On 6/14/2016 12:12 PM, Вадим Бажов wrote:
> Didn't receive your answer due to our mailserver maintenance
> schedule ( fail ! ;) )
> Thank you for explanations.
> Have some questions though.
> You say:
> 
>> check_client_access checks either the IP address or the verified
>> client hostname.  This is very hard to spoof and is the preferred
>> way to whitelist.
>>
>> check_sender_access checks the envelope sender email address, or
>> domain part of the envelope sender address.  This is very easy to
>> spoof; avoid sender based whitelists unless you have no other way to
>> whitelist some particular message.
>>
> /verified client hostname/ - what makes hostname verified ? Is it
> getting checked by check_client_access based on ip-address resolving
> or something ?

Postfix confirms all hostnames with forward and reverse name
lookups.  A host that fails any step of the verification is labeled
"unknown".  This is difficult to spoof.
https://en.wikipedia.org/wiki/Forward-confirmed_reverse_DNS

> 
> /This is very easy to spoof:/ I always thought that sender address
> from the envelope headers is getting checked against its domain
> part by resolving it and comparing with HELO or IP address that is
> already known by that time.

The sender address is trivial to spoof.  There is no requirement for
the sender address to have any relation to the HELO/IP/hostname, and
in practice this is a very poor spam indicator -- only poorly
written spam filters even bother checking.

SPF is the method to combat sender spoofing, but is not available
for check_sender_access map lookups.  If you must whitelist by
sender, you are strongly encouraged to use a filter, policy service,
or milter that checks SPF and rejects spoofed mail.


  -- Noel Jones
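
The forward-confirmed reverse DNS check described in the reply above, as an added illustration (not part of the original message and not Postfix's own code). The function name, the injectable lookup parameters and the sample DNS data are assumptions constructed for the example.

```python
import ipaddress
import socket

def _system_ptr(ip):
    # Reverse (PTR) lookup through the system resolver.
    return socket.gethostbyaddr(ip)[0]

def _system_addrs(name):
    # Forward (A/AAAA) lookup through the system resolver.
    return {info[4][0] for info in socket.getaddrinfo(name, None)}

def verified_client_name(client_ip, ptr_lookup=_system_ptr, addr_lookup=_system_addrs):
    """Return the forward-confirmed hostname for client_ip, or "unknown"."""
    ip = ipaddress.ip_address(client_ip)
    try:
        name = ptr_lookup(str(ip)).rstrip(".").lower()
        forward = {ipaddress.ip_address(a) for a in addr_lookup(name)}
    except (OSError, KeyError, ValueError):
        return "unknown"  # no PTR, no A/AAAA for the name, or unusable data
    # Whoever controls the reverse zone can publish any name in a PTR record;
    # the name is accepted only if its own zone maps it back to the client.
    return name if ip in forward else "unknown"

# Constructed sample DNS data (documentation address ranges, example domains).
PTR = {
    "192.0.2.10": "mail.example.org.",     # PTR and A agree
    "198.51.100.7": "mail.example.org.",   # PTR claims a name the host does not own
    "203.0.113.5": "nohost.example.net.",  # PTR names a host with no A record
}
A = {"mail.example.org": ["192.0.2.10"]}

def demo():
    # Resolve every sample client plus one address that has no PTR at all.
    clients = list(PTR) + ["192.0.2.99"]
    return {ip: verified_client_name(ip, PTR.__getitem__, A.__getitem__)
            for ip in clients}

if __name__ == "__main__":
    for ip, name in demo().items():
        print(f"{ip:15} -> {name}")
```

Only the first client gets a hostname that a client-based lookup could match; the other three are labeled "unknown", including the one whose PTR record claims mail.example.org.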
