DevHeads.net

reject_unknown_client_hostname allowing slight mismatch

I have reject_unknown_client_hostname in smtpd_client_restrictions.
Some clients are able to pass this restriction with an accompanying warning
when the hostname does not point to the IP address of the client. The
rDNS does point to the claimed hostname, which seems to be why Postfix
gives it a pass.

warning: hostname host.example.com does not resolve to address
111.222.333.444

$ dig +short -x 111.222.333.444
host.example.com

$ dig +short host.example.com
555.666.777.888

$ dig +short -x 555.666.777.888
host.example.com

The docs say "3) the name->address mapping does not match the client IP
address" so in this case shouldn't it be rejected?

PS - I had temporarily downgraded to use
reject_unknown_reverse_client_hostname instead, but am fairly sure I
removed this change and did a postfix reload before the most recent
incident. Could it just be a timing mishap? I have since done a full
restart to be sure.

Comments

Re: reject_unknown_client_hostname allowing slight mismatch

By Noel Jones at 07/13/2017 - 14:39

On 7/13/2017 2:26 PM, MRob wrote:
Yes.

I believe this feature to work exactly as documented.

If you believe otherwise, you'll need to provide evidence.
http://www.postfix.org/DEBUG_README.html#mail

-- Noel Jones
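
The three conditions quoted from the docs in the question, as an added example that is not part of the thread and is not Postfix's own code. It models the forward-confirmed reverse DNS check over constructed lookup tables (documentation address ranges stand in for the obfuscated addresses in the post; `classify_client`, `PTR` and `ADDR` are hypothetical names) and ignores temporary DNS errors:

```python
import ipaddress

# Constructed DNS data mirroring the thread: the client's PTR names a host
# whose forward record points at a different address.
PTR = {
    "192.0.2.10": "host.example.com",     # connecting client from the post
    "198.51.100.20": "host.example.com",  # address the name actually resolves to
    "192.0.2.30": "Mail.Example.org.",    # consistent host, PTR with trailing dot
    "192.0.2.40": "ghost.example.net",    # PTR exists, name has no address record
}
ADDR = {
    "host.example.com": ["198.51.100.20"],
    "mail.example.org": ["192.0.2.30", "2001:db8::30"],
}

def classify_client(client_ip, ptr=PTR, addr=ADDR):
    """Return (verdict, reason) for the three documented reject conditions."""
    ip = ipaddress.ip_address(client_ip)

    # 1) the client IP address->name mapping fails
    name = ptr.get(str(ip))
    if name is None:
        return ("reject", "1) address->name mapping fails")

    # 2) the name->address mapping fails
    name = name.rstrip(".").lower()
    forward = addr.get(name, [])
    if not forward:
        return ("reject", "2) name->address mapping fails")

    # 3) the name->address mapping does not match the client IP address.
    # Compare parsed addresses, not strings, so IPv6 spellings compare equal.
    if ip not in {ipaddress.ip_address(a) for a in forward}:
        return ("reject", "3) name->address mapping does not match client IP")

    return ("accept", name)

if __name__ == "__main__":
    for client in ("192.0.2.10", "198.51.100.20", "192.0.2.30",
                   "192.0.2.40", "203.0.113.5"):
        print(client, *classify_client(client))
```

The client from the post (192.0.2.10 here) lands on condition 3 even though the reverse record of the other address also names the same host; only the address that the name resolves to passes.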