On 07-07-2021 5:31 pm, Richard wrote:
If the "hostname has no DNS A ... record", i.e., the *hostname*
presented on the HELO/EHLO doesn't resolve, then no IPnumber will be
returned [to do anything with].

On 07.07.21 17:51, post...@ptld.com wrote:
Yes, if the hostname has no DNS records then of course it has no IP.
But if the hostname DOES have DNS records, which is needed to pass the
test, then postfix now has that IP. Logically since the work has been
done to get that IP, it would be nothing for postfix to do a quick
compare to know if the helo is valid or spoofed compared to the
connecting client. The manual does not say it does, or does not, do
anything with that IP, but it does say that it does get that IP, I
just wanted to clarify. I didn't know I would get roasted this much
for asking.

Now for just my two cents, not having any knowledge as to why things
were designed the way they were, just as a stupid layman, I'm
wondering what is the point of even checking for a valid DNS A or MX
record if you aren't validating that information? What are you
preventing if any mail server can make their HELO 'gmail.com'?

Is there a downside to having that extra check in postfix?
Maybe adding "reject_mismatched_helo_client_ip"

This check is disabled in so far all SMTP RFCs, so you MUST NOT refuse a
helo string just because resulting address does not match the connecting IP.

Therefore it does not make sense to disable this or implement this check to
postfix.

Domains can have their SPF records that say who is allowed to use their
names in HELO (or mail from of course). You can use SPF to refuse such
clients, although you need an external policy server or milter to do that.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Send this email to 100 your friends - let them see what an idiot you are
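
The SPF-on-HELO check mentioned in the reply above, written as the decision logic of a Postfix policy-delegation service. This is an added example, not code from the thread or from Postfix; the SPF records and addresses are constructed, a dictionary stands in for DNS, and only the `ip4`, `ip6` and `all` mechanisms are evaluated.

```python
import ipaddress

# Constructed SPF TXT records standing in for DNS lookups (assumption: a real
# policy server would query DNS and support every RFC 7208 mechanism).
SPF_RECORDS = {
    "mail.example.org": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "relay.example.net": "v=spf1 ip4:198.51.100.7 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_request(text):
    """Parse one Postfix policy-delegation request (name=value lines)."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break  # an empty line ends the request
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs


def spf_helo_result(helo_name, client_address, records=SPF_RECORDS):
    """Evaluate the ip4/ip6/all subset of SPF for the HELO identity."""
    record = records.get(helo_name.lower().rstrip("."))
    if record is None or not record.startswith("v=spf1"):
        return "none"  # domain publishes no SPF policy
    client = ipaddress.ip_address(client_address)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        name, _, arg = mech.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if client.version == net.version and client in net:
                return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched


def policy_response(request_text):
    """Return the policy reply: reject only on an explicit SPF fail."""
    attrs = parse_request(request_text)
    result = spf_helo_result(attrs.get("helo_name", ""), attrs["client_address"])
    if result == "fail":
        return "action=REJECT SPF fail for HELO %s\n\n" % attrs["helo_name"]
    return "action=DUNNO\n\n"
```

A HELO name with no SPF record yields `none` and is passed through with `DUNNO`, so only domains that publish a `-all` policy cause a rejection.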