Re: exclude hosts from reverse DNS checks

From: Leonardo Rodrigues Magalhães (leolistassolutti.com.br)
Date: Sun Feb 03 2008 - 13:47:34 CST


Victor Duchovni escreveu:
> On Sun, Feb 03, 2008 at 01:47:55PM -0200, Leonardo Rodrigues Magalhães wrote:
>
>
>> Hello,
>>
>> I'm configuring some reverse DNS checks using
>> reject_unknown_reverse_client_hostname in smtpd_client_restrictions. But
>> I would like to exclude some hosts/networks from being checked through
>> reverse DNS. I don't want to explicitly allow them; they would still have to
>> go through all the other restrictions in smtpd_recipient_restrictions and
>> smtpd_sender_restrictions, policy services and all the rest.
>>
>> Is this possible, I mean, excluding them from the checks without allowing them? It
>> seems to me that I should use some check_client_access with DUNNO
>> actions instead of OK in smtpd_client_restrictions; is this the right
>> way of doing this?
>>
>
> Use a CIDR table:
>
> 10.0.0.0/8 DUNNO RFC 1918
> 172.16.0.0/12 DUNNO RFC 1918
> 192.0.2.1 DUNNO example exception
> 192.168.0.0/16 DUNNO RFC 1918
> 0.0.0.0/0 reject_unknown_reverse_client_hostname
>
> list all exceptions above the generic 0/0 rule at the bottom of the file.
>
> If the exception list is large (thousands of CIDR blocks), and CIDR tables
> impose too high a performance penalty, the solution is more complex,
> instead of DUNNO you resolve the exception host to a restriction class
> that performs all the lookups except for the one you want to skip (and
> ends in permit)

    I won't have too many entries, so performance will certainly NOT be a
problem.

    Could you explain to me, just to clarify this question, what
would be the difference between using OK and DUNNO in this kind of check?

    Thanks!

--

        Sincerely,
        Leonardo Rodrigues
        Solutti Tecnologia
        http://www.solutti.com.br

        My SPAM trap, do NOT send email to it
        gertrudessolutti.com.br
        My SPAMTRAP, do not email it
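The OK-versus-DUNNO question above, illustrated with an added Python simulation (not code from the thread or from Postfix itself) of how one smtpd restriction list walks the CIDR table Victor posted; the reverse-DNS and DNSBL results are constructed stand-ins for the lookups Postfix would really perform, and the restriction list is assumed to contain a reject_rbl_client after the check_client_access.

```python
import ipaddress

# Constructed CIDR table in the thread's format: "pattern action [comment]".
CIDR_TABLE = """\
10.0.0.0/8      DUNNO RFC 1918
172.16.0.0/12   DUNNO RFC 1918
192.0.2.1       DUNNO example exception
192.168.0.0/16  DUNNO RFC 1918
0.0.0.0/0       reject_unknown_reverse_client_hostname
"""

# Constructed stand-ins for the DNS lookups Postfix would really perform.
HAS_PTR = {"198.51.100.5"}    # client addresses that resolve to a hostname
RBL_LISTED = {"192.0.2.1"}    # client addresses a DNSBL (reject_rbl_client) flags

def parse_cidr_table(text):
    """Parse 'pattern action ...' lines; anything after the action is a comment."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            rules.append((ipaddress.ip_network(fields[0], strict=False), fields[1]))
    return rules

def cidr_lookup(rules, client_ip):
    """cidr_table(5): the first matching pattern wins."""
    addr = ipaddress.ip_address(client_ip)
    return next((action for net, action in rules if addr in net), None)

def evaluate(restrictions, client_ip, rules):
    """Walk one smtpd_*_restrictions list. OK/permit and any reject end the
    list; DUNNO (or no table match) falls through to the next restriction."""
    for restriction in restrictions:
        action = cidr_lookup(rules, client_ip) if restriction == "check_client_access" else restriction
        if action in (None, "DUNNO"):
            continue                                  # keep going with the next restriction
        if action in ("OK", "permit"):
            return "PERMIT"                           # everything after this in the list is skipped
        if action == "reject_unknown_reverse_client_hostname":
            if client_ip not in HAS_PTR:
                return "REJECT unknown reverse client hostname"
            continue
        if action == "reject_rbl_client":
            if client_ip in RBL_LISTED:
                return "REJECT blocked using DNSBL"
            continue
        raise ValueError(f"unsupported action {action!r}")
    return "DUNNO"                                    # list exhausted: the next list decides

CLIENT_RESTRICTIONS = ["check_client_access", "reject_rbl_client"]
DUNNO_RULES = parse_cidr_table(CIDR_TABLE)
OK_RULES = parse_cidr_table(CIDR_TABLE.replace("DUNNO", "OK"))   # same table with OK instead of DUNNO
```

With the DUNNO table, 192.0.2.1 skips only the reverse-DNS check and is still caught by the later reject_rbl_client; with OK it is permitted and the rest of smtpd_client_restrictions is never consulted. Each smtpd_*_restrictions list is evaluated on its own, so an OK here does not bypass smtpd_recipient_restrictions or smtpd_sender_restrictions, but it does bypass every restriction that follows check_client_access in the same list.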