On 12.03.2014 12:58, tejas sarade wrote:
>> how should that be possible?
>> the hostname the client pretends?
>> how could you trust that?
>> how could you trust any hostname?
>> there is nothing else trustable than the connecting real IP
>
> No. Not the hostname that client pretends, I am talking
> about valid DNS A record through DNS lookup.

how do you imagine that
please read how DNS works

in case of a connecting IP you have no A-Record
A = translate name to IP and not the other way
PTR = IP to name and controlled by the DNS responsible for the network range

>> frankly you must not even make relay decisions based on a
>> static PTR because i can add any PTR i like in my own DNS
>> server which is authoritative for my in-addr.arpa zone
>
> I am not running my own DNS server

does not matter, i do and if i know what hostname you like to
see i greet you with that in EHLO and set my PTR to that name

>> the same way you can stop nobody from making a valid PTR record
>> you like to see on your side for granting relay permissions
>
> I just want to create an access control system where I will
> provide the list of valid hostname(FQDN). Postfix will lookup
> the IP of that FQDN through public DNS and consider that
> IP as trusted IP

that does not work - postfix can only query the PTR and at best
then verify that the PTR to an IP matches the A-record

but that also means if doing so you must *always* make sure that
your dynamic IP gets the correct in-addr.arpa PTR

please understand that you must not make relay decisions based
on hostnames - the only harmless decisions are rejects based on
that but never for opening a spam door
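
The three hostname checks discussed in this thread (EHLO name, PTR only, PTR confirmed by the A-record), as an added example that is not part of the original message. The DNS data, the allow-list and all function names are constructed for illustration, and nothing is resolved over the network.

```python
# Constructed DNS data for illustration (documentation address ranges,
# placeholder names); nothing here is looked up on the network.
A = {"mail.customer.example": {"192.0.2.10"}}   # name -> IPs, set by the domain owner
PTR = {
    "192.0.2.10": "mail.customer.example",      # set by the customer's ISP
    "198.51.100.66": "mail.customer.example",   # set by a stranger who runs the
}                                               # in-addr.arpa zone for that range
ALLOWED_NAMES = {"mail.customer.example"}       # hypothetical allow-list of FQDNs


def helo_check(client_ip, helo_name):
    """Trust the name announced in EHLO: the client picks it."""
    return helo_name in ALLOWED_NAMES


def ptr_check(client_ip, helo_name):
    """Trust the PTR of the connecting IP: the owner of the IP range picks it."""
    return PTR.get(client_ip) in ALLOWED_NAMES


def fcrdns_check(client_ip, helo_name):
    """PTR must be allowed and the A-record of that name must point back to the IP."""
    name = PTR.get(client_ip)
    return name in ALLOWED_NAMES and client_ip in A.get(name, set())


def evaluate(client_ip, helo_name):
    """Run all three checks for one connection and return their verdicts."""
    checks = (helo_check, ptr_check, fcrdns_check)
    return {check.__name__: check(client_ip, helo_name) for check in checks}


def customer_moves_to(new_ip):
    """Dynamic IP change: the A-record gets updated, the PTR for new_ip does not."""
    A["mail.customer.example"] = {new_ip}


if __name__ == "__main__":
    print("customer  ", evaluate("192.0.2.10", "mail.customer.example"))
    print("stranger  ", evaluate("198.51.100.66", "mail.customer.example"))
    customer_moves_to("192.0.2.77")
    print("after move", evaluate("192.0.2.77", "mail.customer.example"))
```

Only the A-record confirmed check turns the stranger away, and after the address change it turns the legitimate client away too until the PTR for the new IP is corrected.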