> So, if a host 1.1.2.3 connects, and presents an envelope sender of
> [EMAIL PROTECTED], postfix does an rdns lookup on 1.1.2.3

... gets the PTR hostname, then queries for its A record to see if it matches 1.1.2.3

> If that rdns fails, the unknown_client_reject_code is sent and the mail
> is rejected.

right

> OTOH, if 1.1.2.3 returns a PTR of (for argument's sake)
> mail.badbadbad.org, then postfix will do a forward dns lookup on the
> returned name (mail.badbadbad.org).

right

and if the A record of mail.badbadbad.org is 1.1.2.3, it's a match.

> If mail.badbadbad.org has NO A record, postfix rejects the mail.

right

> If it does have an A record (or multiple A records), one of the A
> records returned must match the MTA IP.

right

> So, in my case, my server sending out mail from 198.235.200.78 has these
> two records:
>
> 78.200.235.198.in-addr.arpa name = mail-byron.theedge.ca
> and mail-byron.theedge.ca internet address = 198.235.200.78

so A and PTR "match"

> Theedge.ca is my provider, and I *never* send mail from anything at
> theedge.ca. (But, I'm not a commonly forged domain :) ). So, therefore,
> my mail passes the reject_unknown_client test.

right

> What I don't understand, is how you enforce the fact that the PTR must
> be in the same subdomain as the returned lookup.

A and PTR must match, there is no other requirement. The PTR hostname can be anything.

Len
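The PTR-then-A check walked through above, as an added example that is not Postfix's own code: it models the reject_unknown_client decision against a constructed in-memory DNS table (the IPs, hostnames and the `resolve_ptr`/`resolve_a` helpers are assumptions for illustration) so it runs offline, and it covers the multiple-A-record case as well as the missing-PTR and missing-A cases.

```python
# Added example, not Postfix source. The DNS data below is constructed
# sample data standing in for what a real resolver would return.
from typing import Dict, List, Optional

# Constructed PTR data: connecting IP -> reverse hostname (None = no PTR).
PTR_RECORDS: Dict[str, Optional[str]] = {
    "198.235.200.78": "mail-byron.theedge.ca",  # the thread's matching case
    "1.1.2.3": "mail.badbadbad.org",            # PTR exists, A points elsewhere
    "1.1.2.4": "noaddr.example",                # PTR exists, no A record at all
    "203.0.113.9": "multi.example",             # several A records, one matches
}

# Constructed A data: hostname -> list of addresses (empty list = no A record).
A_RECORDS: Dict[str, List[str]] = {
    "mail-byron.theedge.ca": ["198.235.200.78"],
    "mail.badbadbad.org": ["192.0.2.50"],
    "multi.example": ["203.0.113.8", "203.0.113.9"],
}

# Postfix's default unknown_client_reject_code (a temporary failure code).
UNKNOWN_CLIENT_REJECT_CODE = 450


def resolve_ptr(ip: str) -> Optional[str]:
    """Stand-in for the reverse (rdns) lookup; None means the lookup failed."""
    return PTR_RECORDS.get(ip)


def resolve_a(hostname: str) -> List[str]:
    """Stand-in for the forward lookup of the PTR hostname's A records."""
    return A_RECORDS.get(hostname, [])


def client_is_known(ip: str) -> bool:
    """The rule Len states: a PTR must exist, and at least one A record of
    that PTR hostname must equal the connecting IP. The hostname itself is
    not required to belong to any particular domain."""
    hostname = resolve_ptr(ip)
    if hostname is None:
        return False  # rdns failed: unknown client
    # No A record, or no A record equal to ip, both count as unknown.
    return ip in resolve_a(hostname)


def client_check_code(ip: str) -> int:
    """SMTP status the check would yield: 250 to proceed, else the reject code."""
    return 250 if client_is_known(ip) else UNKNOWN_CLIENT_REJECT_CODE
```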
