On 11/08/2022 11:54, Matus UHLAR - fantomas wrote:

On 11.08.22 11:43, Nick Howitt wrote:
[root@server ~]# postconf -n | grep restrictions

smtpd_client_restrictions = permit_mynetworks, reject_unknown_reverse_client_hostname
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_invalid_hostname, reject_unauth_pipelining, reject_unknown_recipient_domain, check_policy_service unix:/var/spool/postfix/postgrey/socket
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, check_sender_access hash:/etc/postfix/access, reject_non_fqdn_sender, reject_invalid_hostname

Sometimes I see things like:
Aug 11 05:29:50 server postfix/smtpd[22642]: connect from unknown[103.169.188.140]
Aug 11 05:29:50 server postfix/smtpd[22642]: NOQUEUE: reject: RCPT from unknown[103.169.188.140]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [103.169.188.140];

% host 103.169.188.140
Host 140.188.169.103.in-addr.arpa. not found: 3(NXDOMAIN)

To me this implies it is working. But other times I see:

Aug  9 15:53:47 server postfix/smtpd[16934]: connect from unknown[162.240.216.231]

% host 162.240.216.231
231.216.240.162.in-addr.arpa domain name pointer 162-240-216-231.unifiedlayer.com.
% host 162-240-216-231.unifiedlayer.com.
Host 162-240-216-231.unifiedlayer.com. not found: 3(NXDOMAIN)


Here it has not worked and the spam came through. Is it just a question of changing the smtpd_delay_reject or is it an unavoidable issue when using postgrey or is there something else I can do?

This is the main difference between reject_unknown_reverse_client_hostname and reject_unknown_client_hostname.

- the first that you used doesn't check for fcrdns mapping and only rejects IP addresses that have no reverse mapping, no matter if the reverse hostname is random
Oh OK, so when it says "unknown" it only means that forward and reverse DNS don't match? I was reading it that the reverse DNS didn't exist.

I can't use reject_unknown_client_hostname as I know at least one major ISP in the UK has their mailserver announcing a ???.local or ???.lan domain. Also, don't the RFCs require an FQDN as a hostname, but it does not necessarily need to be valid? Or am I thinking of something else?
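As an added illustration of the distinction drawn above (this is example code, not from the thread or from Postfix itself), the following models the two checks against an offline, constructed stand-in for DNS: the two addresses are the ones quoted in the thread, with the PTR and A answers the `host` output showed, plus one hypothetical FCrDNS-consistent host (mail.example.net / 192.0.2.25) for comparison.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed offline stand-in for DNS (no live lookups). Records mirror the
# `host` output quoted in the thread; 192.0.2.25 / mail.example.net is a
# hypothetical host whose forward and reverse records agree.
PTR_RECORDS: Dict[str, str] = {
    # 103.169.188.140 deliberately absent: its PTR query returned NXDOMAIN
    "162.240.216.231": "162-240-216-231.unifiedlayer.com",
    "192.0.2.25": "mail.example.net",
}
A_RECORDS: Dict[str, List[str]] = {
    # 162-240-216-231.unifiedlayer.com deliberately absent: forward lookup NXDOMAIN
    "mail.example.net": ["192.0.2.25"],
}


def lookup_ptr(ip: str) -> Optional[str]:
    return PTR_RECORDS.get(ip)


def lookup_a(name: str) -> List[str]:
    return A_RECORDS.get(name, [])


def classify_client(ip: str) -> dict:
    """Reverse-only check versus forward-confirmed reverse DNS (FCrDNS).

    reverse_ok: the IP has a PTR record at all.
    fcrdns_ok:  the PTR name resolves back to the connecting IP.
    """
    ipaddress.ip_address(ip)  # raises ValueError on malformed input
    ptr = lookup_ptr(ip)
    if ptr is None:
        return {"reverse": None, "reverse_ok": False, "fcrdns_ok": False}
    return {"reverse": ptr, "reverse_ok": True, "fcrdns_ok": ip in lookup_a(ptr)}


def would_reject(ip: str, restriction: str) -> bool:
    """True if the named Postfix restriction would reject this client."""
    info = classify_client(ip)
    if restriction == "reject_unknown_reverse_client_hostname":
        return not info["reverse_ok"]          # only "no PTR" is rejected
    if restriction == "reject_unknown_client_hostname":
        return not info["fcrdns_ok"]           # PTR missing, unresolvable or mismatched
    raise ValueError(f"unsupported restriction: {restriction}")
```

With these records the unifiedlayer.com client passes the reverse-only check (it has a PTR) but fails the FCrDNS check, which is exactly the case where the spam got through.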
