS is only
used if it is "forward confirmed": given the client IP, a PTR lookup is
done. If a PTR is returned (if multiple PTRs are returned, only the first
is used), it is checked for A records. If A records are then returned,
they are compared to the client IP. If a match is found, the PTR is used
as the rDNS. In all other cases, the rDNS is set to "unknown".

> I have a situation where I have a DNS record 'foo.example.com', which
> resolves to multiple A records. I want to allow mail transactions if
> and only if the incoming connection is from one of those IP addresses.
> Is this possible with Postfix, and if so, how?

Choice 1: give all the IPs the same rDNS.

Choice 2: give each an rDNS in a specific subdomain
("foo.allowed.example.com", "bar.allowed.example.com", ...) and allow
connections from:

allowed.example.com     OK
.allowed.example.com    OK

The second form is "meaningful" or not depending on the value of
parent_domain_matches_subdomains. (phew, that one is long!)

Choice 3: use a script to generate a cidr map from the zone file, and run
the script whenever the zone file is updated.
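The forward-confirmed rDNS steps and the "choice 2" access map described in the reply above, as an added example that is not Postfix code and not part of the original thread. The PTR_RECORDS and A_RECORDS tables are constructed sample DNS data (an assumption, so the script runs offline); match_hostname is a simplified model of the access(5) HOST NAME lookup order (full name, then parent domains, with the ".domain.tld" form used only when parent_domain_matches_subdomains is off) and ignores the IP/network lookups a real check_client_access also performs.

```python
"""Forward-confirmed rDNS (FCrDNS) plus access(5)-style hostname matching.

Added example; not Postfix code.  All DNS data is constructed (assumption).
"""

from typing import Callable, Dict, List, Optional

# Constructed reverse zone: client IP -> PTR names (assumption, not real DNS).
PTR_RECORDS: Dict[str, List[str]] = {
    "192.0.2.10": ["foo.allowed.example.com", "foo.other.example.net"],  # two PTRs
    "192.0.2.11": ["bar.allowed.example.com"],
    "192.0.2.12": ["spoof.allowed.example.com"],  # forged PTR: A does not point back
    "192.0.2.13": [],                              # no PTR at all
}

# Constructed forward zone: hostname -> A records (assumption, not real DNS).
A_RECORDS: Dict[str, List[str]] = {
    "foo.allowed.example.com": ["192.0.2.10", "192.0.2.20"],
    "bar.allowed.example.com": ["192.0.2.11"],
    "spoof.allowed.example.com": ["203.0.113.5"],
}

Lookup = Callable[[str], List[str]]


def lookup_ptr(ip: str) -> List[str]:
    """Stand-in for a PTR query, answered from the constructed reverse zone."""
    return PTR_RECORDS.get(ip, [])


def lookup_a(name: str) -> List[str]:
    """Stand-in for an A query, answered from the constructed forward zone."""
    return A_RECORDS.get(name, [])


def forward_confirmed_rdns(client_ip: str, ptr: Lookup = lookup_ptr,
                           a: Lookup = lookup_a) -> str:
    """Return the client's rDNS name only if it is forward-confirmed, else "unknown".

    Follows the steps in the reply: PTR lookup on the client IP; only the first
    PTR is used; its A records must contain the client IP, otherwise "unknown".
    """
    ptrs = ptr(client_ip)
    if not ptrs:
        return "unknown"
    name = ptrs[0]                      # only the first PTR is considered
    if client_ip in a(name):            # forward confirmation
        return name
    return "unknown"


def match_hostname(name: str, access_map: Dict[str, str],
                   parent_domain_matches_subdomains: bool = False) -> Optional[str]:
    """Simplified access(5) HOST NAME lookup: full name first, then parents.

    With parent_domain_matches_subdomains=False (the default for smtpd access
    maps) parent domains are matched only via the ".domain.tld" form; with
    True the bare "domain.tld" form matches subdomains instead.
    """
    if name == "unknown":               # no trustworthy hostname: no name match
        return None
    if name in access_map:              # exact hostname entry
        return access_map[name]
    labels = name.split(".")
    for i in range(1, len(labels)):     # walk up the parent domains
        parent = ".".join(labels[i:])
        if parent_domain_matches_subdomains:
            if parent in access_map:
                return access_map[parent]
        elif "." + parent in access_map:
            return access_map["." + parent]
    return None


def client_access(client_ip: str, access_map: Dict[str, str],
                  parent_domain_matches_subdomains: bool = False) -> Optional[str]:
    """Both steps together: FCrDNS first, then the access-map decision."""
    return match_hostname(forward_confirmed_rdns(client_ip), access_map,
                          parent_domain_matches_subdomains)


if __name__ == "__main__":
    acl = {".allowed.example.com": "OK"}   # the reply's "choice 2" map
    for ip in sorted(PTR_RECORDS) + ["192.0.2.99"]:
        print(ip, forward_confirmed_rdns(ip), client_access(ip, acl))
```

Running it shows why the reply insists on forward confirmation: 192.0.2.12 carries a PTR inside allowed.example.com, but its A record points elsewhere, so it resolves to "unknown" and gets no OK, while 192.0.2.10 and 192.0.2.11 are admitted.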