From: Victor Duchovni (Victor.DuchovniMorganStanley.com)
Date: Mon Jul 24 2006 - 21:08:00 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Jul 24, 2006 at 06:21:12PM -0700, Darren wrote:

> Is it currently considered a safe and reasonable practice to run a
> server configuration that will reject unauthorized clients with a 554
> greeting? Basically, this kind of configuration:
>
> smtpd_delay_reject = no
> smtpd_client_restrictions =
> check_client_access hash:${config_directory}/allowed_clients,
> reject
>
> In allowed_clients:
> mx.example.com OK

Precede "reject" with "reject_unknown_client", so that if ever the PTR
of mx.example.com's IP is not found or tempfails to forward-resolve,
the legitimate client's mail is deferred, not rejected.

> RFC 2821 says I can do this, but it's not my own adherence to standards
> I really have to worry about.

Perfectly reasonable for hosts that are not the public MX hosts for
any domains, and have only a narrow list of valid clients, otherwise a
bad idea, because most clients won't treat errors at this stage as
permanent. Don't forget to also set a low hard error limit.

--
        Viktor.

P.S. Morgan Stanley is looking for a New York City based, Senior Unix
     system/email administrator to architect and sustain the Unix email
     environment. If you are interested, please drop me a note.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.

To unsubscribe from the postfix-users list, visit
http://www.postfix.org/lists.html or click the link below:
<mailto:majordomopostfix.org?body=unsubscribe%20postfix-users>

If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]