On Tue, Mar 26, 2013 at 4:16 PM, Wietse Venema <wie...@porcupine.org> wrote:
> Lima Union:
>> > On 26.03.2013 19:36, Lima Union wrote:
>> >>
>> >> Wietse, ok, I'll disable the fqrdns check for now and check the chroot
>> >> configuration after I return from holidays
>> >
>> > this is ONE char in the master.cf and if I were you I
>> > would not make holidays as long as a production server is
>> > known misconfigured
>> >
>>
>> ok, done, chroot has been disabled and the fqrdns.pcre is working now.
>> After disabling the chroot I issued an 'egrep
>> '(warning|error|fatal|panic):' /var/log/mail' and am seeing many
>> warnings like these, is it ok?
>>
>> Mar 26 15:56:03 relay1 postfix/smtpd[2111]: warning: 178.88.224.150:
>> hostname 178.88.224.150.megaline.telecom.kz verification failed: Name
>> or service not known
>> Mar 26 15:56:03 relay1 postfix/smtpd[1953]: warning: 201.216.208.5:
>> hostname customer-static-201-216-208.5.iplannetworks.net verification
>> failed: Name or service not known
>> Mar 26 15:56:18 relay1 postfix/smtpd[1951]: warning: 63.141.239.151:
>> hostname muv4ward.com verification failed: Name or service not known
>> Mar 26 15:56:31 relay1 postfix/smtpd[1951]: warning: 87.98.228.174:
>> address not listed for hostname www.thedesigninstitution.com
>> Mar 26 15:56:34 relay1 postfix/smtpd[2021]: warning: 64.191.105.74:
>> hostname 64-191-105-74.static.hostnoc.net verification failed: Name or
>> service not known
>
> Yes, broken DNS happens. Instead of reject_unknown_client_hostname
> you could use reject_unknown_reverse_client_hostname which will
> use the name even if the above checks fail.
>
> http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
> http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname
>
> Also, your chroot jail is missing files. Please complain to the
> distributor.
>
> Wietse

Wietse, there's something I don't understand. I've commented out the
check_reverse_client_hostname_access, reloaded postfix and am still
finding those DNS warnings (i.e.: hostname
77-121-229-206.dhcp.kram-city.net verification failed: Name or service
not known). How to know which setting is triggering that? And is it just
a warning, not a reject, right? In my main.cf there's no
reject_unknown_client_hostname as in your suggestion. Here's a copy of my
current smtpd_recipient_restrictions settings:

smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
#   warn_if_reject reject_unknown_helo_hostname,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
#   reject_unknown_sender_domain,
#   reject_unknown_recipient_domain,
    reject_unverified_recipient,
    check_client_access hash:$config_directory/maps/smtpd_client_checks,
#   check_reverse_client_hostname_access regexp:$config_directory/maps/fqrdns.pcre,
    check_helo_access hash:$config_directory/maps/smtpd_helo_checks,
    check_sender_access hash:$config_directory/maps/smtpd_sender_checks,
    check_sender_access regexp:$config_directory/maps/smtpd_sender_checks.regexp,
    check_recipient_access hash:$config_directory/maps/smtpd_recipient_checks,
    reject_non_fqdn_hostname,
#   reject_unverified_recipient,
    reject_rbl_client zen.spamhaus.org,
    reject_rbl_client b.barracudacentral.org,
    reject_rbl_client psbl.surriel.com,
    reject_rbl_client bl.spamcop.net,
    reject_rhsbl_client rhsbl.sorbs.net,
    check_sender_access hash:$config_directory/maps/forged_domain_senders,
    check_policy_service inet:127.0.0.1:10023,
    permit

Thanks once again.
LU