reject_unknown_client_hostname allowing slight mismatch

reject_unknown_client_hostname allowing slight mismatch

mrobti
I have reject_unknown_client_hostname in smtpd_client_restrictions.  
Some clients are able to pass this restriction with accompanying warning
when the hostname does not point to the IP address of the client.  The
rDNS does point to the claimed hostname, which seems to be why Postfix
gives it a pass.

warning: hostname host.example.com does not resolve to address
111.222.333.444

$ dig +short -x 111.222.333.444
host.example.com

$ dig +short host.example.com
555.666.777.888

$ dig +short -x 555.666.777.888
host.example.com

The docs say "3) the name->address mapping does not match the client IP
address" so in this case shouldn't it be rejected?


PS - I had temporarily downgraded to use
reject_unknown_reverse_client_hostname instead, but am fairly sure I
removed this change and did a postfix reload before the most recent
incident.  Could it just be a timing mishap?  I have since done a full
restart to be sure.

Re: reject_unknown_client_hostname allowing slight mismatch

Noel Jones-2
On 7/13/2017 2:26 PM, MRob wrote:

> I have reject_unknown_client_hostname in smtpd_client_restrictions.
> Some clients are able to pass this restriction with accompanying
> warning when the hostname does not point to the IP address of the
> client.  The rDNS does point to the claimed hostname, which seems to
> be why Postfix gives it a pass.
>
> warning: hostname host.example.com does not resolve to address
> 111.222.333.444
>
> $ dig +short -x 111.222.333.444
> host.example.com
>
> $ dig +short host.example.com
> 555.666.777.888
>
> $ dig +short -x 555.666.777.888
> host.example.com
>
> The docs say "3) the name->address mapping does not match the client
> IP address" so in this case shouldn't it be rejected?
>

Yes.

>
> PS - I had temporarily downgraded to use
> reject_unknown_reverse_client_hostname instead, but am fairly sure I
> removed this change and did a postfix reload before the most recent
> incident.  Could it just be a timing mishap?  I have since done a
> full restart to be sure.

I believe this feature to work exactly as documented.

If you believe otherwise, you'll need to provide evidence.
http://www.postfix.org/DEBUG_README.html#mail



  -- Noel Jones
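
The forward-confirmed reverse DNS check discussed in this thread, as an added example that is not part of either post and is not Postfix's own code. It classifies a client against the three conditions the Postfix documentation lists for reject_unknown_client_hostname. The function names are hypothetical, and the addresses (RFC 5737 documentation ranges) and DNS records are constructed so the demo runs offline.

```python
import ipaddress
import socket

def system_ptr(ip):
    """address->name lookup via the system resolver; None when no name exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # covers socket.herror and socket.gaierror
        return None

def system_forward(name):
    """name->address lookup via the system resolver; empty list on failure."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(name, None)]
    except OSError:
        return []

def classify_client(ip, ptr=system_ptr, forward=system_forward):
    """Return (verdict, detail) for a connecting client IP address."""
    client = ipaddress.ip_address(ip)
    name = ptr(ip)
    if not name:
        return "reject", "1) address->name mapping fails"
    addrs = forward(name)
    if not addrs:
        return "reject", "2) name->address mapping fails"
    # A PTR record alone proves nothing: the forward lookup must lead back
    # to the connecting address, not merely to some address with the same PTR.
    if client not in {ipaddress.ip_address(a) for a in addrs}:
        return "reject", "3) name->address mapping does not match the client IP address"
    return "pass", name

# Constructed records mirroring the thread: two addresses carry the same PTR
# name, but the name's forward record points at only one of them.
PTR = {"192.0.2.10": "host.example.com",
       "198.51.100.20": "host.example.com",
       "198.51.100.30": "gone.example.com"}
A = {"host.example.com": ["198.51.100.20"]}

def demo():
    """Classify four constructed clients using the in-memory records above."""
    clients = ("192.0.2.10", "198.51.100.20", "198.51.100.30", "203.0.113.5")
    return {ip: classify_client(ip, PTR.get, lambda n: A.get(n, []))
            for ip in clients}

if __name__ == "__main__":
    for ip, result in demo().items():
        print(ip, *result)
```

Calling classify_client with only an IP address uses the system resolver, which gives a quick cross-check of a logged "does not resolve to address" warning against live DNS.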