On 05/31/2012 10:35 AM, Craig White wrote:
> On May 31, 2012, at 6:09 AM, Bob Hoffman wrote:
>
>> Not technically a centos question, but a lot of you guys seem to manage
>> some large systems
>> and I could use some clarification on a postfix setting.
>>
>> reject_unknown_client_hostname
>> (in postfix < 2.3 reject_unknown_client)
>>
>> When I first used this there were issues with users trying to send mail
>> through the server
>> from hotels, wireless spots, etc. This was solved by pushing up permit
>> sasl_authenticated.
>>
>> I took it out after those issues. I read many online posts from 2008
>> saying too many
>> false positives. (though none were clear if those were incoming mail or
>> from mail users)
>>
>> Do you use reject_unknown_client_hostname?
>>
>> Other than someone trying to access the server to send mail through it
>> as a user I do
>> not see how this could be a bad setting and am thinking of using it.
>> A person sending out a mail to the server, even if in that badly set up
>> hotel wireless
>> should be using their gmail, yahoo, own server, isp mail servers and
>> should not
>> be directly sending from their iphone....is that correct?
>>
>> or do you ignore the use of this setting still?
>>
>> -thanks for any updates on the use of this setting.
> ----
> if the goal is to minimize spam then this is a really good option as it duplicates methodologies employed by a lot of the large e-mail providers (ie, AOL) which require both the forward and reverse addresses to resolve.
>
> Requiring someone to authenticate to a known SMTP host is reasonable and prudent - and I would agree that the senders should be using a registered SPF (sender permitted from) SMTP host for forwarding their outgoing e-mails.
>
> Craig

Yes, I second this.
No legitimate mail users today expect to send email directly from a mobile device or even a home broadband connection. Any mail server that allows incoming email directly from end users is going to get bombarded with spam. In recent years, most mailserver administrators know that they have to set up proper DNS as well. Disallowing mailservers without proper DNS stops massive amounts of spam, and lately I hardly ever have to add exceptions for this anymore.

I run a mail server for a good number of users and I run with this:

This one is very reliable and will reject a good many broadband/dialup connections

Under smtpd_client_restrictions:
    reject_rbl_client pbl.spamhaus.org
    reject_unknown_client_hostname

unknown_client_reject_code = 550

I just don't get a lot of complaints from users anymore, running with these. This will of course depend heavily on your user base and who they exchange email with.

You might also look at postscreen. I've heard really good things about it, though I haven't had time to set it up yet.

Nataraj
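The test behind reject_unknown_client_hostname, as the Postfix documentation describes it (reject when the address-to-name lookup fails, the name-to-address lookup fails, or the forward answer does not contain the client address), sketched as an added Python example. It is not part of the original messages and not Postfix code; the function names, verdict labels and the sample DNS data are constructed for illustration.

```python
import ipaddress
import socket

def fcrdns_verdict(client_ip, ptr_lookup, addr_lookup):
    """Classify a client the way the three documented conditions do.

    ptr_lookup(ip) -> hostname, addr_lookup(name) -> iterable of addresses;
    both raise LookupError when the mapping does not exist.
    """
    ip = ipaddress.ip_address(client_ip)
    try:
        name = ptr_lookup(client_ip)            # 1) address -> name
    except LookupError:
        return False, "no-ptr"
    try:
        addrs = addr_lookup(name)               # 2) name -> address
    except LookupError:
        return False, "no-forward"
    # 3) the forward answer must include the connecting address
    if ip not in {ipaddress.ip_address(a) for a in addrs}:
        return False, "mismatch"
    return True, name

# Live resolvers for real use. They do not separate temporary DNS errors
# from permanent ones, which Postfix does (temporary errors get a 450).
def live_ptr(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError as exc:
        raise LookupError(str(exc))

def live_addrs(name):
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except OSError as exc:
        raise LookupError(str(exc))

# Constructed sample DNS data (documentation address ranges, not real hosts).
PTR = {"192.0.2.10": "mail.example.org",
       "203.0.113.5": "host.example.net",
       "203.0.113.9": "relay.example.com"}
A = {"mail.example.org": ["192.0.2.10"],
     "relay.example.com": ["192.0.2.99"]}

if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "203.0.113.9"):
        print(ip, fcrdns_verdict(ip, PTR.__getitem__, A.__getitem__))
```

Passing live_ptr and live_addrs instead of the sample tables runs the same check against client addresses taken from the mail log. In main.cf, prefixing the restriction with warn_if_reject makes Postfix log what it would have rejected without rejecting it.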