On 11/3/2010 5:04 AM, Jerry wrote:
> I noticed this posted on another forum:
> <quote>
> It should be noted that reject_unknown_client_hostname will check only
> the first PTR record returned for a host. So, you might reject
> well-configured (i.e. RFC-compliant) clients whose matching PTR record
> unfortunately isn't the first one in the list.
> </quote>
> Is this factually correct? If so, what are the statistical chances of it
> occurring? If correct, other than not using that option, what other
> options should be used to prevent such an occurrence?
While this is essentially correct, it's really FUD.
If an admin chooses to set up multiple PTR records for a host,
the client is not well-configured until each PTR has a
matching A record. It is not reasonable for postfix to step
through PTR records looking for one that has a proper A record.
In practice, this isn't a problem. While multiple PTR records
are allowed, their usefulness is debatable (but not here) and
in reality very few hosts have multiple PTRs. Of those hosts
that have multiple PTRs, only a subset of those are hosts
anyone would want to receive mail from, so the number of hosts
affected is quite small. For a host with multiple PTRs, the
probability of rejecting that host is {number of misconfigured
PTR records}/{number of PTR records}, but essentially random
since you can't predict ahead of time what those numbers are.
And finally, reject_unknown_client_hostname is a very strict
check that is likely to reject wanted mail; only the smallest
sites are able to use that check without maintaining a local
whitelist anyway.
If this is not acceptable, you can implement your own hostname
checks in a policy server, or use the less strict
reject_unknown_reverse_client_hostname.
-- Noel Jones
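To make the behaviour described in the thread concrete, here is an added example (not Postfix code and not from either poster) that simulates the checks over a constructed DNS snapshot: the strict check consults only the first PTR, the reverse-only check needs just any PTR, and a policy-server style check may walk every PTR. All names, addresses and the PTR/A dictionaries are constructed for illustration.

```python
from fractions import Fraction

# Constructed DNS snapshot (documentation address ranges, not real hosts).
# PTR: client IP -> names in the order the resolver returned them.
# A:   name -> addresses that name resolves to.
PTR = {
    "192.0.2.10": ["old.example.net", "mail.example.org"],  # stale PTR listed first
    "192.0.2.20": ["smtp.example.com"],                      # single, correct PTR
    "192.0.2.40": ["ghost.example.com"],                     # PTR with no A record
}
A = {
    "old.example.net": ["198.51.100.7"],   # name now points somewhere else
    "mail.example.org": ["192.0.2.10"],
    "smtp.example.com": ["192.0.2.20"],
}


def ptr_matches(ip, name):
    """A PTR is well-configured only if its name has an A record back to ip."""
    return ip in A.get(name, [])


def reverse_client_hostname_known(ip):
    """reject_unknown_reverse_client_hostname only needs some PTR to exist."""
    return bool(PTR.get(ip))


def client_hostname_known(ip):
    """reject_unknown_client_hostname as described in the post: only the
    first PTR returned is checked for a matching A record."""
    names = PTR.get(ip, [])
    return bool(names) and ptr_matches(ip, names[0])


def client_hostname_known_any_ptr(ip):
    """What a custom policy server could do instead: accept if any PTR has
    a matching A record (Postfix itself does not step through them)."""
    return any(ptr_matches(ip, n) for n in PTR.get(ip, []))


def rejection_probability(ip):
    """The post's estimate for a multi-PTR host whose record order is
    unpredictable: misconfigured PTRs / total PTRs (None if no PTR)."""
    names = PTR.get(ip, [])
    if not names:
        return None
    bad = sum(1 for n in names if not ptr_matches(ip, n))
    return Fraction(bad, len(names))
```

Running it over the four constructed clients shows 192.0.2.10 passing the reverse-only check and the any-PTR check but failing the strict check, with a 1/2 rejection probability when PTR order is unknown.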