On Mon, Mar 15, 2010 at 05:15:59PM -0400, Wietse Venema wrote:

> Victor Duchovni:
> > With explicit DNSWL lookups, indeed "defer_if_reject" is acceptable, since
> > the DWL is operated locally or by a competent provider and persistent temp
> > failure of lookups is less likely. So it seems to me that this has cleaner
> > semantics than "check_client_access" with name-based "OK" results, provided
> > the DWL lookup-key is an address, not a domain name!
>
> A client hostname is bad because it may not be available, but what
> is the problem with helo/sender/recipient domains?

Yes, only the client name is a problem in the original sense of this thread.

Of course one would be rather foolish to white-list by helo-name and sender domain, these are too easy to spoof. It is not clear that a recipient domain DNSWL is semantically useful, so I think that only client names make sense in this context.

--
Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix system/email administrator to architect and sustain our perimeter email environment. If you are interested, please drop me a note.