
Reverse DNS Rejection Problem

  • Dennis Putnam
    Message 1 of 30 , Oct 27, 2009
      I have my Postfix configured to require proper DNS resolution in both
      directions. However, I have a situation that is giving me problems
      perhaps due to multiple PTR records for the IP address. I am getting
      the error:

      450 Client host rejected: cannot find your hostname

      When I 'dig' the hostname the IP address matches that of the server
      making contact with my Postfix. When I 'dig -x' that same IP address,
      among the many PTR records, the hostname used in the 'HELO' matches.
      The from doesn't match but that is not what it is comparing, right?

      Can someone tell me what might be going on here? I am running version
      2.1.5 so perhaps that is part of the problem.

      Thanks.

      Dennis Putnam
      Sr. IT Systems Administrator
      AIM Systems, Inc.
      11675 Rainwater Dr., Suite 200
      Alpharetta, GA 30009
      Phone: 678-240-4112
      Main Phone: 678-297-0700
      FAX: 678-297-2666 or 770-576-1000
      The information contained in this e-mail and any attachments is
      strictly confidential. If you are not the intended recipient, any use,
      dissemination, distribution, or duplication of any part of this e-mail
      or any attachment is prohibited. If you are not the intended
      recipient, please notify the sender by return e-mail and delete all
      copies, including the attachments.
    • Wietse Venema
      Message 2 of 30 , Oct 27, 2009
        Dennis Putnam:
        > I have my Postfix configured to require proper DNS resolution in both
        > directions. However, I have a situation that is giving me problems
        > perhaps due to multiple PTR records for the IP address. I am getting
        > the error:
        >
        > 450 Client host rejected: cannot find your hostname
        >
        > When I 'dig' the hostname the IP address matches that of the server
        > making contact with my Postfix. When I 'dig -x' that same IP address,
        > among the many PTR records, the hostname used in the 'HELO' matches.
        > The from doesn't match but that is not what it is comparing, right?
        >
        > Can someone tell me what might be going on here? I am running version
        > 2.1.5 so perhaps that is part of the problem.

        Postfix takes the first hostname that is returned by the getnameinfo()
        system library function. If that first name does not resolve to
        the client IP address, then Postfix will not try the second
        etc, name.

        Wietse
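
Added example (not from the thread and not Postfix source code): a Python model of the check described in the message above, run against constructed DNS data, showing why a client with several PTR records passes or fails depending on which name is returned first. The zone data, host names and function names are assumptions made for illustration.

```python
"""Model of a forward-confirmed reverse DNS check (added example, not Postfix code)."""
import ipaddress

# Constructed sample data: documentation addresses and invented host names.
PTR_RECORDS = {
    "192.0.2.25": ["stale.example.net", "mail.example.com", "www.example.org"],
}
A_RECORDS = {
    "mail.example.com": ["192.0.2.25"],   # the only name that maps back
    "www.example.org": ["198.51.100.7"],  # points at a different host
    # stale.example.net has no address record at all
}
REJECT = "450 Client host rejected: cannot find your hostname"  # text quoted in the thread


def forward_confirms(name, client_ip, a_records=A_RECORDS):
    """True if one of the name's address records equals the client IP."""
    client = ipaddress.ip_address(client_ip)
    key = name.rstrip(".").lower()
    return any(ipaddress.ip_address(a) == client for a in a_records.get(key, []))


def check_first_ptr(client_ip, ptr_names, a_records=A_RECORDS):
    """Behaviour described in the thread: only the first returned name is tested."""
    if not ptr_names:
        return ("unknown", REJECT)
    first = ptr_names[0]
    if forward_confirms(first, client_ip, a_records):
        return (first, "verified")
    return ("unknown", REJECT)


def check_any_ptr(client_ip, ptr_names, a_records=A_RECORDS):
    """Hypothetical alternative for comparison: accept if any PTR name maps back."""
    for name in ptr_names:
        if forward_confirms(name, client_ip, a_records):
            return (name, "verified")
    return ("unknown", REJECT)


def first_ptr_outcomes(client_ip, ptr_names, a_records=A_RECORDS):
    """Result of the first-name check for every rotation of the PTR set.

    DNS does not guarantee the order of records in an answer, so each
    rotation is an order the receiving server may actually see.
    """
    outcomes = {}
    for i in range(len(ptr_names)):
        rotated = ptr_names[i:] + ptr_names[:i]
        name, _ = check_first_ptr(client_ip, rotated, a_records)
        outcomes[rotated[0]] = name != "unknown"
    return outcomes


if __name__ == "__main__":
    ip = "192.0.2.25"
    names = PTR_RECORDS[ip]
    print("first PTR only:", check_first_ptr(ip, names))
    print("any PTR       :", check_any_ptr(ip, names))
    for first, ok in first_ptr_outcomes(ip, names).items():
        print(f"answer starting with {first:<20} -> {'pass' if ok else 'reject'}")
```

The durable fix is on the sender's side: every PTR name published for the address needs an address record that maps back to it.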
      • Charles Marcus
        Message 3 of 30 , Oct 27, 2009
          On 10/27/2009, Dennis Putnam (dennis.putnam@...) wrote:
          > I have my Postfix configured to require proper DNS resolution in both
          > directions. However, I have a situation that is giving me problems
          > perhaps due to multiple PTR records for the IP address. I am getting the
          > error:
          >
          > 450 Client host rejected: cannot find your hostname

          Per the welcome message you received when you joined the list:

          TO REPORT A PROBLEM see:
          http://www.postfix.org/DEBUG_README.html#mail

          At a minimum, postfix version and output of postconf -n should be
          provided...

          > Can someone tell me what might be going on here? I am running
          > version 2.1.5 so perhaps that is part of the problem.

          It's a problem, for sure, but maybe not the cause of *this* problem.

          Upgrading is most definitely in order, regardless...

          > 11675 Rainwater Dr., Suite 200
          > Alpharetta, GA 30009

          Howdy neighbor... I'm in Alpharetta too (Old Milton & 400)... :)

          --

          Best regards,

          Charles
        • Dennis Putnam
          Message 4 of 30 , Oct 27, 2009
            Thanks for the reply. That sucks. Is there a way around this, short of
            turning that off or whitelisting?

            On Oct 27, 2009, at 11:34 AM, Wietse Venema wrote:

            > Dennis Putnam:
            >> I have my Postfix configured to require proper DNS resolution in both
            >> directions. However, I have a situation that is giving me problems
            >> perhaps due to multiple PTR records for the IP address. I am getting
            >> the error:
            >>
            >> 450 Client host rejected: cannot find your hostname
            >>
            >> When I 'dig' the hostname the IP address matches that of the server
            >> making contact with my Postfix. When I 'dig -x' that same IP address,
            >> among the many PTR records, the hostname used in the 'HELO' matches.
            >> The from doesn't match but that is not what it is comparing, right?
            >>
            >> Can someone tell me what might be going on here? I am running
            >> version
            >> 2.1.5 so perhaps that is part of the problem.
            >
            > Postfix takes the first hostname that is returned by the getnameinfo()
            > system library function. If that first name does not resolve to
            > the client IP address, then Postfix will not try the second
            > etc, name.
            >
            > Wietse
            >



            Dennis Putnam
          • Victor Duchovni
            Message 5 of 30 , Oct 27, 2009
              On Tue, Oct 27, 2009 at 01:14:05PM -0400, Dennis Putnam wrote:

              > Thanks for the reply. That sucks. Is there a way around this, short of
              > turning that off or whitelisting?

              Don't use "reject_unknown_client" unconditionally. Use it selectively
              in a

              check_client_access cidr:/etc/postfix/client_access.cidr

              rule that subjects "high-value" CIDR blocks (lots of junk with no
              reverse mappings in a block, with some legit clients "mixed-in"
              whose PTRs are valid), for example:

              192.0.2.0/24 reject_unknown_client

              --
              Viktor.

              Disclaimer: off-list followups get on-list replies or get ignored.
              Please do not ignore the "Reply-To" header.

              To unsubscribe from the postfix-users list, visit
              http://www.postfix.org/lists.html or click the link below:
              <mailto:majordomo@...?body=unsubscribe%20postfix-users>

              If my response solves your problem, the best way to thank me is to not
              send an "it worked, thanks" follow-up. If you must respond, please put
              "It worked, thanks" in the "Subject" so I can delete these quickly.
            • Dennis Putnam
              Message 6 of 30 , Oct 27, 2009
                That is not much different than whitelisting, right? I still have to
                maintain a list of permitted networks, do I not?

                On Oct 27, 2009, at 1:24 PM, Victor Duchovni wrote:

                > On Tue, Oct 27, 2009 at 01:14:05PM -0400, Dennis Putnam wrote:
                >
                >> Thanks for the reply. That sucks. Is there a way around this, short of
                >> turning that off or whitelisting?
                >
                > Don't use "reject_unknown_client" unconditionally. Use it selectively
                > in a
                >
                > check_client_access cidr:/etc/postfix/client_access.cidr
                >
                > rule that subjects "high-value" CIDR blocks (lots of junk with no
                > reverse mappings in a block, with some legit clients "mixed-in"
                > whose PTRs are valid), for example:
                >
                > 192.0.2.0/24 reject_unknown_client
                >
                > --
                > Viktor.
                >
                >



                Dennis Putnam
              • Phillip Smith
                Message 7 of 30 , Oct 27, 2009
                  2009/10/28 Dennis Putnam <dennis.putnam@...>:
                  > Thanks for the reply. That sucks. Is there a way around this, short of turning that off or whitelisting?

                  Tell the admin of the remote domain to fix their PTR records and/or MX helo configuration because in the meantime, you're going to have to implement a dirty hack to make their server work.
                • Dennis Putnam
                  Message 8 of 30 , Oct 28, 2009
                    It is beginning to appear this is my only alternative. However,
                    maintaining a whitelist will require some special approvals by our
                    security auditors. In any case, assuming I can get approval, is the
                    syntax for this the same as the other hash files (ie. IP address
                    followed by REJECT, OK, etc.)? Also, how do I set the default to be
                    reject? My best hope for approval is to only need to add exceptions.
                    Thanks.

                    On Oct 27, 2009, at 1:24 PM, Victor Duchovni wrote:

                    > On Tue, Oct 27, 2009 at 01:14:05PM -0400, Dennis Putnam wrote:
                    >
                    >> Thanks for the reply. That sucks. Is there a way around this, short of
                    >> turning that off or whitelisting?
                    >
                    > Don't use "reject_unknown_client" unconditionally. Use it selectively
                    > in a
                    >
                    > check_client_access cidr:/etc/postfix/client_access.cidr
                    >
                    > rule that subjects "high-value" CIDR blocks (lots of junk with no
                    > reverse mappings in a block, with some legit clients "mixed-in"
                    > whose PTRs are valid), for example:
                    >
                    > 192.0.2.0/24 reject_unknown_client
                    >
                    > --
                    > Viktor.
                    >
                    >



                    Dennis Putnam
                  • Wietse Venema
                    Message 9 of 30 , Oct 28, 2009
                      Dennis Putnam:
                      > It is beginning to appear this is my only alternative. However,
                      > maintaining a whitelist will require some special approvals by our
                      > security auditors. In any case, assuming I can get approval, is the
                      > syntax for this the same as the other hash files (ie. IP address
                      > followed by REJECT, OK, etc.)? Also, how do I set the default to be
                      > reject? My best hope for approval is to only need to add exceptions.

                      I suggest using a CIDR table. These tables are read sequentially,
                      and the first matching pattern wins. The following makes exceptions
                      for two networks and applies reject_unknown_client for everyone else.

                      /etc/postfix/main.cf:
                      smtpd_???_restrictions =
                      ...
                      check_client_access pcre:/etc/postfix/client_access.pcre
                      ...

                      /etc/postfix/client_access.pcre:
                      1.2.3.0/24 dunno
                      5.6.7.0/24 dunno
                      0.0.0.0/0 reject_unknown_client

                      The syntax of the left-hand side is in the cidr_table(5) manpage
                      (man 5 cidr_table). The syntax of the right-hand side is in the
                      access(5) manpage (man 5 access).

                      The real problem is that the DNS gives out (some or all) bad PTR
                      records for this client IP address.

                      Wietse
                    • Dennis Putnam
                      Message 10 of 30 , Oct 28, 2009
                        Thanks for the reply. It appears this is not supported with my version
                        of Postfix (2.1.5). When I try this syntax:

                        smtpd_helo_restrictions =
                        check_client_access pcre:/etc/postfix/heloaccept.pcre

                        I get this error:

                        fatal: unsupported dictionary type: pcre

                        On Oct 28, 2009, at 8:16 AM, Wietse Venema wrote:

                        > Dennis Putnam:
                        >> It is beginning to appear this is my only alternative. However,
                        >> maintaining a whitelist will require some special approvals by our
                        >> security auditors. In any case, assuming I can get approval, is the
                        >> syntax for this the same as the other hash files (ie. IP address
                        >> followed by REJECT, OK, etc.)? Also, how do I set the default to be
                        >> reject? My best hope for approval is to only need to add exceptions.
                        >
                        > I suggest using a CIDR table. These tables are read sequentially,
                        > and the first matching pattern wins. The following makes exceptions
                        > for two networks and applies reject_unknown_client for everyone else.
                        >
                        > /etc/postfix/main.cf:
                        > smtpd_???_restrictions =
                        > ...
                        > check_client_access pcre:/etc/postfix/client_access.pcre
                        > ...
                        >
                        > /etc/postfix/client_access.pcre:
                        > 1.2.3.0/24 dunno
                        > 5.6.7.0/24 dunno
                        > 0.0.0.0/0 reject_unknown_client
                        >
                        > The syntax of the left-hand side is in the cidr_table(5) manpage
                        > (man 5 cidr_table). The syntax of the right-hand side is in the
                        > access(5) manpage (man 5 access).
                        >
                        > The real problem is that the DNS gives out (some or all) bad PTR
                        > records for this client IP address.
                        >
                        > Wietse
                        >



                        Dennis Putnam
                      • Mikael Bak
                        Message 11 of 30 , Oct 28, 2009
                          Dennis Putnam wrote:
                          > Thanks for the reply. It appears this is not supported with my version
                          > of Postfix (2.1.5). When I try this syntax:
                          >
                          > smtpd_helo_restrictions =
                          > check_client_access pcre:/etc/postfix/heloaccept.pcre
                          >
                          > I get this error:
                          >
                          > fatal: unsupported dictionary type: pcre
                          >

                          On a Debian type system this is packaged separately:

                          # apt-cache search postfix
                          [snip]
                          postfix - High-performance mail transport agent
                          postfix-cdb - CDB map support for Postfix
                          postfix-dev - Loadable modules development environment for Postfix
                          postfix-doc - Documentation for Postfix
                          postfix-gld - greylisting daemon for postfix, written in C, uses MySQL
                          postfix-ldap - LDAP map support for Postfix
                          postfix-mysql - MySQL map support for Postfix
                          postfix-pcre - PCRE map support for Postfix
                          postfix-pgsql - PostgreSQL map support for Postfix
                          [snip]

                          I guess you should install the missing package on your system.

                          HTH,
                          Mikael
                        • Wietse Venema
                          Message 12 of 30 , Oct 28, 2009
                            Dennis Putnam:
                            > Thanks for the reply. It appears this is not supported with my version
                            > of Postfix (2.1.5). When I try this syntax:
                            >
                            > smtpd_helo_restrictions =
                            > check_client_access pcre:/etc/postfix/heloaccept.pcre

                            Sorry. "pcre" should be "cidr" everywhere in my reply. Some neurons
                            got crossed.

                            Wietse

                            > I get this error:
                            >
                            > fatal: unsupported dictionary type: pcre
                            >
                            > On Oct 28, 2009, at 8:16 AM, Wietse Venema wrote:
                            >
                            > > Dennis Putnam:
                            > >> It is beginning to appear this is my only alternative. However,
                            > >> maintaining a whitelist will require some special approvals by our
                            > >> security auditors. In any case, assuming I can get approval, is the
                            > >> syntax for this the same as the other hash files (ie. IP address
                            > >> followed by REJECT, OK, etc.)? Also, how do I set the default to be
                            > >> reject? My best hope for approval is to only need to add exceptions.
                            > >
                            > > I suggest using a CIDR table. These tables are read sequentially,
                            > > and the first matching pattern wins. The following makes exceptions
                            > > for two networks and applies reject_unknown_client for everyone else.
                            > >
                            > > /etc/postfix/main.cf:
                            > > smtpd_???_restrictions =
                            > > ...
                            > > check_client_access pcre:/etc/postfix/client_access.pcre
                            > > ...
                            > >
                            > > /etc/postfix/client_access.pcre:
                            > > 1.2.3.0/24 dunno
                            > > 5.6.7.0/24 dunno
                            > > 0.0.0.0/0 reject_unknown_client
                            > >
                            > > The syntax of the left-hand side is in the cidr_table(5) manpage
                            > > (man 5 cidr_table). The syntax of the right-hand side is in the
                            > > access(5) manpage (man 5 access).
                            > >
                            > > The real problem is that the DNS gives out (some or all) bad PTR
                            > > records for this client IP address.
                            > >
                            > > Wietse
                            > >
                            >
                            >
                            >
                            >
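
Added example (not from the thread and not Postfix code): a Python model of the first-match lookup described for the client access table, using the three rules from the earlier message and the `cidr:` type per the correction above. The parser is simplified to one rule per line, the function names are hypothetical, and `decide()` only models the three outcomes discussed in this thread.

```python
"""First-match evaluation of a CIDR access table (added example, not Postfix code)."""
import ipaddress

# Constructed copy of the table from the thread, to be referenced as
# check_client_access cidr:/etc/postfix/client_access.cidr
CLIENT_ACCESS_CIDR = """\
# exceptions first, catch-all last
1.2.3.0/24   dunno
5.6.7.0/24   dunno
0.0.0.0/0    reject_unknown_client
"""
REJECT = "450 Client host rejected: cannot find your hostname"  # text quoted in the thread


def parse_cidr_table(text):
    """Return [(network, action)] in file order; comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'network action'")
        # strict=True (a choice of this example) refuses host bits in the pattern.
        rules.append((ipaddress.ip_network(parts[0], strict=True), parts[1].strip()))
    return rules


def lookup(rules, client_ip):
    """Sequential search: the first matching pattern wins."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if addr.version == net.version and addr in net:
            return action
    return None  # no match, e.g. an IPv6 client against an IPv4-only table


def decide(rules, client_ip, client_name_verified):
    """Outcome of this one restriction for a client."""
    action = lookup(rules, client_ip)
    if action is None or action.lower() == "dunno":
        return "continue"  # fall through to the next restriction in main.cf
    if action == "reject_unknown_client":
        return "continue" if client_name_verified else REJECT
    return action


def shadowed_rules(rules):
    """Networks that can never match because an earlier, wider network covers them."""
    dead = []
    for i, (net, _) in enumerate(rules):
        for earlier, _ in rules[:i]:
            if earlier.version == net.version and net.subnet_of(earlier):
                dead.append(net)
                break
    return dead


if __name__ == "__main__":
    rules = parse_cidr_table(CLIENT_ACCESS_CIDR)
    for ip, verified in [("1.2.3.77", False), ("203.0.113.9", False), ("203.0.113.9", True)]:
        print(ip, "verified" if verified else "unverified", "->", decide(rules, ip, verified))
    print("shadowed:", shadowed_rules(rules))
```

Running `shadowed_rules()` over the table after each edit catches an exception that was added below the `0.0.0.0/0` catch-all, where it would never be consulted.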
                          • Stan Hoeppner
                            Message 13 of 30 , Oct 28, 2009
                              Dennis Putnam put forth on 10/28/2009 8:57 AM:
                              > Thanks for the reply. It appears this is not supported with my version
                              > of Postfix (2.1.5). When I try this syntax:

                              You do realize that 2.1.5 is dated around mid 2004, yes? Over 5 years
                              old. Any Postfix installation older than 2.3.x is no longer supported.
                              (Apparently Wietse was kind in this instance and gave you a pass) If
                              at all possible, you really should upgrade to at least the 2.3.x series.
                              I'm surprised no one else mentioned this up to this point.

                              http://postfix.energybeam.com/source/index.html

                              --
                              Stan
                            • Dennis Putnam
                              Message 14 of 30 , Oct 28, 2009
                                Yes. However, that is the version Apple provides with OS X 10.4. OS X
                                10.6, which has the latest version of Postfix, will not run on PPC
                                servers so we are in the process of acquiring Intel servers (dictated
                                by budget issues beyond my control). Unfortunately, I have to deal
                                with this immediate problem until then.

                                It has been mentioned but as I said, that is out of my hands while
                                this problem is not.

                                Thanks.

                                On Oct 28, 2009, at 11:27 AM, Stan Hoeppner wrote:

                                > Dennis Putnam put forth on 10/28/2009 8:57 AM:
                                >> Thanks for the reply. It appears this is not supported with my
                                >> version
                                >> of Postfix (2.1.5). When I try this syntax:
                                >
                                > You do realize that 2.1.5 is dated around mid 2004, yes? Over 5 years
                                > old. Any Postfix installation older than 2.3.x is no longer
                                > supported.
                                > (Apparently Wietse was kind in this instance and gave you a pass) If
                                > at all possible, you really should upgrade to at least the 2.3.x
                                > series.
                                > I'm surprised no one else mentioned this up to this point.
                                >
                                > http://postfix.energybeam.com/source/index.html
                                >
                                > --
                                > Stan
                                >
                                >
                                >



                                Dennis Putnam
                              • Eero Volotinen
                                Message 15 of 30 , Oct 28, 2009
                                  Dennis Putnam wrote:
                                  > Yes. However, that is the version Apple provides with OS X 10.4. OS X
                                  > 10.6, which has the latest version of Postfix, will not run on PPC
                                  > servers so we are in the process of acquiring Intel servers (dictated by
                                  > budget issues beyond my control). Unfortunately, I have to deal with
                                  > this immediate problem until then.
                                  >
                                  > It has been mentioned but as I said, that is out of my hands while this
                                  > problem is not.

                                  Well, source version works on all platforms? Maybe you need to recompile
                                  one version by hand?

                                  --
                                  Eero
                                • Dennis Putnam
                                  Message 16 of 30 , Oct 28, 2009
                                    Management doesn't want me to spend the time doing that since we are
                                    upgrading the servers. Welcome to my world between a rock and a hard
                                    place. :-)

                                    The really bad part is all this configuration stuff will need to be
                                    migrated to the new version of Postfix anyway.

                                    On Oct 28, 2009, at 12:00 PM, Eero Volotinen wrote:

                                    > Dennis Putnam wrote:
                                    >> Yes. However, that is the version Apple provides with OS X 10.4. OS
                                    >> X 10.6, which has the latest version of Postfix, will not run on
                                    >> PPC servers so we are in the process of acquiring Intel servers
                                    >> (dictated by budget issues beyond my control). Unfortunately, I
                                    >> have to deal with this immediate problem until then.
                                    >> It has been mentioned but as I said, that is out of my hands while
                                    >> this problem is not.
                                    >
                                    > Well, source version works on all platforms? Maybe you need to
                                    > recompile one version by hand?
                                    >
                                    > --
                                    > Eero
                                    >



                                  • Stan Hoeppner
                                    Message 17 of 30 , Oct 28, 2009
                                      Dennis Putnam put forth on 10/28/2009 10:53 AM:
                                      > Yes. However, that is the version Apple provides with OS X 10.4. OS X
                                      > 10.6, which has the latest version of Postfix, will not run on PPC
                                      > servers so we are in the process of acquiring Intel servers (dictated by
                                      > budget issues beyond my control). Unfortunately, I have to deal with
                                      > this immediate problem until then.

                                      That's a tight spot to be in. I feel for ya.

                                      > It has been mentioned but as I said, that is out of my hands while this
                                      > problem is not.

                                      Migrating data and settings for various things may be a bit tricky, but
                                      current PowerPC Postfix is available, 2.5.5-1.1, on Debian PowerPC:

                                      http://www.debian.org/distrib/netinst

                                      Debian GNU/Linux isn't OSX (it's better). Dunno if this is a
                                      possibility for you, but it is an option if you want to keep that PPC
                                      hardware humming away with fully up to date modern code.

                                      Or you could always grab the Postfix source and compile/install it
                                      yourself, assuming you have current OSX dev tools installed on the host
                                      and prerequisite libraries etc.

                                      --
                                      Stan
                                    • Paul Beard
                                      Message 18 of 30 , Oct 28, 2009
                                        On Oct 28, 2009, at 9:13 AM, Stan Hoeppner <stan@...>
                                        wrote:

                                        > Debian GNU/Linux isn't OSX (it's better). Dunno if this is a
                                        > possibility for you, but it is an option if you want to keep that PPC
                                        > hardware humming away with fully up to date modern code.
                                        >

                                        If mgmt doesn't want someone compiling a native version, how does
                                        arguing for a different OS help? (and FreeBSD is better still. Let the
                                        flames rage. )

                                        > Or you could always grab the Postfix source and compile/install it
                                        > yourself, assuming you have current OSX dev tools installed on the
                                        > host
                                        > and prerequisite libraries etc.


                                        This is the easiest approach. There are certainly docs available for
                                        building postfix on OS X. And the MacPorts toolchain is worth
                                        installing for things like this though bootstrapping that may take
                                        more time than you have.
                                        --
                                        If this was a real .signature it would be more interesting.
                                      • Stan Hoeppner
                                        Message 19 of 30 , Oct 28, 2009
                                          Paul Beard put forth on 10/28/2009 11:48 AM:
                                          > On Oct 28, 2009, at 9:13 AM, Stan Hoeppner <stan@...> wrote:
                                          >
                                          >> Debian GNU/Linux isn't OSX (it's better). Dunno if this is a
                                          >> possibility for you, but it is an option if you want to keep that PPC
                                          >> hardware humming away with fully up to date modern code.
                                          >>
                                          >
                                          > If mgmt doesn't want someone compiling a native version, how does
                                          > arguing for a different OS help? (and FreeBSD is better still. Let the
                                          > flames rage. )

                                          I think you may have misunderstood me. I was merely pointing out that
                                          there is a mature and supported Power(PC) OS available for his hardware
                                          now that Apple stopped supporting PowerPC, in the event the hardware
                                          itself will continue to be sufficient for his needs for a while longer.
                                          I say "mature" as the FreeBSD site seems to indicate the PowerPC
                                          FreeBSD port is not fully baked at the moment (otherwise I'd have
                                          mentioned that option as well). The Debian PowerPC is fully baked,
                                          along with S/390, Alpha, IA-64, SPARC, and many other architectures.
                                          Just one of the many nice things about Debian--full supported releases
                                          simultaneously across the most diverse set of architectures of any *inux
                                          distribution.

                                          >> Or you could always grab the Postfix source and compile/install it
                                          >> yourself, assuming you have current OSX dev tools installed on the host
                                          >> and prerequisite libraries etc.
                                          >
                                          > This is the easiest approach. There are certainly docs available for
                                          > building postfix on OS X. And the MacPorts toolchain is worth installing
                                          > for things like this though bootstrapping that may take more time than
                                          > you have.

                                          I agree. But like you said, it may be more worth his time to just wait
                                          until the aforementioned new x86-64 servers arrive, if indeed this new
                                          hardware is a done deal. In that case there's no good reason to
                                          duplicate effort, as the OP previously mentioned.

                                          --
                                          Stan
                                        • ram
                                          Message 20 of 30 , Oct 28, 2009
                                            On Wed, 2009-10-28 at 08:45 +1100, Phillip Smith wrote:
                                            > 2009/10/28 Dennis Putnam <dennis.putnam@...>
                                            > Thanks for the reply. That sucks. Is there a way around this,
                                            > short of turning that off or whitelisting?
                                            >
                                            > Tell the admin of the remote domain to fix their PTR records and/or MX
                                            > helo configuration because in the meantime, you're going to have to
                                            > implement a dirty hack to make their server work.

                                            But the PTR needs no "fix".

                                            The IP resolves to a hostname perfectly fine , only that the hostname
                                            does not resolve.

                                            Is that a valid reason to reject mails ?
                                            I had to remove the reject_unknown_client because of this.

                                            I hope postfix would have a *reject_no_ptr* .. that just checks for PTR
                                            record exists.








                                            Thanks
                                            Ram
                                          • Phillip Smith
                                            Message 21 of 30 , Oct 29, 2009
                                              >> Tell the admin of the remote domain to fix their PTR records and/or MX
                                              >> helo configuration because in the meantime, you're going to have to
                                              >> implement a dirty hack to make their server work.
                                              >
                                              > But the PTR needs no "fix".
                                              >
                                              > The IP resolves to a hostname perfectly fine , only that the hostname
                                              > does not resolve.

                                              Then a) it doesn't resolve perfectly -- it should resolve both ways. And b) any given IP address should only have *one* corresponding PTR record, not multiple PTR's. For one, it causes problems like this.
                                            • Ansgar Wiechers
                                              Message 22 of 30 , Oct 29, 2009
                                                On 2009-10-29 Phillip Smith wrote:
                                                >>> Tell the admin of the remote domain to fix their PTR records and/or
                                                >>> MX helo configuration because in the meantime, you're going to have
                                                >>> to implement a dirty hack to make their server work.
                                                >>
                                                >> But the PTR needs no "fix".
                                                >>
                                                >> The IP resolves to a hostname perfectly fine , only that the hostname
                                                >> does not resolve.
                                                >
                                                > Then a) it doesn't resolve perfectly -- it should resolve both ways.
                                                > And b) any given IP address should only have *one* corresponding PTR
                                                > record, not multiple PTR's. For one, it causes problems like this.

                                                It's a perfectly valid and supported DNS feature to have multiple PTR
                                                records. If this causes problems, then the respective application is at
                                                fault, not DNS.

                                                Regards
                                                Ansgar Wiechers
                                                --
                                                "Abstractions save us time working, but they don't save us time learning."
                                                --Joel Spolsky
                                              • d.hill@yournetplus.com
                                                Message 23 of 30 , Oct 29, 2009
                                                  Quoting ram <ram@...>:

                                                  > On Wed, 2009-10-28 at 08:45 +1100, Phillip Smith wrote:
                                                  >> 2009/10/28 Dennis Putnam <dennis.putnam@...>
                                                  >> Thanks for the reply. That sucks. Is there a way around this,
                                                  >> short of turning that off or whitelisting?
                                                  >>
                                                  >> Tell the admin of the remote domain to fix their PTR records and/or MX
                                                  >> helo configuration because in the meantime, you're going to have to
                                                  >> implement a dirty hack to make their server work.
                                                  >
                                                  > But the PTR needs no "fix".
                                                  >
                                                  > The IP resolves to a hostname perfectly fine , only that the hostname
                                                  > does not resolve.
                                                  >
                                                  > Is that a valid reason to reject mails ?
                                                  > I had to remove the reject_unknown_client because of this.
                                                  >
                                                  > I hope postfix would have a *reject_no_ptr* .. that just checks for PTR
                                                  > record exists.

                                                  From Postfix 2.3 on you can use reject_unknown_reverse_client_hostname:

                                                  http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname
                                                • Dennis Putnam
                                                  Message 24 of 30 , Oct 29, 2009
                                                    That is a relief when I get to the new version.

                                                    In the meantime I am still having trouble with the workaround. My config now says:

                                                    smtpd_helo_restrictions =
                                                          check_client_access cidr:/etc/postfix/heloaccept.cidr

                                                    That got rid of the dictionary error; however, it does not work as I expected. Perhaps I am misunderstanding what this is doing. The last entry in heloaccept.cidr is:

                                                    0.0.0.0/0 REJECT

                                                    The behavior seems to be that anything not listed in the cidr file is getting rejected (actually it says 'access denied'). The behavior I am looking for is the same as reject_unknown_client unless the IP or network is listed in the cidr file with OK before the above entry. What do I have wrong?

                                                    Thanks.

                                                    On Oct 29, 2009, at 7:52 AM, d.hill@... wrote:

                                                    > Quoting ram <ram@...>:
                                                    >
                                                    >> On Wed, 2009-10-28 at 08:45 +1100, Phillip Smith wrote:
                                                    >>> 2009/10/28 Dennis Putnam <dennis.putnam@...>
                                                    >>> Thanks for the reply. That sucks. Is there a way around this,
                                                    >>> short of turning that off or whitelisting?
                                                    >>>
                                                    >>> Tell the admin of the remote domain to fix their PTR records and/or MX
                                                    >>> helo configuration because in the meantime, you're going to have to
                                                    >>> implement a dirty hack to make their server work.
                                                    >>
                                                    >> But the PTR needs no "fix".
                                                    >>
                                                    >> The IP resolves to a hostname perfectly fine , only that the hostname
                                                    >> does not resolve.
                                                    >>
                                                    >> Is that a valid reason to reject mails ?
                                                    >> I had to remove the reject_unknown_client because of this.
                                                    >>
                                                    >> I hope postfix would have a *reject_no_ptr* .. that just checks for PTR
                                                    >> record exists.
                                                    >
                                                    > From Postfix 2.3 on you can use reject_unknown_reverse_client_hostname:
                                                    >
                                                    > http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname







                                                  • Victor Duchovni
                                                    Message 25 of 30 , Oct 29, 2009
                                                      On Thu, Oct 29, 2009 at 02:35:56PM -0400, Dennis Putnam wrote:

                                                      > That is a relief when I get to the new version.
                                                      >
                                                      > In the mean time I am still having trouble with the workaround. My config
                                                      > now says:
                                                      >
                                                      > smtpd_helo_restrictions =
                                                      > check_client_access cidr:/etc/postfix/heloaccept.cidr
                                                      >
                                                      > That got rid of the dictionary error however it does not work as I
                                                      > expected. Perhaps I am misunderstanding what this is doing. The last entry
                                                      > in heloaccept.cdir is:
                                                      >
                                                      > 0.0.0.0/0 REJECT
                                                      >
                                                      > The behavior seems to be that anything not listed in the cdir file is
                                                      > getting rejected (actually it says 'access denied'). The behavior I am
                                                      > looking is the same as reject_unknown_client unless the IP or network is
                                                      > listed in the cdir file with OK before the above entry. What do I have
                                                      > wrong?

                                                      Change that to:

                                                      0.0.0.0/0 reject_unknown_client

                                                      --
                                                      Viktor.

                                                      Disclaimer: off-list followups get on-list replies or get ignored.
                                                      Please do not ignore the "Reply-To" header.

                                                      To unsubscribe from the postfix-users list, visit
                                                      http://www.postfix.org/lists.html or click the link below:
                                                      <mailto:majordomo@...?body=unsubscribe%20postfix-users>

                                                      If my response solves your problem, the best way to thank me is to not
                                                      send an "it worked, thanks" follow-up. If you must respond, please put
                                                      "It worked, thanks" in the "Subject" so I can delete these quickly.
                                                    • Dennis Putnam
                                                      Message 26 of 30 , Oct 30, 2009
                                                        Thanks. I owe you one. That seems to have fixed it.

                                                        On Oct 29, 2009, at 2:41 PM, Victor Duchovni wrote:

                                                        > On Thu, Oct 29, 2009 at 02:35:56PM -0400, Dennis Putnam wrote:
                                                        >
                                                        >> That is a relief when I get to the new version.
                                                        >>
                                                        >> In the mean time I am still having trouble with the workaround. My
                                                        >> config
                                                        >> now says:
                                                        >>
                                                        >> smtpd_helo_restrictions =
                                                        >> check_client_access cidr:/etc/postfix/heloaccept.cidr
                                                        >>
                                                        >> That got rid of the dictionary error however it does not work as I
                                                        >> expected. Perhaps I am misunderstanding what this is doing. The
                                                        >> last entry
                                                        >> in heloaccept.cdir is:
                                                        >>
                                                        >> 0.0.0.0/0 REJECT
                                                        >>
                                                        >> The behavior seems to be that anything not listed in the cdir file is
                                                        >> getting rejected (actually it says 'access denied'). The behavior I
                                                        >> am
                                                        >> looking is the same as reject_unknown_client unless the IP or
                                                        >> network is
                                                        >> listed in the cdir file with OK before the above entry. What do I
                                                        >> have
                                                        >> wrong?
                                                        >
                                                        > Change that to:
                                                        >
                                                        > 0.0.0.0/0 reject_unknown_client
                                                        >
                                                        > --
                                                        > Viktor.
                                                        >
                                                        > Disclaimer: off-list followups get on-list replies or get ignored.
                                                        > Please do not ignore the "Reply-To" header.
                                                        >
                                                        > To unsubscribe from the postfix-users list, visit
                                                        > http://www.postfix.org/lists.html or click the link below:
                                                        > <mailto:majordomo@...?body=unsubscribe%20postfix-users>
                                                        >
                                                        > If my response solves your problem, the best way to thank me is to not
                                                        > send an "it worked, thanks" follow-up. If you must respond, please put
                                                        > "It worked, thanks" in the "Subject" so I can delete these quickly.
                                                        >



                                                      • mouss
                                                        Message 27 of 30 , Oct 31, 2009
                                                          Ansgar Wiechers wrote:
                                                          > On 2009-10-29 Phillip Smith wrote:
                                                          >>>> Tell the admin of the remote domain to fix their PTR records and/or
                                                          >>>> MX helo configuration because in the meantime, you're going to have
                                                          >>>> to implement a dirty hack to make their server work.
                                                          >>> But the PTR needs no "fix".
                                                          >>>
                                                          >>> The IP resolves to a hostname perfectly fine, only that the hostname
                                                          >>> does not resolve.
                                                          >> Then a) it doesn't resolve perfectly -- it should resolve both ways.
                                                          >> And b) any given IP address should only have *one* corresponding PTR
                                                          >> record, not multiple PTR's. For one, it causes problems like this.
                                                          >
                                                          > It's a perfectly valid and supported DNS feature to have multiple PTR
                                                          > records. If this causes problems, then the respective application is at
                                                          > fault, not DNS.
                                                          >

                                                          Using multiple PTRs brings nothing but problems.

                                                          there is nothing bad with a setup like this:

                                                          192.0.2.1 PTR uranus.example.com
                                                          uranus.example.com A 192.0.2.1

                                                          www.example.com A 192.0.2.1
                                                          ftp.example.com A 192.0.2.1
                                                          blog.example.com A 192.0.2.1
                                                          wiki.example.com A 192.0.2.1

                                                          ...
                                                        • Ansgar Wiechers
                                                          Message 28 of 30 , Oct 31, 2009
                                                            On 2009-10-31 mouss wrote:
                                                            > Ansgar Wiechers wrote:
                                                            >> On 2009-10-29 Phillip Smith wrote:
                                                            >>> Then a) it doesn't resolve perfectly -- it should resolve both ways.
                                                            >>> And b) any given IP address should only have *one* corresponding PTR
                                                            >>> record, not multiple PTR's. For one, it causes problems like this.
                                                            >>
                                                            >> It's a perfectly valid and supported DNS feature to have multiple PTR
                                                            >> records. If this causes problems, then the respective application is at
                                                            >> fault, not DNS.
                                                            >
                                                            > Using multiple PTRs brings nothing but problems.

                                                            Which part of "then the respective application is at fault" did you fail
                                                            to understand?

                                                            > there is nothing bad with a setup like this:
                                                            >
                                                            > 192.0.2.1 PTR uranus.example.com
                                                            > uranus.example.com A 192.0.2.1
                                                            >
                                                            > www.example.com A 192.0.2.1
                                                            > ftp.example.com A 192.0.2.1
                                                            > blog.example.com A 192.0.2.1
                                                            > wiki.example.com A 192.0.2.1
                                                            >
                                                            > ...

                                                            There's also nothing wrong with a setup like this:

                                                            192.0.2.1 PTR uranus.example.com.
                                                            192.0.2.1 PTR www.example.com.
                                                            192.0.2.1 PTR ftp.example.com.
                                                            192.0.2.1 PTR blog.example.com.
                                                            192.0.2.1 PTR wiki.example.com.

                                                            uranus.example.com. A 192.0.2.1
                                                            www.example.com. A 192.0.2.1
                                                            ftp.example.com. A 192.0.2.1
                                                            blog.example.com. A 192.0.2.1
                                                            wiki.example.com. A 192.0.2.1

                                                            Except that b0rken software may choke on it. Duh.

                                                            And if you want to avoid multiple PTR records, there's also nothing
                                                            wrong with a setup like this:

                                                            192.0.2.1 PTR uranus.example.com.
                                                            uranus.example.com. A 192.0.2.1

                                                            www.example.com. CNAME uranus.example.com.
                                                            ftp.example.com. CNAME uranus.example.com.
                                                            blog.example.com. CNAME uranus.example.com.
                                                            wiki.example.com. CNAME uranus.example.com.


                                                            However, the OP's problem was not that a PTR record existed, but that a
                                                            corresponding A record did *not* exist. Which is an entirely different
                                                            issue.

                                                            Regards
                                                            Ansgar Wiechers
                                                            --
                                                            "Abstractions save us time working, but they don't save us time learning."
                                                            --Joel Spolsky
                                                          • Noel Jones
                                                            Message 29 of 30 , Oct 31, 2009
                                                              On 10/31/2009 10:36 AM, Ansgar Wiechers wrote:
                                                              > There's also nothing wrong with a setup like this:
                                                              >
                                                              > 192.0.2.1 PTR uranus.example.com.
                                                              > 192.0.2.1 PTR www.example.com.
                                                              > 192.0.2.1 PTR ftp.example.com.
                                                              > 192.0.2.1 PTR blog.example.com.
                                                              > 192.0.2.1 PTR wiki.example.com.
                                                              >
                                                              > uranus.example.com. A 192.0.2.1
                                                              > www.example.com. A 192.0.2.1
                                                              > ftp.example.com. A 192.0.2.1
                                                              > blog.example.com. A 192.0.2.1
                                                              > wiki.example.com. A 192.0.2.1
                                                              >
                                                              > Except that b0rken software may choke on it. Duh.

                                                              ... and DNS returns a pseudo-random response, so you can't
                                                              control which PTR gets returned first.

                                                              ... and software that cares about the PTR and doesn't choke
                                                              won't ever look past the first pseudo-random response.

                                                              So you really don't gain anything other than getting to show
                                                              off how you can cram lots of unnecessary stuff into your DNS
                                                              record. Sometimes this makes the neubs feel better, but it
                                                              really doesn't bring any benefit.

                                                              -- Noel Jones
                                                            • Ansgar Wiechers
                                                              Message 30 of 30 , Oct 31, 2009
                                                                On 2009-10-31 Noel Jones wrote:
                                                                > On 10/31/2009 10:36 AM, Ansgar Wiechers wrote:
                                                                >> There's also nothing wrong with a setup like this:
                                                                >>
                                                                >> 192.0.2.1 PTR uranus.example.com.
                                                                >> 192.0.2.1 PTR www.example.com.
                                                                >> 192.0.2.1 PTR ftp.example.com.
                                                                >> 192.0.2.1 PTR blog.example.com.
                                                                >> 192.0.2.1 PTR wiki.example.com.
                                                                >>
                                                                >> uranus.example.com. A 192.0.2.1
                                                                >> www.example.com. A 192.0.2.1
                                                                >> ftp.example.com. A 192.0.2.1
                                                                >> blog.example.com. A 192.0.2.1
                                                                >> wiki.example.com. A 192.0.2.1
                                                                >>
                                                                >> Except that b0rken software may choke on it. Duh.
                                                                >
                                                                > ... and DNS returns a pseudo-random response, so you can't control
                                                                > which PTR gets returned first.
                                                                >
                                                                > ... and software that cares about the PTR and doesn't choke won't ever
                                                                > look past the first pseudo-random response.

                                                                You have a weird way of agreeing with me.

                                                                > So you really don't gain anything other than getting to show off how
                                                                > you can cram lots of unnecessary stuff into your DNS record.
                                                                > Sometimes this makes the neubs feel better, but it really doesn't
                                                                > bring any benefit.

                                                                I didn't say that there's any actual benefit, but that having multiple
                                                                PTR records is a valid configuration. Meaning that not "any given IP
                                                                address should only have *one* corresponding PTR record", but "any given
                                                                software should take into account the fact that a reverse lookup may
                                                                return more than just one record".

                                                                Besides, this still is unrelated to both Postfix and the OP's problem.

                                                                Regards
                                                                Ansgar Wiechers
                                                                --
                                                                "Abstractions save us time working, but they don't save us time learning."
                                                                --Joel Spolsky
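
The behaviour argued over in this thread, as an added example that is not part of any poster's message and is not Postfix's code: a forward-confirmed reverse DNS check run over a constructed in-memory zone, comparing a client that trusts only the first PTR name returned with one that walks every name. The 192.0.2.2 and 192.0.2.3 entries, the `orphan.*` names and all function names are assumptions made for illustration.

```python
import random

# Constructed sample zone, modelled on the thread's 192.0.2.1 records.
# 192.0.2.2 and 192.0.2.3 and their names are hypothetical additions.
PTR = {
    "192.0.2.1": ["uranus.example.com.", "www.example.com.", "ftp.example.com."],
    "192.0.2.2": ["mx.example.net.", "orphan.example.net."],
    "192.0.2.3": ["orphan.example.org."],
}
A = {
    "uranus.example.com.": ["192.0.2.1"],
    "www.example.com.": ["192.0.2.1"],
    "ftp.example.com.": ["192.0.2.1"],
    "mx.example.net.": ["192.0.2.2"],
    # the orphan.* names deliberately have no A record
}


def resolve_ptr(ip, rng):
    """Return the PTR names for ip in shuffled order, as a rotating answer would."""
    names = list(PTR.get(ip, []))
    rng.shuffle(names)
    return names


def forward_confirms(name, ip):
    """True when name has an A record pointing back at ip."""
    return ip in A.get(name, [])


def check_first_only(ip, rng):
    """Policy 1: trust only the first PTR name returned."""
    names = resolve_ptr(ip, rng)
    return names[0] if names and forward_confirms(names[0], ip) else None


def check_any(ip, rng):
    """Policy 2: accept the first name, in sorted order, that forward-confirms."""
    for name in sorted(resolve_ptr(ip, rng)):
        if forward_confirms(name, ip):
            return name
    return None


def acceptance_rate(check, ip, trials=200, seed=1):
    """Fraction of lookups in which the client gets a verified hostname."""
    rng = random.Random(seed)
    return sum(check(ip, rng) is not None for _ in range(trials)) / trials


if __name__ == "__main__":
    for ip in sorted(PTR):
        print(ip, acceptance_rate(check_first_only, ip), acceptance_rate(check_any, ip))
```

With every PTR name backed by an A record (192.0.2.1) both policies always pass; one unbacked name among several (192.0.2.2) makes the first-only policy fail intermittently; a PTR name with no A record at all (192.0.2.3) fails under either policy.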