Jon Ribbens:
> In access(5), the documentation says (in regard to HOST NAME/ADDRESS
> PATTERNS):
>
>     domain.tld
>         Matches domain.tld.
>
> However it fails to indicate what this actually *means*. This seems to
> be a bit of a documentation failure. Which one of the following is it?

DESCRIPTION
    This document describes access control on remote SMTP client
    information: host names, network addresses, and envelope sender or
    recipient addresses; it is implemented by the Postfix SMTP server.

Thus, it takes Postfix's idea of the client host name and compares that
name against the string "domain.tld".

Not documented here is that check_client_access uses a hostname of
"unknown" when the address->name lookup fails, or when the name does not
resolve to the client IP address. It can't be documented here, because
check_reverse_client_hostname_access uses the same access map mechanism
using the address->name lookup result, but without the name->address
verification check.

Nor is documented here that these name->address and address->name
lookups use system getnameinfo/getaddrinfo routines, whose results are
subject to munging by nsswitch.conf and similar mechanisms.

> (a) Match an IP address whose reverse DNS matches 'domain.tld'.
> (b) (a), with a subsequent forward-lookup to check it isn't a fake
>     reverse DNS entry.
> (c) Match an IP address which is listed as one of the results for an
>     A-record lookup of 'domain.tld'.
> (d) Something else.
>
> I have a situation where I have a DNS record 'foo.example.com', which
> resolves to multiple A records. I want to allow mail transactions if
> and only if the incoming connection is from one of those IP addresses.
> Is this possible with Postfix, and if so, how?

check_client_access requires that the address->name lookup produces a
name that resolves to the client IP address.
check_reverse_client_hostname_access is less restrictive.

Wietse
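The difference Wietse describes between the two restrictions is easiest to see by modelling it. The following is an added example, not Postfix code and not part of the thread: it replaces the system getnameinfo/getaddrinfo calls with a constructed in-memory DNS table (the addresses, the name foo.example.com with two A records, and the forged PTR for 198.51.100.5 are all made up) and uses an exact-match access table, so that the full parent-domain matching of real access maps is not modelled. It shows why a client whose PTR points at foo.example.com but whose forward lookup disagrees is seen as "unknown" by check_client_access yet matches foo.example.com under check_reverse_client_hostname_access.

```python
"""Model of Postfix client-name verification (constructed example).

Not Postfix source. A fake resolver stands in for getnameinfo/getaddrinfo
so the example runs offline; the access table uses exact-name matching only.
"""
from typing import Dict, List, Optional

# Constructed fake DNS data (documentation address ranges).
PTR: Dict[str, str] = {
    "192.0.2.10": "foo.example.com",    # genuine: forward lookup agrees
    "192.0.2.11": "foo.example.com",    # genuine: second A record
    "198.51.100.5": "foo.example.com",  # forged PTR: forward lookup disagrees
    # 203.0.113.7 deliberately has no PTR record at all
}
A_RECORDS: Dict[str, List[str]] = {
    "foo.example.com": ["192.0.2.10", "192.0.2.11"],
}

# Constructed access table in the spirit of access(5): action per client name.
ACCESS_TABLE: Dict[str, str] = {
    "foo.example.com": "OK",
    "unknown": "REJECT",
}


def reverse_lookup(ip: str) -> Optional[str]:
    """address->name lookup (stand-in for getnameinfo)."""
    return PTR.get(ip)


def forward_lookup(name: str) -> List[str]:
    """name->address lookup (stand-in for getaddrinfo)."""
    return A_RECORDS.get(name, [])


def reverse_client_hostname(ip: str) -> str:
    """Unverified PTR result; 'unknown' only when the PTR lookup fails."""
    return reverse_lookup(ip) or "unknown"


def client_hostname(ip: str) -> str:
    """Verified client name: PTR result only if it resolves back to the
    client IP; otherwise 'unknown' (as described in the reply above)."""
    name = reverse_lookup(ip)
    if name is None or ip not in forward_lookup(name):
        return "unknown"
    return name


def access_lookup(table: Dict[str, str], name: str) -> Optional[str]:
    """Exact-match access table lookup; None means no entry matched."""
    return table.get(name)


def check_client_access(ip: str, table: Dict[str, str] = ACCESS_TABLE) -> Optional[str]:
    """Look up the verified client hostname in the access table."""
    return access_lookup(table, client_hostname(ip))


def check_reverse_client_hostname_access(ip: str, table: Dict[str, str] = ACCESS_TABLE) -> Optional[str]:
    """Look up the unverified reverse name in the same access table."""
    return access_lookup(table, reverse_client_hostname(ip))


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.5", "203.0.113.7"):
        print(ip, "verified:", check_client_access(ip),
              "reverse-only:", check_reverse_client_hostname_access(ip))
```

For the two genuine addresses both checks return OK. For the forged PTR at 198.51.100.5, check_client_access sees "unknown" and returns REJECT, while check_reverse_client_hostname_access matches foo.example.com and returns OK, which is the "less restrictive" behaviour Wietse points out; the address with no PTR at all is "unknown" to both.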