On 2021-11-11 at 14:53:01 UTC-0500 (Thu, 11 Nov 2021 20:53:01 +0100)
Togan Muftuoglu <tog...@dinamizm.com>
is rumored to have said:

"Matus" == Matus UHLAR <- fantomas <uh...@fantomas.sk>> writes:


Matus> you can check hostnames by using pcre map in
Matus> check_reverse_client_hostname_access. e.g. refuse regex

Matus> /(\d+)[.-](\d+)[.-](\d+)[.-](\d+)./ REJECT "generic DNS refused"

Matus> (trailing . should avoid matching IP Addresses)


I tried it with the  as

smtpd_client_restrictions = .... usual stuff

check_client_access pcre:/etc/postfix/check_reverse_client_hostname_access.pcre


Unfortunately the regex matches legitimate senders as well.

As such a check always will. Legitimate senders, particularly large ones, frequently use generic names. Simplistic patterns will match hosts sending wanted mail.

I had INFO instead
of REJECT and that saved the situation and the mails arrived.

Have I placed the check in the wrong place or am I back to square one?

Seems fine to me. Assuming you did not make an error in /etc/postfix/check_reverse_client_hostname_access.pcre, check_client_access in smtpd_client_restrictions would be the first place you can do the check. If you put it in a later restriction list you can use


2021-11-11T19:10:01.014343+01:00 myserver postfix/smtpd[3837]: Anonymous TLS connection established from mx1.goodserver.org[172.31.12.175]: TLSv1.3 with
cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519
server-signature ECDSA (P-256) server-digest SHA256

2021-11-11T19:10:01.062736+01:00 myserver postfix/smtpd[3837]: NOQUEUE: info:
RCPT from mx1.goodserver.org[172.31.12.175]: "generic RDNS";
from=<SRS0=Dzai=P6=lists.goodserver.org=meetings-boun...@goodserver.org>
to=<john....@example.com> proto=ESMTP helo=<mx1.goodserver.org>

The munging of all the IPs and hostnames in those log lines makes them entirely pointless. For all we know from that, the pattern match was correct.



--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
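
An added example, not part of the original thread: a Python check of the pattern quoted above against the two strings a client access lookup hands to a pattern table, the client hostname and the client IP address. It assumes Python's `re` in place of a Postfix pcre table (the semantics are the same for this pattern); the hostnames and addresses are constructed, and `STRICT_PATTERN` is a hypothetical variant that does not appear in the thread.

```python
import re

# Pattern exactly as quoted in the thread.
THREAD_PATTERN = re.compile(r"(\d+)[.-](\d+)[.-](\d+)[.-](\d+).")

# Hypothetical variant (not from the thread): the fourth number must be
# followed by a non-digit, so backtracking cannot give up part of a last octet.
STRICT_PATTERN = re.compile(r"\d+[.-]\d+[.-]\d+[.-]\d+\D")

# Constructed lookup keys (documentation domains and address ranges).
SAMPLES = {
    "dynamic-looking rDNS": "host-203-0-113-25.dsl.example.net",
    "bulk sender, numeric name": "o203-0-113-77.outbound.example.com",
    "named MX host": "mx1.example.org",
    "address, 3-digit last octet": "198.51.100.175",
    "address, 1-digit last octet": "198.51.100.7",
}


def first_hit(pattern, hostname, address):
    """Return the first lookup key (hostname, then address) the pattern matches.

    A pattern table is applied to the whole client hostname and to the whole
    client IP address, so both strings are tested here.
    """
    for key in (hostname, address):
        if pattern.search(key):
            return key
    return None


def report(pattern):
    """Map each constructed sample label to True/False for a pattern match."""
    return {label: bool(pattern.search(key)) for label, key in SAMPLES.items()}


if __name__ == "__main__":
    for name, pat in (("thread", THREAD_PATTERN), ("strict", STRICT_PATTERN)):
        print(name)
        for label, hit in report(pat).items():
            print(f"  {'MATCH' if hit else 'miss ':5}  {label}: {SAMPLES[label]}")
    # A host with a clean name can still hit the rule through its address.
    print(first_hit(THREAD_PATTERN, "mx1.example.org", "198.51.100.175"))
```

The unescaped final `.` matches any character, so the fourth `(\d+)` can back off one digit and let `.` consume it; both patterns still match the numeric-named bulk sender.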
