Re: reject_unknown_reverse_client_hostname safe?

From: /dev/rob0 (rob0gmx.co.uk)
Date: Tue May 07 2013 - 17:36:49 CDT


I'm going to take this chance to pipe into this thread that I am
confused about Vincent's issue. He says that the client which lacked
PTR (the one run by a Debianista) was not a mail exchanger, or not
exchanging mail.

Why, then, would reject_unknown_reverse_client_hostname be an issue?
Obviously one must never apply this against one's own submitting
users. Or was Vincent confused about the distinction between mail
exchanging clients and submission clients?

On Tue, May 07, 2013 at 03:12:58PM -0500, Stan Hoeppner wrote:
> On 5/6/2013 6:54 PM, /dev/rob0 wrote:
> > FCrDNS itself is not just a best practice, it is a
> > requirement.
>
> It is preferred, but optional, not required. If it was a

I was speaking in a functional sense. In the real world, you either
have FCrDNS for your outbound, or you have massive deliverability
issues.

> *requirement* then Postfix would have neither of these two
> restrictions, and the first would simply be hard coded into
> postscreen and smtpd.

Nitpick there: postscreen does not look up rDNS. :)

> reject_unknown_client_hostname
> reject_unknown_reverse_client_hostname
>
> Obviously it is not.
>
> In addition, if FCrDNS was indeed a requirement, then nobody would
> accept mail from my SOHO Postfix server, nor any mail servers
> behind the tens of thousands of "business class" ADSL circuits in
> the US which offer static IPs but not custom rDNS.

Peter has explained this: you indeed seem to have FCrDNS, just not
"good" FCrDNS with a custom PTR. You have generic-looking FCrDNS of
the kind that your famous PCRE file is designed to block. :)

> You yourself accept mail from my outbound, so obviously you're
> not strictly enforcing FCrDNS.

I do use reject_unknown_reverse_client_hostname for most recipient
domains. I do not use reject_unknown_client_hostname much. Neither do
I use reject_unknown_helo_hostname; and no policy daemon whereby the
HELO and PTR are required to match. If you're not on Zen (PBL) you're
fine by me. :)

> That or you've manually whitelisted my IP.

Perish the thought! I would do no such thing! ;)
--
  http://rob0.nodns4.us/ -- system administration and consulting
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
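The distinction the thread turns on (PTR existence versus full forward-confirmed rDNS, and never applying either to your own submission clients) modelled as an added example. This is illustrative code written for this archive page, not Postfix's own implementation; the DNS data and IP addresses are constructed.

```python
# Added example: models the checks behind the two Postfix smtpd restrictions
# discussed above. Not Postfix code; the "zone" data below is constructed
# (RFC 5737 documentation addresses) so the example runs offline.

# Constructed PTR data: client IP -> name (or no entry at all).
PTR = {
    "203.0.113.10": "mail.example.org",                 # proper, custom FCrDNS
    "203.0.113.20": "203-0-113-20.dsl.example.net",     # generic-looking but consistent
    "203.0.113.30": "mail.example.com",                 # PTR whose A record points elsewhere
    # 203.0.113.40 deliberately has no PTR record
}
# Constructed A data: name -> list of addresses.
A = {
    "mail.example.org": ["203.0.113.10"],
    "203-0-113-20.dsl.example.net": ["203.0.113.20"],
    "mail.example.com": ["198.51.100.5"],
}


def reverse_client_hostname(ip):
    """reject_unknown_reverse_client_hostname: reject only when the client
    address has no PTR record at all. A generic ISP PTR still passes."""
    return "reject" if PTR.get(ip) is None else "permit"


def client_hostname(ip):
    """reject_unknown_client_hostname: reject when there is no PTR, the PTR
    name has no A/AAAA record, or none of those records map back to the
    client IP. This is the full forward-confirmed reverse DNS (FCrDNS) test."""
    name = PTR.get(ip)
    if name is None:
        return "reject"
    forward = A.get(name)
    if not forward or ip not in forward:
        return "reject"
    return "permit"


def evaluate(ip, sasl_authenticated=False):
    """Order the checks the way the thread recommends: permit_sasl_authenticated
    first, so your own submitting users are never subject to rDNS policy."""
    if sasl_authenticated:
        return {"reverse": "permit", "full": "permit"}
    return {"reverse": reverse_client_hostname(ip), "full": client_hostname(ip)}
```

The 203.0.113.30 case is the one that separates the two restrictions: it has rDNS, so the "reverse" check permits it, while the full check rejects it because its PTR name does not resolve back to the connecting address.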