> On Jun 7, 2018, at 10:40 AM, Wietse Venema <wie...@porcupine.org> wrote:
>
>> As far as I understand, are *names* like system2.acme.com allowed in the
>> mynetworks file?
Whitelisting based on DNS names is allowed, but fragile and
NOT recommended for inbound mail. With name-based whitelists,
a transient failure in DNS lookups can cause mail to be
incorrectly rejected. It is possible to do this correctly
with care on the submission service or dedicated outbound-only
smarthosts. For example on the submission port (587),

main.cf:
    msa_client_restrictions =
        permit_sasl_authenticated,
        reject_unknown_client,
        permit_mynetworks,
        reject

master.cf:
    submission inet ... smtpd
        ...
        -o smtpd_client_restrictions=$msa_client_restrictions
        ...

For dedicated outbound services, using "reject_unknown_client"
turns temporary DNS lookup problems into tempfail conditions,
allowing upstream null clients to retry.
--
Viktor.
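
Added example, not part of the original message and not Postfix code: a simplified Python model of the restriction list above, showing why a name-based whitelist entry needs "reject_unknown_client" in front of it. It assumes an unverifiable client hostname is represented as "unknown" and uses the name system2.acme.com from the question; the function and constant names are hypothetical.

```python
# Simplified model of first-match restriction evaluation; not Postfix source.
# Assumption: when the client hostname cannot be verified (temporary DNS
# failure, or no matching PTR/forward record), the client name is "unknown".

NAME_WHITELIST = {"system2.acme.com"}  # name-based mynetworks entry from the question

WITH_CHECK = ["permit_sasl_authenticated", "reject_unknown_client",
              "permit_mynetworks", "reject"]
WITHOUT_CHECK = [r for r in WITH_CHECK if r != "reject_unknown_client"]


def client_name(ptr_name, dns_state):
    """dns_state is 'ok', 'tempfail' or 'notfound' (constructed labels)."""
    return ptr_name if dns_state == "ok" else "unknown"


def evaluate(restrictions, ptr_name, dns_state, sasl_authenticated=False):
    """Walk the list in order; the first restriction that decides wins."""
    name = client_name(ptr_name, dns_state)
    for restriction in restrictions:
        if restriction == "permit_sasl_authenticated" and sasl_authenticated:
            return "PERMIT"
        if restriction == "reject_unknown_client" and name == "unknown":
            # 4xx reply: the default unknown_client_reject_code is 450, and
            # temporary lookup errors always get 450, so the sender retries.
            return "DEFER"
        if restriction == "permit_mynetworks" and name in NAME_WHITELIST:
            return "PERMIT"
        if restriction == "reject":
            return "REJECT"  # 5xx reply: the sender bounces the message
    return "DUNNO"


if __name__ == "__main__":
    for label, rules in (("without check", WITHOUT_CHECK), ("with check", WITH_CHECK)):
        for state in ("ok", "tempfail"):
            print(label, state, evaluate(rules, "system2.acme.com", state))
```

Without the check, a DNS tempfail makes the whitelisted host fall through to the final "reject" and its mail bounces; with the check in place the same failure becomes a deferral and the upstream client retries.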