On Sat, Apr 05, 2014 at 11:01:54AM -0400, Miles Fidelman wrote:
> Which leads to several obvious questions:
> - how does postfix use PTR records (e.g., which header lines
>   are matched, at what points in the processing chain, ...)?

A client connects to smtpd. The PTR for the client IP address is
looked up. The PTR value (that is, a hostname, such as
"x.example.com.") is also looked up. If an A record matching the
client IP address is returned, smtpd logs the connection as coming
from "x.example.com[client.ip.add.ress]". Then if mail is eventually
accepted, the Received header is constructed similarly:

    Received: from <helo_name_given> (x.example.com[client.ip.add.ress])

If this verification process fails, such as when no PTR exists for
the address (see reject_unknown_reverse_client_hostname) or when the
PTR value lookup fails (nxdomain, servfail, timeout) or returns a
different IP address (see reject_unknown_client_hostname), smtpd logs
the connection as coming from "unknown[client.ip.add.ress]".

"Which header lines are matched"? I have no idea what you mean.

"At what points in the processing chain"? This is all done by smtpd
for any new client connection.

> - how does it react to the absence of a PTR record?

By default, only by logging as per above. Otherwise, according to
whatever restrictions you have chosen to enforce.

> - how does it react to mismatches (and in which headers)?

A PTR/A mismatch is "unknown". Again, no idea what you are asking
about headers.

> - how much of this is configurable?

Restrictions are configurable. See the ones listed under
postconf.5.html#smtpd_client_restrictions. Logging is not
configurable.

> Yes, a lot of this is buried in the documentation - and I'm going
> off to look - but the real question is: are there any lessons
> learned and/or best practices to be applied to the general case
> of serving multiple domains from the same IP address?

Pick ONE name to be the canonical name of the machine. Set that as
your PTR value for the IP address, and make sure that the name
resolves to that address. Set that name as $myhostname.

Forget the quest for the "perfect headers": it's not worth the
trouble, and nobody cares anyway.

Addendum: One other comment to this thread: please, PLEASE, get rid
of nslookup. It is broken, bug-ridden garbage that will not be fixed.
Nobody in A.D. 2014 should be recommending it. The proper tool for
DNS troubleshooting is dig(1).
-- 
http://rob0.nodns4.us/
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
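The PTR lookup, forward lookup of the PTR value, and comparison against the client address described in the reply above, as an added Python model that is not from the post or from Postfix itself; the `FAKE_ZONE` data, the `fake_lookup` resolver and the `verify_client` function are constructed for this example, and it only models which name smtpd would log and which of the two restrictions named above would match each failure mode.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Resolver signature: lookup(rtype, name) -> list of answers; [] stands for
# NXDOMAIN / no data, and a raised exception stands for SERVFAIL or a timeout.
Resolver = Callable[[str, str], List[str]]

# Constructed zone data (RFC 5737 test addresses), not real hosts.
FAKE_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("PTR", "192.0.2.10"): ["x.example.com."],
    ("A", "x.example.com."): ["192.0.2.10"],       # forward-confirmed
    ("PTR", "192.0.2.20"): ["y.example.net."],
    ("A", "y.example.net."): ["198.51.100.5"],     # forward answer != client IP
    ("PTR", "192.0.2.30"): ["gone.example.org."],  # forward name has no A record
    # 192.0.2.40 has no PTR at all
}

def fake_lookup(rtype: str, name: str) -> List[str]:
    """Hypothetical resolver backed by FAKE_ZONE (offline stand-in for DNS)."""
    return FAKE_ZONE.get((rtype, name), [])

@dataclass
class ClientName:
    ip: str
    name: str                                  # hostname smtpd logs, or "unknown"
    restrictions: List[str] = field(default_factory=list)  # restrictions that fire

    def log_form(self) -> str:
        """The 'name[ip]' form seen in the log line and the Received header."""
        return f"{self.name}[{self.ip}]"

def verify_client(ip: str, lookup: Resolver = fake_lookup) -> ClientName:
    """PTR lookup, forward lookup of the PTR value, compare with the client IP."""
    try:
        ptrs = lookup("PTR", ip)
    except Exception:          # SERVFAIL / timeout on the reverse lookup
        ptrs = []
    if not ptrs:
        # No address->name mapping: the weaker restriction applies, and the
        # stricter one does too, since it also covers a failed reverse lookup.
        return ClientName(ip, "unknown", ["reject_unknown_reverse_client_hostname",
                                          "reject_unknown_client_hostname"])
    try:
        addrs = lookup("A", ptrs[0])
    except Exception:          # SERVFAIL / timeout on the forward lookup
        addrs = []
    if ip in addrs:
        return ClientName(ip, ptrs[0].rstrip("."))
    # PTR exists, but its forward lookup fails or names a different address.
    return ClientName(ip, "unknown", ["reject_unknown_client_hostname"])
```

A real deployment would swap `fake_lookup` for a resolver library call; the classification logic does not change.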