On 7/20/2021 1:49 PM, [email protected] wrote:
>> Postfix queries the PTR hostname returned. For this query, it doesn't
>> matter if the client PTR and A record match FCrDNS.
>
> If that is the case, then what is the difference between
> reject_rhsbl_client and reject_rhsbl_reverse_client?

reject_rhsbl_client uses the FCrDNS hostname, which is also included
in the postfix logs.

reject_rhsbl_reverse_client uses the client PTR regardless of FCrDNS
confirmation. These clients may be labeled as "unknown" in postfix
logs. If the client has no PTR at all, there is no hostname to check
and the query is skipped.

> If you are using smtpd_client_restrictions =
> reject_unknown_client_hostname then reject_rhsbl_reverse_client
> would never get used?

Only if the client is labeled "unknown". Known clients will still
be queried.

> Still don't have my head around this one. The manual says
> "unverified reverse client hostname". Isn't the PTR record
> known/verified?

The hostname isn't verified until it passes the FCrDNS checks in
postfix. Once it's verified, the hostname is logged and is available
for use in various postfix hostname based restrictions.

> If that is the case, then wouldn't the client have already been
> rejected under reject_unknown_client_hostname?

Only if you use reject_unknown_client_hostname and you've specified
that check before the rbl check.

Warning: reject_unknown_client_hostname is a very strict check known to
reject good mail, and is generally not recommended.

> And if the client passed reject_unknown_client_hostname then the
> hostname is known, so would reject_rhsbl_reverse_client even get
> checked?

Of course it would. The client still has a reverse hostname. It
would be kinda silly to name it
reject_rhsbl_reverse_client_hostname_verified_or_unknown_as_long_as_the_client_has_any_ptr_whatsoever

Maybe you're confusing "known" with "verified".

Postfix generally uses "unknown" and "verified" to prevent
confusion. Postfix might know the PTR hostname lookup result, but it
considers it "unknown" until it's been verified with FCrDNS.

> Or am I misunderstanding what "unverified reverse client hostname"
> means?

Apparently yes.

Unverified PTR hostnames are easily forged, so postfix tries to warn
you (by the feature name) when you're using a potentially forged
hostname.

-- Noel Jones
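As an added illustration of the "unknown" versus "verified" distinction drawn in the reply above (example code written for this page, not Postfix code and not from the thread), this Python model walks a client IP through the FCrDNS check and shows which hostname each restriction would consult. The DNS records, names and addresses are constructed, and the `rhsbl.example.org` zone and the `lookup` helper are assumptions standing in for a real resolver.

```python
import ipaddress

# Constructed DNS data (not real records): PTR and forward answers keyed by
# query name, so the FCrDNS logic can run offline without a resolver.
FAKE_DNS = {
    "5.2.0.192.in-addr.arpa": ["mail.example.com"],       # PTR points back: verified
    "mail.example.com": ["192.0.2.5"],
    "9.100.51.198.in-addr.arpa": ["spoofed.example.net"],  # PTR name resolves elsewhere
    "spoofed.example.net": ["203.0.113.10"],
    # 203.0.113.77 deliberately has no PTR at all
}


def lookup(name):
    """Assumed resolver: answer list for name, or [] when nothing exists."""
    return FAKE_DNS.get(name, [])


def classify_client(ip, resolve=lookup):
    """Return (reverse_name, verified_name) for a connecting client.

    reverse_name  is the raw PTR result, the "unverified reverse client
                  hostname" that reject_rhsbl_reverse_client consults;
                  None when the client has no PTR.
    verified_name is that PTR name only if its forward lookup contains the
                  client IP (FCrDNS); None means Postfix logs "unknown".
    """
    ptrs = resolve(ipaddress.ip_address(ip).reverse_pointer)
    if not ptrs:
        return None, None
    ptr = ptrs[0]
    verified = ptr if ip in resolve(ptr) else None
    return ptr, verified


def rhsbl_queries(ip, rbl_domain, resolve=lookup):
    """Which name each restriction would look up under rbl_domain.

    A None query means the check is skipped because there is no hostname
    for it to use; the model queries the full name only.
    """
    ptr, verified = classify_client(ip, resolve)
    q = lambda name: f"{name}.{rbl_domain}" if name else None
    return {
        "logged_as": verified or "unknown",
        "reject_unknown_client_hostname": "REJECT" if verified is None else "OK",
        "reject_rhsbl_client": q(verified),       # only the FCrDNS-verified name
        "reject_rhsbl_reverse_client": q(ptr),    # any PTR, verified or not
    }
```

The second constructed client is the case the reply warns about: it is "unknown" to reject_rhsbl_client, yet reject_rhsbl_reverse_client still queries its forgeable PTR name.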