Michael Monnerie wrote, at 06/16/2009 02:17 AM:
> A big ISP here in Austria started to use reject_unknown_client_hostname
> (http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname)
> also known as http://en.wikipedia.org/wiki/Forward_Confirmed_reverse_DNS
>
> Is this option safe today? About 2 years ago it was not, rejecting lots
> of good mails. In terms of anti-spam, I'd love to use it, as it should
> really help drop a lot of zombie PC's mails in a simple manner. But I'd
> like to hear opinions or experience of others.

I tried using it for a while last year and found it still to be unsafe. Attempts to contact sites about misconfiguration led nowhere. Maybe if more big ISPs start blocking on the criterion, things will change.

One common pattern I noticed with problem sites was the insertion of spam appliances without properly considering DNS. Government and education sites seemed to be particularly unable to understand and correct it.

As much as I want to use reject_unknown_client_hostname (it was extremely effective in combatting the few remaining spam that get past my other defenses), I've been increasing the score of RDNS_NONE in SpamAssassin, which will supposedly catch this along with other DNS misconfigurations.

In any case, if you want to evaluate it, add this to smtpd_recipient_restrictions (probably best near the end, right before any reject_rbl_client restrictions):

    warn_if_reject reject_unknown_client_hostname

Monitor your logs for a while to see if you can afford to reject on this criterion. It still indicates that it's unsafe for me to do so.
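
Added example, not part of the original message: one way to do the log monitoring described above is to tally the reject_warning lines that warn_if_reject produces, grouped by sender domain, so the legitimate senders that would be lost stand out. The log layout, the sample lines (constructed) and the name tally_warnings are assumptions; adjust the regex to your syslog format.

```python
import re
from collections import Counter

# Constructed sample lines in the usual Postfix smtpd layout (an assumption).
SAMPLE_LOG = """\
Jun 16 03:10:01 mx postfix/smtpd[2101]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your hostname, [192.0.2.10]; from=<alice@agency.example> to=<bob@example.net> proto=ESMTP helo=<gw.agency.example>
Jun 16 03:12:44 mx postfix/smtpd[2107]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.11]: 450 4.7.1 Client host rejected: cannot find your hostname, [192.0.2.11]; from=<carol@Agency.example> to=<bob@example.net> proto=ESMTP helo=<gw2.agency.example>
Jun 16 03:15:09 mx postfix/smtpd[2110]: NOQUEUE: reject_warning: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your hostname, [198.51.100.7]; from=<> to=<bob@example.net> proto=SMTP helo=<localhost>
Jun 16 03:20:31 mx postfix/smtpd[2115]: NOQUEUE: reject_warning: RCPT from unknown[203.0.113.5]: 450 Client host rejected: cannot find your hostname, [203.0.113.5]; from=<dean@uni.example> to=<bob@example.net> proto=ESMTP helo=<filter.uni.example>
Jun 16 03:21:02 mx postfix/smtpd[2116]: NOQUEUE: reject: RCPT from unknown[203.0.113.99]: 554 5.7.1 Service unavailable; Client host [203.0.113.99] blocked using rbl.example; from=<x@spam.example> to=<bob@example.net> proto=SMTP helo=<pc>
Jun 16 03:22:10 mx postfix/smtpd[2117]: connect from mail.example.org[192.0.2.50]
"""

# Matches only warnings (not real rejects) raised by reject_unknown_client_hostname.
# The enhanced status code (4.7.1) is optional because older logs omit it.
WARN_RE = re.compile(
    r"reject_warning: RCPT from \S+\[(?P<ip>[^\]]+)\]: "
    r"\d{3} (?:[\d.]+ )?Client host rejected: cannot find your hostname.*?"
    r"from=<(?P<sender>[^>]*)>"
)


def tally_warnings(log_text):
    """Return [(sender_domain, hits, sorted_client_ips)], most hits first."""
    hits = Counter()
    ips = {}
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if not m:
            continue
        # Null sender (bounces) is reported as "<>"; domains are lowercased.
        domain = m.group("sender").rpartition("@")[2].lower() or "<>"
        hits[domain] += 1
        ips.setdefault(domain, set()).add(m.group("ip"))
    return [(d, n, sorted(ips[d]))
            for d, n in sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))]


if __name__ == "__main__":
    for domain, count, clients in tally_warnings(SAMPLE_LOG):
        print(f"{count:5d}  {domain:20s} {', '.join(clients)}")
```

Domains you recognize as legitimate correspondents in this output are the mail you would lose by dropping warn_if_reject.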