deoren:

> Hi,
>
> I've read over several threads here in the mailing list archives and
> have found authoritative answers from Viktor and Wietse re how Postfix
> treats unverified PTR/A DNS records in relation to check_*_access
> checks, but I believe I am overlooking where this is explicitly covered
> in the documentation.
>
> Viktor:
>
> > Postfix does not use unverified PTR records in access checks
> > that can return "OK", that would be a major security hole.
> >
> > Anyone can set their PTR records to point to any name of their
> > choice, but they cannot as easily get the owner of that name
> > to confirm that the original IP address is theirs.
>
> Wietse:
>
> > For security reasons Postfix does not allow you to whitelist a client
> > hostname with incorrect PTR/A DNS records. Not even when you use
> > check_reverse_client_hostname_access instead of check_client_access.
> >
> > If you must whitelist, use the IP address.
>
> I've focused specifically on these pages/areas, though I've wandered
> from there onto other related pages in my search:
I suggest that you look at Postfix features that focus on 'unknown' client names:

http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname

These descriptions also discuss permanent versus temporary errors.

Wietse
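An added illustration of the rule both replies describe (this is not Postfix code, and the DNS data, hostnames and IP addresses are constructed): a client name counts only after the PTR result is confirmed by a matching A record, an access map can therefore return OK for an IP or a verified name but never for a name that exists only in a PTR record, and the two reject_unknown_* restrictions differ in which lookup failure they act on.

```python
from dataclasses import dataclass

# Constructed DNS data (hypothetical zone): 192.0.2.10 is the real mail
# host of mx.partner.example; 198.51.100.7 has a PTR claiming the same
# name, but the name's owner never published an A record pointing back.
PTR = {"192.0.2.10": "mx.partner.example", "198.51.100.7": "mx.partner.example"}
A = {"mx.partner.example": {"192.0.2.10"}}


@dataclass
class Client:
    ip: str
    name: str          # forward-confirmed hostname, else "unknown"
    reverse_name: str  # raw PTR result, unconfirmed, else "unknown"


def lookup_client(ip, ptr=PTR, a=A):
    """Resolve IP -> PTR -> A and keep the name only if an A record matches the IP."""
    reverse = ptr.get(ip)
    if reverse is None:
        return Client(ip, "unknown", "unknown")
    if ip in a.get(reverse, set()):
        return Client(ip, reverse, reverse)
    return Client(ip, "unknown", reverse)


def check_client_access(client, table):
    """Simplified access-map lookup: only the client IP and the verified
    name are used as keys, so a PTR pointing at a whitelisted name gains nothing."""
    for key in (client.ip, client.name):
        if key != "unknown" and key in table:
            return table[key]
    return "DUNNO"


def reject_unknown_client_hostname(client):
    """Reject when the PTR or A lookup fails or the A record does not match the IP."""
    return "REJECT" if client.name == "unknown" else "DUNNO"


def reject_unknown_reverse_client_hostname(client):
    """Weaker check: rejects only when there is no PTR record at all."""
    return "REJECT" if client.reverse_name == "unknown" else "DUNNO"
```

Real Postfix also matches parent domains and network prefixes, and distinguishes temporary from permanent lookup errors; both are omitted here.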
