On 6/28/17 3:18 PM, Wietse Venema wrote:
deoren:
On 6/28/17 1:32 PM, Wietse Venema wrote:
I suggest that you look at Postfix features that focus on 'unknown'
client names:
http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname
http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname
These descriptions also discuss permanent versus temporary errors.
Thank you for your reply.
I use the first restriction in my setup, but was surprised whenever a
check_client_access entry I added for a vendor's mail server (with an
'OK' result) still resulted in mail being rejected from that server's
"client name".
Yes, the text should be repeated in other places. There are about
seven check_client*access features, and only check_reverse_client_*
may use a client hostname that failed validation.
Thank you for noting that. I took another look at the documentation
(postconf.5.html) and I see where it notes the following for
check_reverse_client_hostname_access:
> unverified reverse client hostname, parent domains, client IP
> address, or networks obtained by stripping least significant octets
Is this directive the equivalent of check_client_access, except that it
allows the use of an unverified DNS entry in the checks?
Is your answer a combination of multiple points, or is this statement
covered in more detail somewhere?
The two http links point to the instances of the text that I was
able to find quickly. There may be other instances: I did not have
time for an exhaustive search.
> For security reasons Postfix does not allow you to whitelist a
> client hostname with incorrect PTR/A DNS records
Is that a question?
No, sorry, I was attempting to quote your answer to another thread on
this mailing list. There a similar question was raised and you gave that
answer. Viktor's response on another thread was very similar to yours.
While both answers were direct and covered the specific details spot on,
I failed to locate those specific details in the documentation. I
believe it's there, but either I'm overlooking it (likely), or the
information needed to come to the same understanding as the answers that
you both gave is spread thinly across applicable directives instead of
specified in such a direct manner for the specific directives.
For example, when looking at the check_client_access directive I had no
idea that it would not apply hostname checks to a remote client that
fails either of PTR or A verification checks. It makes sense that it
refuses to honor the value, but I didn't see it clearly noted anywhere.
I mean no insult, I'm just trying to wrap my head around this and want
to read further about the various verification checks that Postfix
applies. If the documentation wasn't already covering this specific case
in explicit detail, I was going to look into how to go about
contributing a patch to the documentation so that it would be covered.
I'm not really qualified to speak authoritatively on the subject, but I
could provide minor tweaks that someone else could clean up for
final commit.
Thank you for your time.
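
The behaviour discussed in this thread, as a simplified model added for illustration (it is not Postfix source code and not from either poster). It shows why an 'OK' keyed on a hostname only takes effect for a client whose PTR and A records agree. The DNS data, the access table and all function names are constructed assumptions, and the key order is a simplification of the documented lookup.

```python
import ipaddress

# Constructed DNS data (documentation addresses, example domains).
PTR = {
    "192.0.2.10": "mail.vendor.example",  # PTR and A agree
    "192.0.2.20": "mail.vendor.example",  # PTR claims the name, A does not confirm it
    # 192.0.2.30 has no PTR record at all
}
A = {"mail.vendor.example": {"192.0.2.10"}}

# Constructed access table: the vendor whitelist entry described in the thread.
ACCESS = {"mail.vendor.example": "OK"}

def client_names(ip):
    """Return (verified_name, reverse_name) for a client IP.

    reverse_name is whatever the PTR record says, unverified.
    verified_name is that name only if its A lookup includes the
    client IP; otherwise it is "unknown".
    """
    reverse = PTR.get(ip, "unknown")
    verified = reverse if ip in A.get(reverse, set()) else "unknown"
    return verified, reverse

def lookup_keys(name, ip):
    """Hostname, parent domains, IP, then networks with octets stripped (IPv4)."""
    keys = []
    if name != "unknown":
        labels = name.split(".")
        keys += [".".join(labels[i:]) for i in range(len(labels) - 1)]
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    keys += [".".join(octets[:n]) for n in range(4, 0, -1)]
    return keys

def access_result(table, name, ip):
    """Action of the first matching key, or None when nothing matches."""
    return next((table[k] for k in lookup_keys(name, ip) if k in table), None)

def check_client_access(ip):
    """Model of a lookup keyed on the verified client name."""
    verified, _ = client_names(ip)
    return access_result(ACCESS, verified, ip)

def unverified_name_lookup(ip):
    """What the same table would return if the bare PTR name were trusted."""
    _, reverse = client_names(ip)
    return access_result(ACCESS, reverse, ip)
```

For 192.0.2.20 the verified name is "unknown", so the vendor entry never matches, while a lookup on the bare PTR name would have returned 'OK' to a host that merely claims the vendor's name in its own reverse zone.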