Re: exclude hosts from reverse DNS checks

From: Victor Duchovni (Victor.DuchovniMorganStanley.com)
Date: Sun Feb 03 2008 - 13:29:30 CST


On Sun, Feb 03, 2008 at 01:47:55PM -0200, Leonardo Rodrigues Magalhães wrote:

>
> Hello,
>
> I'm configuring some reverse DNS checks using
> reject_unknown_reverse_client_hostname on smtpd_client_restrictions. But
> I would like to exclude some hosts/networks from being checked through
> reverse DNS. I don't want to explicitly allow them; they would have to
> pass all other restrictions on smtpd_recipient_restrictions and
> smtpd_sender_restrictions, policy services and all the rest.
>
> Is this possible, I mean, exclude from checks but not allow? It
> seems to me that I should use some check_client_access with DUNNO
> actions instead of OK in smtpd_client_restrictions. Is this the right
> way of doing this?

Use a CIDR table:

        10.0.0.0/8 DUNNO RFC 1918
        172.16.0.0/12 DUNNO RFC 1918
        192.0.2.1 DUNNO example exception
        192.168.0.0/16 DUNNO RFC 1918
        0.0.0.0/0 reject_unknown_reverse_client_hostname

List all exceptions above the generic 0/0 rule at the bottom of the file.

If the exception list is large (thousands of CIDR blocks), and CIDR tables
impose too high a performance penalty, the solution is more complex:
instead of DUNNO you resolve the exception host to a restriction class
that performs all the lookups except for the one you want to skip (and
ends in permit).

--
        Viktor.

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.


If my response solves your problem, the best way to thank me is to not
send an "it worked, thanks" follow-up. If you must respond, please put
"It worked, thanks" in the "Subject" so I can delete these quickly.
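The point of the CIDR-table answer above is that Postfix cidr tables are evaluated top to bottom and the first matching entry wins, so the 0.0.0.0/0 catch-all must be the last line or the exceptions above it are never reached. The following is an added example, not part of Viktor's reply or of Postfix itself: a small Python model of that first-match lookup over a constructed table based on the one in the post (with an IPv6 documentation prefix and a ::/0 catch-all added), plus a lint that reports entries shadowed by an earlier, broader entry. The file path /etc/postfix/client_exceptions.cidr and the table contents are assumptions for illustration; only the network/result columns matter to the lookup, the trailing comment text is ignored as in cidr_table(5).

```python
"""Model of Postfix cidr_table first-match lookup for a client-access table.

Illustrates why the generic 0.0.0.0/0 entry must be the LAST line of the
exception table from the post, and how to spot entries that can never match.
"""
import ipaddress

# Constructed example table (assumption: stored as /etc/postfix/client_exceptions.cidr
# and referenced from main.cf with
#   smtpd_client_restrictions = check_client_access cidr:/etc/postfix/client_exceptions.cidr
# ). DUNNO stops evaluation of this table without permitting the client, so the
# later smtpd_*_restrictions lists still apply to the excepted hosts.
CIDR_TABLE = """\
# Hosts that must not be subjected to the reverse-DNS check.
10.0.0.0/8          DUNNO   RFC 1918
172.16.0.0/12       DUNNO   RFC 1918
192.0.2.1           DUNNO   example exception
192.168.0.0/16      DUNNO   RFC 1918
2001:db8::/32       DUNNO   documentation prefix (added for the IPv6 case)
# Everything else gets the check. First match wins, so these must stay last.
0.0.0.0/0           reject_unknown_reverse_client_hostname
::/0                reject_unknown_reverse_client_hostname
"""


def parse_cidr_table(text):
    """Return [(network, result)] in file order.

    Blank lines and '#' comments are skipped; anything after the result column
    is free text and is ignored, as Postfix does for cidr tables. A bare address
    such as 192.0.2.1 is treated as a single-host network.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("malformed cidr_table line: %r" % raw)
        network = ipaddress.ip_network(fields[0], strict=False)
        rules.append((network, fields[1]))
    return rules


def lookup(rules, client_ip):
    """First-match lookup: the result of the first entry containing client_ip,
    or None when nothing matches (Postfix then moves on to the next restriction)."""
    addr = ipaddress.ip_address(client_ip)
    for network, result in rules:
        if addr.version == network.version and addr in network:
            return result
    return None


def shadowed_rules(rules):
    """Entries that can never match because an earlier entry of the same
    address family already covers their whole network."""
    shadowed = []
    for i, (network, result) in enumerate(rules):
        for earlier, _ in rules[:i]:
            if earlier.version == network.version and network.subnet_of(earlier):
                shadowed.append((network, result))
                break
    return shadowed


if __name__ == "__main__":
    rules = parse_cidr_table(CIDR_TABLE)
    for ip in ("192.0.2.1", "10.1.2.3", "198.51.100.7", "2001:db8::1"):
        print(ip, "->", lookup(rules, ip))
    print("shadowed entries:", shadowed_rules(rules))

    # The misordering the post warns about: catch-all first, exception never reached.
    misordered = parse_cidr_table(
        "0.0.0.0/0  reject_unknown_reverse_client_hostname\n"
        "192.0.2.1  DUNNO  never reached\n"
    )
    print("misordered 192.0.2.1 ->", lookup(misordered, "192.0.2.1"))
    print("misordered shadowed:", shadowed_rules(misordered))
```

Running shadowed_rules over a real table before deploying it is a cheap check that no exception has been placed below the catch-all. The restriction-class variant Viktor mentions for very large exception lists is not modelled here; in that design the exception entries would return the name of a class declared in smtpd_restriction_classes rather than DUNNO.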