Protocol checks
Hostname in greeting violates RFC (reject_invalid_hostname)
Client must greet with a fully qualified hostname (reject_non_fqdn_hostname)
Sender address must be fully qualified (reject_non_fqdn_sender)
DNS checks
Client's IP address (reject_unknown_client)
Hostname in greeting (reject_unknown_hostname)
Sender's domain (reject_unknown_sender_domain)
I've tried enabling them all and got complaints from employees not able to receive emails from sites where companies/ISPs had badly misconfigured servers. I have some RBLs configured and that's keeping most SPAM at bay but being able to reject more of it before the expense of all those DNS queries would still make me feel better. What is anyone else's experience with these? Which of these checks do you feel safe enabling and have a good track record of them not blocking legit connections?
I watched logs just now for a few minutes and the quantity of connections from IPs without proper reverse DNS is amazing.
Jul 22 11:08:04 freemail postfix/smtpd[26071]: connect from unknown[88.233.37.167]
Jul 22 11:08:14 freemail postfix/smtpd[21906]: connect from unknown[121.182.227.88]
Jul 22 11:08:35 freemail postfix/smtpd[25985]: connect from unknown[66.48.81.131]
Jul 22 11:08:53 freemail postfix/smtpd[25985]: connect from unknown[94.23.106.58]
Jul 22 11:09:02 freemail postfix/smtpd[26071]: connect from unknown[69.167.1.119]
Jul 22 11:09:02 freemail postfix/smtpd[21906]: connect from unknown[209.249.71.139]
Jul 22 11:09:05 freemail postfix/smtpd[25985]: connect from unknown[95.158.236.112]
I am assuming reject_unknown_client is what would block just those? Is there a good explanation somewhere of what each of those rules does?
Thanks...
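One way to size the impact of reject_unknown_client before enabling it, as an added example that is not part of the original post: tally the clients smtpd logs as `unknown[ip]` and flag those whose mail was still accepted, since those are the senders the check would start turning away. It assumes Postfix logs a client as `unknown` when its reverse lookup fails or does not forward-confirm, and that an accepted message logs `QUEUEID: client=...`; the sample log is constructed, using documentation IP ranges and hypothetical host names.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix smtpd syslog format (not taken from the post);
# addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jul 22 11:08:04 mx postfix/smtpd[26071]: connect from unknown[192.0.2.10]
Jul 22 11:08:05 mx postfix/smtpd[26071]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 554 5.7.1 Service unavailable; Client host [192.0.2.10] blocked using rbl.example; from=<a@spam.example> to=<u@corp.example> proto=SMTP helo=<x>
Jul 22 11:08:14 mx postfix/smtpd[21906]: connect from mail.partner.example[198.51.100.7]
Jul 22 11:08:15 mx postfix/smtpd[21906]: 3F2A91C0E5: client=mail.partner.example[198.51.100.7]
Jul 22 11:08:35 mx postfix/smtpd[25985]: connect from unknown[203.0.113.25]
Jul 22 11:08:36 mx postfix/smtpd[25985]: 7B1C44D012: client=unknown[203.0.113.25]
Jul 22 11:08:53 mx postfix/smtpd[25985]: connect from unknown[192.0.2.10]
"""

# One smtpd event per line: a connect, a pre-queue reject, or an accepted message.
EVENT = re.compile(
    r"postfix/smtpd\[\d+\]: (?:(?P<conn>connect from )"
    r"|(?P<rej>NOQUEUE: reject: \w+ from )|(?P<acc>[0-9A-Za-z]+: client=))"
    r"(?P<name>[^\[\s]+)\[(?P<ip>[^\]]+)\]")

def summarize(log_text):
    """Return (total connects, per-IP counters for clients logged as 'unknown')."""
    stats = defaultdict(lambda: {"connects": 0, "rejected": 0, "accepted": 0})
    total_connects = 0
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        if m.group("conn"):
            total_connects += 1
        if m.group("name") != "unknown":
            continue  # client has verified reverse DNS; the check would not fire
        key = "connects" if m.group("conn") else "rejected" if m.group("rej") else "accepted"
        stats[m.group("ip")][key] += 1
    return total_connects, dict(stats)

def at_risk(stats):
    """IPs without verified reverse DNS whose mail was nevertheless accepted."""
    return sorted(ip for ip, s in stats.items() if s["accepted"])

if __name__ == "__main__":
    total, stats = summarize(SAMPLE_LOG)
    unknown = sum(s["connects"] for s in stats.values())
    print(f"{unknown}/{total} connects came from 'unknown' clients")
    print("accepted mail from unknown clients:", at_risk(stats))
```

The IPs returned by `at_risk` are the ones to look up by hand before turning the restriction on.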



