Re: Is reject_unknown_{reverse_}client_hostname safe?

2018-04-07 Thread Mal

Very handy Postfix feature.

Mal



On 8/04/2018 6:33 AM, Wietse Venema wrote:
> 
> I have "warn_if_reject reject_unknown_reverse_client_hostname" to
> test the waters, and I don't feel an urge to make that a hard reject.


Re: Is reject_unknown_{reverse_}client_hostname safe?

2018-04-07 Thread Wietse Venema
Daniele Nicolodi:
> Hello,
> 
> I have been using
> 
> smtpd_relay_restrictions =
>   ...
>   reject_unknown_reverse_client_hostname

All features like this can block legitimate email.  There is no
guarantee that someone won't break a good configuration, especially
when MAIL, DNS, and FIREWALL are managed by different people. Yes,
they might discover their mistake, but it is unlikely that they
will resend bounced mail.

I have "warn_if_reject reject_unknown_reverse_client_hostname" to
test the waters, and I don't feel an urge to make that a hard reject.
Generally I prefer to 'hold' suspect mail if there is a possibility
of collateral damage. But that works only on a small scale.

Wietse


Is reject_unknown_{reverse_}client_hostname safe?

2018-04-07 Thread Daniele Nicolodi
Hello,

I have been using

smtpd_relay_restrictions =
  ...
  reject_unknown_reverse_client_hostname
  warn_if_reject reject_unknown_client_hostname
  ...

for a long while in my configuration, where the warn_if_reject is there
because I thought that the more strict check could have blocked some
legitimate email.  This has only blocked unsolicited email so far, but
the other day I placed an order online and the confirmation email was
blocked by the first of those rules.

I solved this by adding a

  check_sender_access hash:/etc/postfix/sender-access

and a specific rule for the specific MAIL FROM domain, and the mail came
through at the next retry (sending server is well behaved).  Grepping
through the logs I found a few instances of seemingly legitimate mail
delivery attempts with (source and destination addresses are related to
services I use) but the sending server never retried after receiving the
first 450 answer (email delivery service identifies itself with
helo=). I probably don't want their emails.

The question is: am I rejecting legitimate email with those settings?  I
thought that having correct reverse DNS settings is the only way to
deliver mail to the usual suspects big email providers, and thus that
all legitimate senders would adhere to the policy.  Am I wrong in this
assumption?

Thanks for sharing your wisdom.

Cheers,
Daniele
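
Added example, not part of the thread: a log summary for the two approaches discussed above (a hard reject_unknown_reverse_client_hostname and a warn_if_reject trial), showing per sender domain how many deliveries were deferred, how many were only warned about, and which deferred senders were never seen retrying. The sample log lines, hosts and domains are constructed, and the function names are hypothetical; the regex keys on the "cannot find your [reverse] hostname" reply text rather than on the status code.

```python
import re
from collections import defaultdict

# Constructed sample in the usual Postfix smtpd log layout (documentation IPs and domains).
SAMPLE_LOG = """\
Apr  7 10:01:02 mx postfix/smtpd[2101]: connect from unknown[192.0.2.10]
Apr  7 10:01:03 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [192.0.2.10]; from=<orders@shop.example> to=<me@example.org> proto=ESMTP helo=<out1.shop.example>
Apr  7 10:16:40 mx postfix/smtpd[2188]: NOQUEUE: reject: RCPT from unknown[192.0.2.11]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [192.0.2.11]; from=<orders@shop.example> to=<me@example.org> proto=ESMTP helo=<out2.shop.example>
Apr  7 11:30:12 mx postfix/smtpd[2250]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 Client host rejected: cannot find your reverse hostname, [198.51.100.7]; from=<news@bulk.example> to=<me@example.org> proto=ESMTP helo=<mta.bulk.example>
Apr  7 12:05:55 mx postfix/smtpd[2301]: NOQUEUE: reject_warning: RCPT from unknown[203.0.113.5]: 450 4.7.25 Client host rejected: cannot find your hostname, [203.0.113.5]; from=<billing@isp.example> to=<me@example.org> proto=ESMTP helo=<smtp.isp.example>
"""

# "reject" is an enforced restriction; "reject_warning" is what warn_if_reject logs.
LINE_RE = re.compile(
    r"NOQUEUE: (?P<action>reject|reject_warning): RCPT from \S+\[(?P<ip>[^\]]+)\]: "
    r"\d{3} \S+ Client host rejected: cannot find your (?P<kind>reverse hostname|hostname), "
    r".*?from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)>.*?helo=<(?P<helo>[^>]*)>"
)

def summarize(log_text):
    """Per sender domain: hit counts per action, plus attempts per (sender, rcpt)."""
    summary = defaultdict(lambda: {"reject": 0, "reject_warning": 0,
                                   "attempts": defaultdict(int), "clients": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # connect/disconnect lines and other rejects are ignored
        domain = m["sender"].rpartition("@")[2].lower() or "<>"  # "<>" = null sender
        entry = summary[domain]
        entry[m["action"]] += 1
        entry["clients"].add((m["ip"], m["helo"]))
        if m["action"] == "reject":
            # Keyed without the IP: a retry may arrive from another host of the same pool.
            # Without a queue ID, two different messages to the same pair look like a retry.
            entry["attempts"][(m["sender"], m["rcpt"])] += 1
    return summary

def never_retried(summary):
    """Domains whose deferred deliveries were each attempted exactly once."""
    return sorted(d for d, e in summary.items()
                  if e["attempts"] and all(n == 1 for n in e["attempts"].values()))

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for domain, e in sorted(result.items()):
        print(domain, "deferred:", e["reject"], "warn-only:", e["reject_warning"],
              "clients:", sorted(e["clients"]))
    print("deferred once, no retry seen:", never_retried(result))
```

Domains that show up only under warn-only are the mail that promoting the trial restriction to a hard reject would start deferring.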