Is reject_unknown_{reverse_}client_hostname safe?

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Is reject_unknown_{reverse_}client_hostname safe?

Daniele Nicolodi
Hello,

I have been using

smtpd_relay_restrictions =
  ...
  reject_unknown_reverse_client_hostname
  warn_if_reject reject_unknown_client_hostname
  ...

for a long while in my configuration, where the warn_if_reject is there
because I thought that the more strict check could have blocked some
legitimate email.  This has only blocked unsolicited email so far, but
the other day I placed an order online and the confirmation email was
blocked by the first of those rules.

I solved adding an

  check_sender_access hash:/etc/postfix/sender-access

and a specific rule for the specific MAIL FROM domain, and the mail came
through at the next retry (sending server is well behaved).  Grepping
through the logs I found a few instances of seemingly legitimate mail
delivery attempts with (source and destination addresses are related to
services I use) but the sending server never retried after receiving the
first 450 answer (email delivery service identifies itself with
helo=<engage-mailer.com>). I probably don't want their emails.

The question is: am I rejecting legitimate email with those settings?  I
thought that having correct reverse DNS settings is the only way to
deliver mail to the usual suspects big email providers, and thus that
all legitimate senders would adhere to the policy.  Am I wrong in this
assumption?

Thanks for sharing your wisdom.

Cheers,
Daniele
Reply | Threaded
Open this post in threaded view
|

Re: Is reject_unknown_{reverse_}client_hostname safe?

Wietse Venema
Daniele Nicolodi:
> Hello,
>
> I have been using
>
> smtpd_relay_restrictions =
>   ...
>   reject_unknown_reverse_client_hostname

All features like this can block legitimate email.  There is no
guarantee that someone won't break a good configuration, especially
when MAIL, DNS, and FIREWALL are managed by different people. Yes,
they might discover their mistake, but it is unlikely that they
will resend bounced mail.

I have "warn_if_reject reject_unknown_reverse_client_hostname" to
test the waters, and I don't feel an urge to make that a hard reject.
Generally I prefer to 'hold' suspect mail if there is a possibility
of collateral damage. But that works only on a small scale.

        Wietse
Mal
Reply | Threaded
Open this post in threaded view
|

Re: Is reject_unknown_{reverse_}client_hostname safe?

Mal

Very handy postfix feature..

Mal



On 8/04/2018 6:33 AM, Wietse Venema wrote:
>
> I have "warn_if_reject reject_unknown_reverse_client_hostname" to
> test the waters, and I don't feel an urge to make that a hard reject.