Hi Noel,

> On Jan 21, 2018, at 3:35 PM, Noel Jones <njo...@megan.vbhcs.org> 
>> smtpd_client_restrictions = permit_mynetworks,
>>    reject_unauth_pipelining,
>>    check_client_access hash:/etc/postfix/client_acl,
>>    reject_unknown_client_hostname,
>>    permit
> 
> reject_unknown_client_hostname is likely to reject legit mail.  Use
> with caution.
> 
> Consider instead using reject_unknown_reverse_client_hostname, which
> rejects clients with no PTR record.  This is similar to what many
> large providers do and is fairly low risk.

Thank you for your feedback.

Ok, I will move from reject_unknown_client_hostname to 
reject_unknown_reverse_client_hostname, as I am looking to block senders that do 
not provide reverse DNS lookup.  These usually show up in my logs with Postfix 
identifying their connecting IP address but a DNS value of “unknown”.

> The "permit" at the end is unnecessary, but doesn't break anything.
> Same with all the other "permit" in the restrictions below.

Interesting.  Ok, I had thought it was required.  I think I may keep them, even 
though they’re redundant, as it seems to document the intent a bit better.

>> smtpd_helo_required = yes
>> smtpd_helo_restrictions = permit_mynetworks,
>>    reject_unauth_pipelining,
>>    reject_invalid_helo_hostname,
>>    reject_non_fqdn_helo_hostname,
>>    check_helo_access hash:/etc/postfix/helo_acl,
>>    reject_unknown_helo_hostname,
>>    permit
> 
> reject_unknown_helo_hostname is likely to reject legit mail.  Use
> with caution.

Ok, although I checked man 5 postconf again for the definition:

“Reject the request when the HELO or EHLO hostname has no DNS A or MX record.”

Is there ever a case where a legitimate mail sender would not have either an A 
record (and I assume an AAAA record if it is an IPv6 sender), or an MX record?

The other way I had looked at it was that since the SMTP error code for this is 
4xx, if it does reject a legitimate sender the sender would queue the message 
and try again.  I would assume that not having A/AAAA or MX would be transient 
for a legitimate sender.

- J
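The thread turns on the difference between reject_unknown_reverse_client_hostname (no PTR record at all) and reject_unknown_client_hostname (no PTR, or a PTR whose name does not resolve back to the connecting address). The script below is an added example, not code from the thread or from the Postfix project: it models both checks over a constructed in-memory DNS table so it runs offline, and it counts the `connect from unknown[...]` entries that J mentions seeing, using constructed log lines in Postfix's smtpd log format. The DNS data, IP addresses and log lines are all made up for the illustration.

```python
"""Offline model of two Postfix smtpd client restrictions (added example).

The DNS view and the log lines are constructed; nothing here queries real DNS
or reads a real mail log.
"""
import ipaddress
import re
from collections import Counter

# Constructed DNS view: PTR records keyed by client IP, forward A/AAAA
# records keyed by hostname.
PTR = {
    "192.0.2.10": "mail.example.org",   # PTR present, A matches the client IP
    "192.0.2.20": "mx.example.net",     # PTR present, but the name has no A/AAAA
    "192.0.2.30": "host.example.com",   # PTR present, A points at a different IP
    # 192.0.2.40 deliberately has no PTR record at all
    "2001:db8::5": "v6.example.org",    # IPv6 client with a consistent AAAA
}
FORWARD = {
    "mail.example.org": {"192.0.2.10"},
    "host.example.com": {"198.51.100.7"},
    "v6.example.org": {"2001:db8::5"},
}


def lookup_ptr(ip: str):
    """IP -> name mapping from the constructed table (None if no PTR)."""
    return PTR.get(ip)


def lookup_forward(name: str):
    """name -> set of addresses from the constructed table (empty if none)."""
    return FORWARD.get(name, set())


def reverse_client_hostname_unknown(ip: str) -> bool:
    """reject_unknown_reverse_client_hostname: true only when the IP has no PTR."""
    return lookup_ptr(ip) is None


def client_hostname_unknown(ip: str) -> bool:
    """reject_unknown_client_hostname: true when the PTR is missing, the PTR
    name has no A/AAAA record, or none of those addresses equals the client IP
    (the forward-confirmed reverse DNS check)."""
    name = lookup_ptr(ip)
    if name is None:
        return True
    addrs = lookup_forward(name)
    if not addrs:
        return True
    client = ipaddress.ip_address(ip)
    return not any(ipaddress.ip_address(a) == client for a in addrs)


def classify(ip: str) -> dict:
    """Which of the two restrictions would fire for this client IP."""
    return {
        "reject_unknown_reverse_client_hostname": reverse_client_hostname_unknown(ip),
        "reject_unknown_client_hostname": client_hostname_unknown(ip),
    }


# Constructed Postfix smtpd log excerpt (timestamps, host and IPs invented).
SAMPLE_LOG = """\
Jan 21 15:35:01 mx postfix/smtpd[1234]: connect from mail.example.org[192.0.2.10]
Jan 21 15:35:07 mx postfix/smtpd[1234]: connect from unknown[192.0.2.40]
Jan 21 15:36:12 mx postfix/smtpd[1240]: connect from unknown[192.0.2.30]
Jan 21 15:37:30 mx postfix/smtpd[1241]: connect from unknown[192.0.2.40]
Jan 21 15:38:02 mx postfix/smtpd[1242]: disconnect from unknown[192.0.2.40] commands=0/0
"""

# \b keeps "disconnect from" lines out of the count.
UNKNOWN_CONNECT = re.compile(r"\bconnect from unknown\[([^\]]+)\]")


def unknown_clients(log_text: str) -> Counter:
    """Count connections Postfix logged with an 'unknown' client name, per IP."""
    return Counter(UNKNOWN_CONNECT.findall(log_text))


if __name__ == "__main__":
    for ip in ["192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40", "2001:db8::5"]:
        print(ip, classify(ip))
    print(unknown_clients(SAMPLE_LOG))
```

Two things the model makes visible. First, 192.0.2.20 and 192.0.2.30 pass the reverse-only check but fail the full check, which is the gap between the two restrictions Noel is pointing at. Second, Postfix logs the client name as `unknown` both when there is no PTR and when the PTR exists but is not confirmed by a matching forward record, so a count of `connect from unknown[...]` lines estimates the impact of reject_unknown_client_hostname, not of reject_unknown_reverse_client_hostname alone; to size the narrower restriction, resolve the PTR for each counted IP separately.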
