On 07-07-2021 5:31 pm, Richard wrote: If the "hostname has no DNS A ... record", i.e., the *hostname* presented on the HELO/EHLO doesn't resolve, then no IP number will be returned [to do anything with].
Yes, if the hostname has no DNS records then of course it has no IP. But if the hostname DOES have DNS records, which is needed to pass the test, then Postfix now has that IP. Logically, since the work has been done to get that IP, it would be nothing for Postfix to do a quick compare to know if the HELO is valid or spoofed compared to the connecting client. The manual does not say it does, or does not, do anything with that IP, but it does say that it does get that IP; I just wanted to clarify. I didn't know I would get roasted this much for asking.
Now for just my two cents, not having any knowledge as to why things were designed the way they were, just as a stupid layman, I'm wondering what is the point of even checking for a valid DNS A or MX record if you aren't validating that information? What are you preventing if any mail server can make their HELO 'gmail.com'?
Is there a downside to having that extra check in Postfix? Maybe adding "reject_mismatched_helo_client_ip".
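The comparison the poster is asking about (does the HELO hostname resolve to the address the client is actually connecting from?) is not a Postfix restriction, but it can be bolted on through Postfix's policy delegation protocol. The following is an added example, not code from the original thread or from the Postfix project: a minimal policy check that parses a delegation request, resolves the helo_name through a constructed in-memory DNS table (a stand-in for real A/AAAA lookups so it runs offline), handles RFC 5321 address literals, and returns DUNNO on a match or REJECT on a mismatch. The reject text, the table contents, and the request samples are all assumptions made for illustration.

```python
import ipaddress
from typing import Callable, Dict, List

# Constructed DNS table standing in for real A/AAAA lookups so the example
# runs offline. Addresses are documentation ranges (RFC 5737 / RFC 3849).
FAKE_DNS: Dict[str, List[str]] = {
    "mail.example.org": ["203.0.113.10", "2001:db8::10"],
    "gmail.com": ["198.51.100.5"],
}

Resolver = Callable[[str], List[str]]


def fake_resolve(hostname: str) -> List[str]:
    """Return the addresses the constructed table holds for hostname (empty if none)."""
    return list(FAKE_DNS.get(hostname.lower().rstrip("."), []))


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse one Postfix policy-delegation request: name=value lines, blank line ends it."""
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def helo_matches_client(helo_name: str, client_address: str,
                        resolve: Resolver = fake_resolve) -> bool:
    """True if the HELO argument names (or literally is) the connecting client's address."""
    try:
        client = ipaddress.ip_address(client_address)
    except ValueError:
        return False
    # RFC 5321 address literal: [203.0.113.10] or [IPv6:2001:db8::10]
    if helo_name.startswith("[") and helo_name.endswith("]"):
        literal = helo_name[1:-1]
        if literal[:5].upper() == "IPV6:":
            literal = literal[5:]
        try:
            return ipaddress.ip_address(literal) == client
        except ValueError:
            return False
    # Otherwise compare every address the name resolves to against the client.
    for addr in resolve(helo_name):
        try:
            if ipaddress.ip_address(addr) == client:
                return True
        except ValueError:
            continue
    return False


def policy_action(raw_request: str, resolve: Resolver = fake_resolve) -> str:
    """Decide one request: DUNNO lets later restrictions decide, REJECT refuses the HELO."""
    attrs = parse_policy_request(raw_request)
    helo = attrs.get("helo_name", "")
    client = attrs.get("client_address", "")
    if not helo or not client:
        return "DUNNO"
    if helo_matches_client(helo, client, resolve):
        return "DUNNO"
    # Hypothetical reject text; wording is this example's choice.
    return f"REJECT HELO hostname {helo} does not resolve to client address {client}"


def policy_response(raw_request: str, resolve: Resolver = fake_resolve) -> str:
    """Wire format Postfix expects back from a policy server: action line, blank line."""
    return f"action={policy_action(raw_request, resolve)}\n\n"


# Constructed requests in the delegation format (real ones carry many more attributes).
LEGIT_REQUEST = ("request=smtpd_access_policy\nhelo_name=mail.example.org\n"
                 "client_address=203.0.113.10\n\n")
SPOOFED_REQUEST = ("request=smtpd_access_policy\nhelo_name=gmail.com\n"
                   "client_address=203.0.113.10\n\n")

if __name__ == "__main__":
    print(policy_response(LEGIT_REQUEST), end="")
    print(policy_response(SPOOFED_REQUEST), end="")
```

To use it for real you would wrap policy_response in a socket loop and list the service under smtpd_helo_restrictions with check_policy_service, and swap fake_resolve for an actual A/AAAA lookup. Before deploying a hard REJECT, note that plenty of legitimate senders HELO with a name that resolves to something other than the connecting address (shared outbound pools, NAT, load balancers), so in practice a mismatch is more safely treated as a scoring input or logged for review than as an outright rejection.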