On Sat, Feb 02, 2013 at 03:34:30PM -0600, Stan Hoeppner wrote:

>    check_client_access pcre:/etc/postfix/client_access
>    ...
> 
> /etc/postfix/client_access:
>     /.*facebook\.com$/                permit

This is not robust for two reasons. The first is a simple oversight;
replace:

        /.*facebook\.com$/              permit

with 

        /\.facebook\.com$/              permit

since "notfacebook.com" is not "facebook.com" and any SMTP client
in the real facebook.com domain would be a proper sub-domain.

The second issue is not easy to fix: transient DNS lookup errors
(timeouts, ...) may result in a client hostname of "unknown" rather
than <mumble>.facebook.com. In such cases the whitelist entry will
not apply. Generally this is a problem as messages may be erroneously
rejected due to a transient error.  In this case, provided the whitelist
entry is solely to avoid greylisting, this is OK, since greylisting
responds with temporary (4XX) error codes.

-- 
        Viktor.
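
Added illustration, not part of the original message: a simplified Python model of a first-match lookup in a pcre access table, comparing the quoted entry with the corrected one. The client names are constructed samples, `parse_table`, `lookup` and `compare` are hypothetical helpers, and Python's `re` stands in for PCRE (equivalent for these two patterns).

```python
import re

# The entry quoted in the thread and the corrected entry from the reply.
LOOSE = r"/.*facebook\.com$/    permit"
STRICT = r"/\.facebook\.com$/   permit"

# Constructed client names; "unknown" is what a failed DNS lookup yields.
SAMPLES = ["mx-out.facebook.com", "MAIL.Facebook.COM", "notfacebook.com",
           "facebook.com.example.net", "unknown"]

def parse_table(text):
    """Parse '/pattern/flags action' lines into (compiled regex, action) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/([a-zA-Z]*)\s+(.+)$", line)
        if not m:
            raise ValueError(f"unparsable rule: {line!r}")
        pattern, flags, action = m.groups()
        # pcre tables match case-insensitively by default; the 'i' flag toggles that off.
        case_insensitive = "i" not in flags
        rules.append((re.compile(pattern, re.I if case_insensitive else 0), action))
    return rules

def lookup(rules, client_name):
    """First matching rule wins; None means the table has no opinion."""
    for regex, action in rules:
        if regex.search(client_name):
            return action
    return None

def compare(names):
    """Map each client name to its (loose, strict) lookup results."""
    loose, strict = parse_table(LOOSE), parse_table(STRICT)
    return {n: (lookup(loose, n), lookup(strict, n)) for n in names}

if __name__ == "__main__":
    for name, (loose, strict) in compare(SAMPLES).items():
        print(f"{name:28} loose={loose!s:8} strict={strict}")
```
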
