Jorey Bump wrote:
Michael Monnerie wrote, at 06/16/2009 02:17 AM:
A big ISP here in Austria started to use reject_unknown_client_hostname (http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname) also known as http://en.wikipedia.org/wiki/Forward_Confirmed_reverse_DNS

Is this option safe today? About 2 years ago it was not, rejecting lots of good mails. In terms of anti-spam, I'd love to use it, as it should really help drop a lot of zombie PCs' mails in a simple manner. But I'd like to hear opinions or experience of others.

I tried using it for a while last year and found it still to be unsafe.
 Attempts to contact sites about misconfiguration led nowhere. Maybe if
more big ISPs start blocking on the criteria, things will change. One
common pattern I noticed with problem sites was the insertion of spam
appliances without properly considering DNS. Government and education
sites seemed to be particularly unable to understand and correct it. As
much as I want to use reject_unknown_client_hostname (it was extremely
effective in combatting the few remaining spam that get past my other
defenses), I've been increasing the score of RDNS_NONE in SpamAssassin,
which will supposedly catch this along with other DNS misconfigurations.

In any case, if you want to evaluate it, add this to
smtpd_recipient_restrictions (probably best near the end, right before
any reject_rbl_client restrictions):

 warn_if_reject reject_unknown_client_hostname

Monitor your logs for a while to see if you can afford to reject on this
criterion. It still indicates that it's unsafe for me to do so.


I agree with Jorey, reject_unknown_client_hostname is unsafe for us also.

I am able to use reject_unknown_reverse_client_hostname, which rejects clients with no rDNS. This rejects ~10% of connections before RBL lookups, with one single client whitelisted from this rule. YMMV and all that.

  -- Noel Jones
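
The log-monitoring step of the warn_if_reject evaluation discussed in this thread can be scripted. The following is an added example, not code from any of the posters or from Postfix: it assumes default Postfix smtpd log wording ("reject_warning" lines containing "cannot find your hostname"), and the log lines, hosts and addresses in it are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Postfix smtpd syslog format (not from a real server).
SAMPLE_LOG = """\
Jun 16 09:00:01 mx postfix/smtpd[2101]: connect from unknown[192.0.2.10]
Jun 16 09:00:02 mx postfix/smtpd[2101]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your hostname, [192.0.2.10]; from=<clerk@agency.example> to=<me@example.org> proto=ESMTP helo=<filter.agency.example>
Jun 16 09:01:10 mx postfix/smtpd[2102]: connect from mail.good.example[198.51.100.5]
Jun 16 09:02:30 mx postfix/smtpd[2103]: connect from unknown[203.0.113.7]
Jun 16 09:02:31 mx postfix/smtpd[2103]: NOQUEUE: reject_warning: RCPT from unknown[203.0.113.7]: 450 4.7.1 Client host rejected: cannot find your hostname, [203.0.113.7]; from=<> to=<me@example.org> proto=SMTP helo=<localhost>
Jun 16 09:05:00 mx postfix/smtpd[2104]: connect from unknown[192.0.2.10]
Jun 16 09:05:01 mx postfix/smtpd[2104]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your hostname, [192.0.2.10]; from=<registrar@agency.example> to=<me@example.org> proto=ESMTP helo=<filter.agency.example>
Jun 16 09:06:00 mx postfix/smtpd[2105]: connect from unknown[192.0.2.99]
Jun 16 09:06:01 mx postfix/smtpd[2105]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.99]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [192.0.2.99]; from=<a@other.example> to=<me@example.org> proto=ESMTP helo=<x>
"""

CONNECT = re.compile(r"postfix/smtpd\[\d+\]: connect from \S+\[([^\]]+)\]")
# Matches only the forward-confirmed check; the reverse-only check logs
# "cannot find your reverse hostname" and is deliberately skipped.
WARNING = re.compile(
    r"reject_warning: \w+ from \S+\[([^\]]+)\]: \d{3} [\d.]+ "
    r"Client host rejected: cannot find your hostname, .*?from=<([^>]*)>"
)

def summarize(log_text):
    """Return (share of client IPs warned, warnings per sender domain, IPs per domain)."""
    clients, warned = set(), set()
    hits, ips = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        m = CONNECT.search(line)
        if m:
            clients.add(m.group(1))
            continue
        m = WARNING.search(line)
        if m:
            ip, sender = m.groups()
            # Null sender (bounces) has no domain; report it as "<>".
            domain = sender.rpartition("@")[2].lower() or "<>"
            warned.add(ip)
            hits[domain] += 1
            ips[domain].add(ip)
    share = len(warned) / len(clients) if clients else 0.0
    return share, hits, ips

if __name__ == "__main__":
    share, hits, ips = summarize(SAMPLE_LOG)
    print(f"{share:.0%} of connecting client IPs would have been rejected")
    for domain, count in hits.most_common():
        print(f"{count:4d}  {domain:20s} {', '.join(sorted(ips[domain]))}")
```

Sender domains in the output that belong to known correspondents are the false positives to weigh, or to whitelist, before removing warn_if_reject.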
