Re: forward DNS lookups in $mynetworks or check_client_access
On Monday 04 October 2004 03:06, Magnus Bäck wrote:
> I hope you're not setting up a dynamic DNS service for relaying
> purposes only.

I set up DDNS quite some time ago, for DDNS purposes. :)

> > But my experimentation (hash lookup and direct file inclusion)
> > indicates that only the IP and the reverse DNS name is checked
> > against $mynetworks.
> >
> > Is the same true of check_client_access?
>
> No. Read access(5).

What, then, am I missing? I have read access(5) and I just tried adding
"check_client_access hash:/etc/postfix/relay_hosts" right after the
"permit_mynetworks" in smtpd_recipient_restrictions. That file contains
this line:

    ark.1984.lan OK

and in my internal DNS that resolves:

    $ host ark
    ark.1984.lan has address x.x.224.226

(a real IP, not in $mynetworks.) After "postfix reload" I went to that
machine and telnet'ed:

    ...
    mail from: <rob0@xxxxxxxxxxxxxxxxxxx>
    250 Ok
    rcpt to: rob@xxxxxxxxx
    554 <rob@xxxxxxxxx>: Relay access denied
    ...

Logged:

    Oct 4 07:19:36 please postfix/smtpd[19056]: NOQUEUE: reject: RCPT from
    x-x-224-226.rdns[x.x.224.226]: 554 <rob@xxxxxxxxx>: Relay access
    denied; from=<rob@xxxxxxxxxxxxxxxxxxx> to=<rob@xxxxxxxxx>
    proto=SMTP helo=<ark>

ISTM that only the ISP's reverse DNS was checked against the access
table. Adding THAT string to my access table, "postmap relay_hosts",
and trying again, it worked.

access(5):

    ...
    DESCRIPTION
        The optional access table directs the Postfix SMTP server
        to selectively reject or accept mail. Access can be
        allowed or denied for specific host names, domain names,
        networks, host network addresses or mail addresses.
    ...
    HOST NAME/ADDRESS PATTERNS
        With lookups from indexed files such as DB or DBM, or from
        networked tables such as NIS, LDAP or SQL, the following
        lookup patterns are examined in the order as listed:

        domain.tld
            Matches domain.tld.
    ...

This does not say how the DNS resolution is done. My testing indicates
that it's done in the same way as in $mynetworks, only acting on the
hostname returned from the reverse DNS lookup.

Can postfix natively look up a record in forward DNS and apply access
rules to the resulting IP address? If so I don't see how.

--
mail to this address is discarded unless "/dev/rob0"
or "not-spam" is in Subject: header
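
Added example, not part of the original message and not Postfix's own code: a simplified Python model (IPv4 only) of the host name/address keys that access(5) documents for a check_client_access lookup, showing why a table entry for a forward-DNS name is never consulted. The function names, the PTR name host-226.isp.example and the address 192.0.2.226 are constructed stand-ins for the redacted values in the post.

```python
# Simplified model of check_client_access key generation (added example).
# Sample names and addresses below are constructed, not taken from the post.

def client_lookup_keys(client_name, client_addr, parent_matches_subdomains=True):
    """Return the keys tried, in order, for one SMTP client.

    client_name is the name smtpd derived from the PTR record of the
    connecting address ("unknown" when that lookup fails). Names that merely
    forward-resolve to client_addr never enter this list.
    """
    keys = []
    if client_name and client_name != "unknown":
        name = client_name.lower().rstrip(".")
        keys.append(name)
        labels = name.split(".")
        for i in range(1, len(labels)):
            parent = ".".join(labels[i:])
            # access(5): "domain.tld" covers subdomains only when
            # parent_domain_matches_subdomains lists smtpd_access_maps;
            # otherwise the table needs the ".domain.tld" form.
            keys.append(parent if parent_matches_subdomains else "." + parent)
    octets = client_addr.split(".")
    for n in range(4, 0, -1):  # full address, then strip trailing octets
        keys.append(".".join(octets[:n]))
    return keys


def check_client_access(table, client_name, client_addr, **kw):
    """Return (key, action) for the first matching key, or None."""
    for key in client_lookup_keys(client_name, client_addr, **kw):
        if key in table:
            return key, table[key]
    return None


# Constructed stand-ins for the situation in the post: the table holds the
# dynamic-DNS name, but the ISP's PTR record names the client differently.
PTR_NAME = "host-226.isp.example"
CLIENT_IP = "192.0.2.226"
relay_hosts = {"ark.1984.lan": "OK"}

if __name__ == "__main__":
    print(client_lookup_keys(PTR_NAME, CLIENT_IP))
    print(check_client_access(relay_hosts, PTR_NAME, CLIENT_IP))
    relay_hosts[PTR_NAME] = "OK"  # what the poster did: add the PTR name
    print(check_client_access(relay_hosts, PTR_NAME, CLIENT_IP))
```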