On 9/13/2009 7:14 PM, Sahil Tandon wrote:
On Sun, 13 Sep 2009, Noel Jones wrote:

On 9/13/2009 10:45 AM, Sahil Tandon wrote:
On Sun, 13 Sep 2009, mouss wrote:

smtpd_sender_restrictions =
        ...
        check_client_access hash:/etc/postfix/forged_sender_wl
        check_sender_access hash:/etc/postfix/forged_sender_bl


== forged_sender_wl
hotmail.com     OK
.hotmail.com    OK
yahoo.com       OK
.yahoo.com      OK
...

== forged_sender_bl
hotmail.com     REJECT blah blah
yahoo.com       REJECT blah blah blah
...

Mouss, a thought: what if there is a temporary DNS lookup problem so
that Postfix believes the client hostname is 'unknown' instead of
'foo.bar.yahoo.com'?  Unless reject_unknown_client_hostname is specified
before these checks (with the default unknown_client_reject_code of
450), the sending server would incorrectly be turned away with a 5xx.
This is because the hostname passed to the check_client_access query
would not contain the expected domain.tld.  Or am I totally off with my
reasoning?

I use "reject_unknown_client_hostname" as part of the freemail
restriction class.  That way temporary DNS errors result in a
temporary reject, and impostors without proper DNS are simply
rejected.

What about imposters *with* proper DNS? :-)


The others must come from "approved" clients. It's an smtpd_restriction_classes that's been posted often by several people. Search for "freemail restriction classes" or something like that.

  -- Noel Jones
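
The DNS-failure case raised in the thread, and the effect of putting reject_unknown_client_hostname ahead of the two access checks, as an added example that is not part of the original messages: a simplified Python model of how the restriction list is walked, not Postfix code. The table contents, client names, sender address and function names are constructed for illustration, and subdomains are matched only through the '.domain' entries the posted table lists.

```python
# Simplified model of how an smtpd restriction list is walked (not Postfix code).
# Tables are constructed to mirror the thread's forged_sender_wl / forged_sender_bl.
CLIENT_WL = {"hotmail.com": "OK", ".hotmail.com": "OK",
             "yahoo.com": "OK", ".yahoo.com": "OK"}
SENDER_BL = {"hotmail.com": "REJECT", "yahoo.com": "REJECT"}


def client_lookup(table, hostname):
    """Try the full hostname, then each parent domain in '.parent' form."""
    if hostname in table:
        return table[hostname]
    labels = hostname.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in table:
            return table[key]
    return "DUNNO"


def evaluate(restrictions, client_name, sender):
    """Return 'PERMIT', '450' or '554' for one MAIL FROM."""
    for name in restrictions:
        if name == "reject_unknown_client_hostname":
            # A failed lookup leaves the name 'unknown'; the reply is 450
            # with the default unknown_client_reject_code.
            if client_name == "unknown":
                return "450"
        elif name == "check_client_access":
            if client_lookup(CLIENT_WL, client_name) == "OK":
                return "PERMIT"  # OK ends the list before the sender check
        elif name == "check_sender_access":
            domain = sender.rsplit("@", 1)[-1].lower()
            if SENDER_BL.get(domain) == "REJECT":
                return "554"  # permanent rejection from the sender table
    return "PERMIT"


AS_POSTED = ["check_client_access", "check_sender_access"]
DNS_FIRST = ["reject_unknown_client_hostname"] + AS_POSTED

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("dns check first", DNS_FIRST)):
        for client in ("foo.bar.yahoo.com", "unknown", "mail.example.net"):
            print(label, client, evaluate(rules, client, "user@yahoo.com"))
```
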
