On 27/11/2018 00:09, Wietse Venema wrote:
> John Fawcett:
>> Hi
>>
>> I was recently trying to whitelist a client hostname that frequently
>> changes IP.
>>
>> From the documentation check_client_access restriction for use with
>> smtpd allows to specify access table lookups which contains hostnames.
>>
>> postscreen_access_list does not seem to allow hostnames in lookup tables.
>>
>> Is my understanding correct? Is there a reason why hostnames should not
>> be supported in postscreen_access_list lookup tables?
> Yes, it is working as documented and it is working as intended.
>
> If you have clients in blacklisted networks, they should connect
> to a different address or port, and be required to authenticate.
>
> postscreen only makes requests to well-managed DNSXL servers that
> the local system admin specifies in main.cf, and it makes the request
> only if the client did not pass the postscreen DNSBL check recently.
> If a DNSXL server specifies a very small or very large TTL, then
> postscreen clamps the TTL to a more reasonable value.
>
> The basic idea of postscreen is that 'good' clients must have only
> millisecond delays as postscreen looks up their status from postscreen
> cache. That is a lot less delay than when postscreen has to do
> FQRDNS on EVERY DAMNED CLIENT CONNECTION, with reverse and forward DNS
> requests to DNS servers that are often not competently managed.
>
> Wietse

Thanks Wietse for explaining the logic behind it and I'll go the route of authentication.

John
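
The setup discussed in this thread, as an added configuration sketch that is not part of the original messages: postscreen stays on port 25 with an address-only access list, and the client whose address keeps changing uses an authenticated submission port instead. The table path, the DNSBL name and the 192.0.2.10 address are placeholders, and a working TLS certificate and SASL backend are assumed to be configured elsewhere.

```conf
# ---- /etc/postfix/main.cf ----
# postscreen_access_list matches client IP addresses and CIDR blocks only;
# hostnames are not looked up here (no DNS on the postscreen fast path).
postscreen_access_list = permit_mynetworks,
    cidr:/etc/postfix/postscreen_access.cidr

# Placeholder DNSBL name; list the servers you actually trust.
postscreen_dnsbl_sites = dnsbl.example.org
postscreen_dnsbl_action = enforce

# Bounds applied to the TTL returned by a DNSXL server before the result
# is stored in the postscreen cache (values shown are the documented defaults).
postscreen_dnsbl_min_ttl = 60s
postscreen_dnsbl_max_ttl = 1h

# ---- /etc/postfix/postscreen_access.cidr ----
# Only useful for clients with stable addresses (constructed sample entry).
192.0.2.10      permit

# ---- /etc/postfix/master.cf ----
# Port 25: postscreen in front of smtpd.
smtp       inet  n  -  n  -  1  postscreen
smtpd      pass  -  -  n  -  -  smtpd
dnsblog    unix  -  -  n  -  0  dnsblog
tlsproxy   unix  -  -  n  -  0  tlsproxy

# Port 587: no postscreen, no DNSBL check; the client proves its identity
# with SASL credentials over TLS, so its current IP address does not matter.
submission inet  n  -  n  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_tls_auth_only=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
```

After editing, `postfix check` followed by `postfix reload` validates and applies the change.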