Hi,
I've read over several threads here in the mailing list archives and
have found authoritative answers from Viktor and Wietse re how Postfix
treats unverified PTR/A DNS records in relation to check_*_access
checks, but I believe I am overlooking where this is explicitly covered
in the documentation.
Viktor:
> Postfix does not use unverified PTR records in access checks
> that can return "OK", that would be a major security hole.
>
> Anyone can set their PTR records to point to any name of their
> choice, but they cannot as easily get the owner of that name
> to confirm that the original IP address is theirs.
Wietse:
> For security reasons Postfix does not allow you to whitelist a client
> hostname with incorrect PTR/A DNS records. Not even when you use
> check_reverse_client_hostname_access instead of check_client_access.
> If you must whitelist, use the IP address.
I've focused specifically on these pages/areas, though I've wandered
from there onto other related pages in my search:
* http://www.postfix.org/postconf.5.html#smtpd_peername_lookup
* http://www.postfix.org/postconf.5.html#check_client_access
* http://www.postfix.org/SMTPD_ACCESS_README.html
* http://www.postfix.org/access.5.html
I see lots of info covering how look-ups/checks are performed, but I
didn't find anything spelled out as clearly as either of Wietse's or
Viktor's answers.
Can someone point me to the relevant documentation section which covers
this specific scenario? I feel like I'm looking right over it.
Thank you for your help.
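To make the quoted behaviour concrete, here is an added worked example (not part of the original post, and not Postfix's own code) that models the forward-confirmed reverse DNS check behind it: a PTR name is only trusted when the A record for that name points back to the connecting address. The resolver data, the access table and the address 192.0.2.x entries are constructed, and the two access functions are a simplified model of what Viktor's and Wietse's answers describe, not a reimplementation of Postfix's lookup logic.

```python
"""Model of forward-confirmed reverse DNS (FCrDNS) as it affects hostname
whitelisting in Postfix access checks. Runs offline against a constructed
in-memory resolver; it is an illustration, not Postfix's own code."""

# Constructed sample DNS data (not real zones). The .10 client has an honest
# PTR whose A record points back; the .20 client's PTR names the same host but
# the A record does not confirm it; .30 and .40 have no PTR at all.
PTR_RECORDS = {
    "192.0.2.10": ["mail.partner.example"],
    "192.0.2.20": ["mail.partner.example"],
    "192.0.2.30": [],
    "192.0.2.40": [],
}
A_RECORDS = {
    "mail.partner.example": ["192.0.2.10"],
}

# Constructed access table: one entry whitelists by hostname, one by address.
ACCESS_TABLE = {
    "mail.partner.example": "OK",
    "192.0.2.40": "OK",
}


def lookup_ptr(ip):
    """Stand-in for a reverse (PTR) lookup."""
    return PTR_RECORDS.get(ip, [])


def lookup_a(name):
    """Stand-in for a forward (A) lookup."""
    return A_RECORDS.get(name, [])


def verify_client_hostname(ip):
    """Return (reverse_name, verified_name).

    reverse_name is the raw PTR result (or 'unknown' when absent);
    verified_name is that name only when one of its A records points back
    to ip, otherwise 'unknown'. This mirrors the distinction between an
    unverified reverse hostname and a forward-confirmed client hostname."""
    names = lookup_ptr(ip)
    if not names:
        return ("unknown", "unknown")
    reverse_name = names[0]
    confirmed = ip in lookup_a(reverse_name)
    return (reverse_name, reverse_name if confirmed else "unknown")


def check_client_access(ip, table=ACCESS_TABLE):
    """Simplified model of check_client_access: the address is always looked
    up; the hostname is looked up only in its forward-confirmed form, so an
    unverified PTR can never match a hostname entry."""
    if ip in table:
        return table[ip]
    _, verified_name = verify_client_hostname(ip)
    if verified_name != "unknown" and verified_name in table:
        return table[verified_name]
    return "DUNNO"


def check_reverse_client_hostname_access(ip, table=ACCESS_TABLE):
    """Simplified model of check_reverse_client_hostname_access: the raw PTR
    name is looked up, but (per Viktor's answer) an OK result from an
    unverified name is not honoured and falls through to DUNNO. Results that
    do not grant access are passed through unchanged."""
    reverse_name, verified_name = verify_client_hostname(ip)
    result = table.get(reverse_name, "DUNNO")
    if result == "OK" and verified_name == "unknown":
        return "DUNNO"
    return result


if __name__ == "__main__":
    for ip in PTR_RECORDS:
        print(ip, verify_client_hostname(ip),
              check_client_access(ip),
              check_reverse_client_hostname_access(ip))
```

Running it shows the point of both answers: the confirmed .10 client gets OK from its hostname entry, the .20 client with a forged PTR gets DUNNO from both checks despite carrying the whitelisted name, and the .40 client gets OK purely through its address entry, which is the whitelisting form Wietse recommends.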