On Wed December 24 2008 10:30:36 Terry Carmen wrote:
> I have:
>
> smtpd_delay_reject = yes
>
> smtpd_recipient_restrictions =
>         permit_mynetworks
>         permit_sasl_authenticated
>         reject_unauth_destination
>
>
> smtpd_client_restrictions =
>         permit_mynetworks,
>         permit_sasl_authenticated,
>         reject_unauth_destination,
>         hash:/etc/postfix/whitelist,
>         regexp:/etc/postfix/spam_ip_regex,
>         reject_unknown_reverse_client_hostname,
>         reject_unauth_pipelining,
>         reject_non_fqdn_recipient,
>         reject_rbl_client zen.spamhaus.org
>
> which AFAIK, should reject inbound connections that do not have a
> reverse DNS entry.

postconf.5.html#reject_unknown_reverse_client_hostname

Reject the request when the client IP address has no address->name
mapping. This is a weaker restriction than the
reject_unknown_client_hostname feature, which requires not only that
the address->name and name->address mappings exist, but also that the
two mappings reproduce the client IP address.

In other words, reject only if there is no PTR for the client IP
address, and do not require forward confirmation of the PTR.

> However it doesn't seem to be consistent. I get a lot of these, for
> example;
>
> NOQUEUE: reject: RCPT from unknown[218.94.129.166]:
> 450 4.7.1 Client host rejected: cannot find your reverse hostname,
> [218.94.129.166]; from=<stev...@xuite.net> to=<te...@cnysupport.com>
> proto=ESMTP helo=<njgzwibm346.njgzw.org>

$ dig -x 218.94.129.166
[snip]
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 9248

> which are properly rejected, however I also get:
>
> NOQUEUE: reject: RCPT from unknown[202.70.195.135]:
> 554 5.7.1 Service unavailable; Client host [202.70.195.135] blocked
> using zen.spamhaus.org. To resolve this issue, please call CNY
> Support and ask that your IP address be whitelisted.;
> from=<fatiguelc...@sina.com.tw> to=<oneofmyus...@example.com>
> proto=ESMTP helo=<abc> lost connection after DATA (0 bytes) from
> unknown[202.70.195.135]
>
> Shouldn't this be rejected by reject_unknown_reverse_client_hostname

No.

$ dig -x 202.70.195.135
[snip]
135.195.70.202.in-addr.arpa. 86400 IN   PTR     219-83-128-135.static.iolnetcom.com.
$ dig 219-83-128-135.static.iolnetcom.com.
[snip]
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47263

> instead of making it all the way to the zen.spamhaus.org RBL, or is
> the smtpd_delay_reject causing all the restrictions to execute before
> rejecting the message?

smtpd_delay_reject is not the issue. That just means that restrictions
wait until RCPT TO before being evaluated.

Happy holidays, spend them with your family, and then get back to
reading those Postfix docs. :)
-- 
    Offlist mail to this address is discarded unless
    "/dev/rob0" or "not-spam" is in Subject: header

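The difference between the two restrictions discussed above, as an added example that is not part of the original message or of Postfix itself. The function name `classify`, the lookup tables and the 192.0.2.x / 198.51.100.x entries are constructed for illustration; the first two cases mirror the `dig` results quoted in the thread.

```python
import ipaddress

# Constructed DNS data. A missing key models NXDOMAIN.
# 202.70.195.135 mirrors the dig output in the thread (PTR exists, forward
# lookup of the PTR name is NXDOMAIN); 218.94.129.166 has no PTR at all.
PTR = {
    "202.70.195.135": ["219-83-128-135.static.iolnetcom.com."],
    "192.0.2.10": ["mail.example.com."],       # made-up, documentation range
    "192.0.2.20": ["host.example.net."],       # made-up, documentation range
}
A = {
    "mail.example.com.": ["192.0.2.10"],       # forward lookup matches the client
    "host.example.net.": ["198.51.100.7"],     # forward lookup points elsewhere
}

def classify(ip, lookup_ptr=PTR.get, lookup_a=A.get):
    """Evaluate both restrictions for one client IP.

    lookup_ptr / lookup_a return a list of results, or None for NXDOMAIN.
    Pass real resolver functions instead of the tables to test live addresses.
    """
    ip = str(ipaddress.ip_address(ip))         # raises ValueError on malformed input
    names = lookup_ptr(ip) or []
    # Forward-confirmed reverse DNS: a PTR name must resolve back to the client IP.
    confirmed = [n for n in names if ip in (lookup_a(n) or [])]
    # smtpd logs a hostname only when it is forward-confirmed, otherwise "unknown",
    # so a client with an unconfirmed PTR still shows up as unknown[ip] in the log.
    name = confirmed[0].rstrip(".") if confirmed else "unknown"
    return {
        "ptr_names": names,
        "logged_as": f"{name}[{ip}]",
        # weaker check: rejects only when there is no PTR at all
        "reject_unknown_reverse_client_hostname": not names,
        # stronger check: rejects unless PTR and forward lookup agree
        "reject_unknown_client_hostname": not confirmed,
    }

if __name__ == "__main__":
    for ip in ("218.94.129.166", "202.70.195.135", "192.0.2.20", "192.0.2.10"):
        r = classify(ip)
        print(f"{r['logged_as']:30} "
              f"weak_rejects={r['reject_unknown_reverse_client_hostname']!s:5} "
              f"strict_rejects={r['reject_unknown_client_hostname']}")
```

Both clients from the thread are logged as `unknown[...]`, but only the one without a PTR is rejected by the weaker restriction; the other continues to the next restriction in the list.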