[CentOS] postfix - reject of incoming mail due to helo check??
Kai Schaetzl
maillists at conactive.com
Fri Feb 3 11:21:28 UTC 2012
Rob Kampen wrote on Fri, 03 Feb 2012 10:08:09 +1300:
> My confusion is that a reverse lookup of the IP gives me the clients
> domain (dropping the mail(x) subdomain) thus I assumed it was the helo
> domain name - which does not have rDNS - that was causing the reject -
> maybe it was just a timing error.
No, it wasn't, read the explanation of this check, see below. You may want
to use reject_unknown_reverse_client_hostname instead. Actually, I've not
been aware until now that it does more than checking the rDNS (or I had
forgotten it in the meantime and had to be reminded :-).
reject_unknown_client_hostname (with Postfix < 2.3: reject_unknown_client)
Reject the request when 1) the client IP address->name mapping fails, 2)
the name->address mapping fails, or 3) the name->address mapping does not
match the client IP address.
This is a stronger restriction than the
reject_unknown_reverse_client_hostname feature, which triggers only under
condition 1) above.
http://www.postfix.org/postconf.5.html
> Final question for the list - does anyone use "reject_unknown_client" -
> it has given me the most grief with legitimate clients that have poorly
> administered domains.
I've been using the reject_unknown_client_hostname restriction on my own
server(s) for years with no problems. But I'm not using it on client's
servers. Looks like one day I knew what it does ;-) I think
reject_unknown_client_hostname is a good restriction, but you may get too
many "false" positives. There is no definitive RFC requirement that the
mapping has to match.
That's different for the simple rDNS lookup. I think it's defined in
several RFCs (at least by loose interpretation) and also explained in
every "mail server setup howto" and on Wikipedia. I usually point
clients/admins to such a source and after a (not so long) while the sender
mysteriously manages to have rDNS set up by his provider ... So, I would
certainly recommend trying the less restrictive
reject_unknown_reverse_client_hostname . As you pointed out lots of bots
don't have rDNS, so they get rejected by this very effectively. And the
false positive ratio is very low. Certainly lower for me than Sorbs (threw
out Sorbs years ago).
Kai
More information about the CentOS
mailing list