Noel Jones wrote:
> Robert Schetterer wrote:
>> Hi,
>> some nets have
>> set their ptr records to localhost
>> this causes problems to several mailservers
>> i see no problems at mine but
>> just asked to clear
>>
>> dig -x 123.27.178.4
>>
>> ; <<>> DiG 9.3.5-P1 <<>> -x 123.27.178.4
>> ;; global options: printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46689
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
>>
>> ;; QUESTION SECTION:
>> ;4.178.27.123.in-addr.arpa. IN PTR
>>
>> ;; ANSWER SECTION:
>> 4.178.27.123.in-addr.arpa. 86266 IN PTR localhost.
>>
>> i only get warnings ( like ever )
>>
>> Aug 6 15:04:31 mxback postfix/smtpd[30131]: warning: 123.27.178.4:
>> address not listed for hostname localhost
>> Aug 6 15:04:31 mxback postfix/smtpd[30131]: connect from
>> unknown[123.27.178.4]
>>
>>
>> is this a hard coded match ( ptrs to localhost are resolved unknown? )
>> so i.e reject_unknown_reverse_client_hostname
>> will reject it ever ?
>>
>> after all this was warned by German heise PC magazine
>> http://www.heise.de/newsticker/Namens-Trick-oeffnet-Mailserver--/meldung/143123
>>
>
> reject_unknown_reverse_client_hostname only checks for the existence of
> a PTR, so it won't reject such clients.
> Postfix will label a PTR of "localhost" as unknown unless it really
> comes from localhost. This is the normal IP->PTR->IP validation postfix
> does on client hostnames.
> http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
>
> A PTR of localhost shouldn't cause any problems for postfix, but you
> very likely don't want the mail.
>
> You can reject such clients with a check_reverse_client_hostname access
> table. Make sure this is after permit_mynetworks so you don't reject
> the "real" localhost.
> http://www.postfix.org/postconf.5.html#check_reverse_client_hostname_access
> # some table
> localhost REJECT you're not localhost
>
> You can also use check_sender_mx_access to reject spammers that set
> their MX to "localhost".
> http://www.postfix.org/postconf.5.html#check_sender_mx_access
>
> Like most rules, this has the possibility to reject legit mail from
> misconfigured hosts, but I expect that to be pretty rare. In
> particular, I've seen some legit idiots that include "localhost" in
> their MX list.
>
> -- Noel Jones

Thx Noel, for clearing
special for
http://www.postfix.org/postconf.5.html#check_reverse_client_hostname_access
missed this new parameter in 2.6
i will use it

--
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria
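
The checks discussed in this thread, modelled as an added example that is not part of the original messages and is not Postfix code: it shows why a client with a PTR of "localhost" is logged as unknown, passes reject_unknown_reverse_client_hostname, and is caught by the reverse-hostname access table placed after permit_mynetworks. The DNS tables, the function names and every address except 123.27.178.4 are constructed for the illustration.

```python
# Simplified model of the client-name checks discussed in this thread.
# All DNS data below is constructed sample data; nothing is resolved online.
PTR = {  # address -> name (reverse zone)
    "123.27.178.4": "localhost",       # the case from the thread
    "127.0.0.1": "localhost",          # the real localhost
    "192.0.2.10": "mail.example.org",  # consistent forward and reverse DNS
    "192.0.2.66": "mail.example.org",  # PTR claims a name that maps elsewhere
}
A = {  # name -> addresses (forward zone)
    "localhost": ["127.0.0.1"],
    "mail.example.org": ["192.0.2.10"],
}
# Stand-in for the access table suggested in the thread.
REVERSE_ACCESS = {"localhost": "REJECT you're not localhost"}
MYNETWORKS = {"127.0.0.1"}


def reverse_name(ip):
    """Unverified PTR name, or None when the address has no PTR."""
    return PTR.get(ip)


def verified_name(ip):
    """IP -> PTR -> IP validation: keep the name only if it maps back."""
    name = reverse_name(ip)
    if name is not None and ip in A.get(name, []):
        return name
    return "unknown"


def evaluate(ip):
    """Outcome of each check for one connecting client address."""
    name = reverse_name(ip)
    result = {
        "logged_as": verified_name(ip),
        # Rejects only when the address has no PTR at all.
        "reject_unknown_reverse_client_hostname": name is None,
        # Rejects when the IP -> PTR -> IP validation fails.
        "reject_unknown_client_hostname": verified_name(ip) == "unknown",
    }
    # permit_mynetworks is listed first, so the real localhost
    # never reaches the reverse-hostname table.
    if ip in MYNETWORKS:
        result["access_table"] = "permit_mynetworks"
    else:
        result["access_table"] = REVERSE_ACCESS.get(name, "DUNNO")
    return result
```

Calling `evaluate("123.27.178.4")` returns the combination seen in the thread: logged as unknown, not rejected by the PTR-existence check, rejected by the table.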