On Tue, 2011-04-12 at 23:55:18 -0500, Stan Hoeppner wrote:

> Sahil Tandon put forth on 4/12/2011 10:58 PM:
> > On Tue, 2011-04-12 at 16:19:03 -0500, Stan Hoeppner wrote:
> >
> >> Mikael Bak put forth on 4/12/2011 7:31 AM:
> >>> Stan Hoeppner wrote:
> >>> [snip]
> >>>>
> >>>>> Received: from [190.221.28.39] (unknown [190.221.28.39])
> >>>>
> >>>> In this example, reject_unknown_reverse_client_hostname would have
> >>>> generated a 450 rejection. You should always use
> >>>> reject_unknown_reverse_client_hostname at minimum, or the more
> >>>> restrictive reject_unknown_client_hostname, though this one can cause
> >>>> problems with FPs on occasion. Best to use it with warn_if_reject for a
> >>>> while and monitor what it would have rejected.
> >>>>
> >>>> http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
> >>>>
> >>>> However, it appears that 190.221.28.39 has rDNS of
> >>>>
> >>>> Name: host39.190-221-28.telmex.net.ar
> >>>> Address: 190.221.28.39
> >>
> >>> No. The "reject_unknown_reverse_client_hostname" in the above example
> >>> would not have generated a 450 rejection, since the IP address HAS a
> >>> reverse dns hostname.
> >>
> >> Yes, it would have.
> >
> > Not in this case.
> >
> >> Note the "unknown" in the Received line. The rDNS lookup failed
> >> during the transaction in question, thus this restriction would have
> >> generated a 450 for this transaction. Note the following that I
> >> wrote, due to the fact the host does have rDNS:
> >
> > The 'unknown' in the Received: header is not due to rDNS problems, but
> > more likely because the name->address mapping (still) fails.
> >
> > % dig +short -x 190.221.28.39
> > host39.190-221-28.telmex.net.ar.
> >
> > ... so rDNS is OK; however:
> >
> > % host host39.190-221-28.telmex.net.ar
> > Host host39.190-221-28.telmex.net.ar not found: 3(NXDOMAIN)
>
> But the test condition is 1) or 2) or 3) isn't it? Not 1) and 2) and 3)?
>
> If the latter, you seem to be saying one can have a case with an
> "unknown" stamp for the reverse-name in the log and Received: header,
> but reject_*unknown*_reverse_client_hostname will not reject the connection?

Remember: there is a difference between reject_unknown_client_hostname
and reject_unknown_reverse_client_hostname. The latter *only* rejects
mail when the client IP address->name mapping fails. This is *one* of
three conditions that causes Postfix to insert 'unknown' into Received:
headers and reject mail with the reject_unknown_client_hostname
directive. In the case we are discussing, the 'unknown' in the headers
was there *not* because of rDNS failure, but because the name->address
mapping failed. As a result, while reject_unknown_client_hostname would
reject the client, reject_unknown_*reverse*_client_hostname would not.
If this is not sufficiently clear at this point, a careful re-reading of
the relevant sections of postconf(5) is in order.

http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname

> Wietse Venema put forth on 3/31/2011 11:42 AM:
>
> > The format is:
> >
> > Received: from helo-hostname (verified-reverse-name [ip-address])

Yes, understand that just because the rDNS is known, does not mean it is
verified.

--
Sahil Tandon <sa...@freebsd.org>
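
The distinction discussed in this message, as an added example that is not part of the original e-mail and is not Postfix code: a small model of the three "unknown" conditions and of which restriction each one triggers. The names `classify` and `verdicts` and the stub DNS tables are hypothetical; only the 190.221.28.39 entry mirrors the dig/host output quoted above, the other records are constructed, and temporary DNS errors are not modelled.

```python
# Stub DNS data so the example runs offline (constructed, except the first
# PTR entry, which mirrors the dig/host output quoted in the thread).
PTR = {"190.221.28.39": "host39.190-221-28.telmex.net.ar",
       "192.0.2.10": "mail.example.org",
       "192.0.2.20": "spoof.example.org"}
A = {"mail.example.org": ["192.0.2.10"],
     "spoof.example.org": ["198.51.100.7"]}  # forward record points elsewhere

NO_PTR = "address->name lookup failed"
NO_A = "name->address lookup failed"
MISMATCH = "name->address does not match client IP"


def classify(ip, ptr=PTR, a=A):
    """Return (client_name, failed_condition) for a connecting IP.

    failed_condition is None when the reverse name is verified; otherwise it
    names which of the three conditions made the client name 'unknown'.
    """
    name = ptr.get(ip)
    if name is None:
        return "unknown", NO_PTR
    addrs = a.get(name)
    if not addrs:
        return "unknown", NO_A
    if ip not in addrs:
        return "unknown", MISMATCH
    return name, None


def verdicts(ip):
    """Report the Received: name and which restriction would reject."""
    name, failed = classify(ip)
    return {
        "received_name": name,
        # Only the first condition triggers the *reverse* variant.
        "reject_unknown_reverse_client_hostname": failed == NO_PTR,
        # Any of the three conditions triggers the stricter variant.
        "reject_unknown_client_hostname": failed is not None,
    }


if __name__ == "__main__":
    for ip in ("190.221.28.39", "192.0.2.10", "192.0.2.20", "203.0.113.5"):
        print(ip, verdicts(ip))
```
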