domain resolution in check_client_access tables

  • E.B.
    Message 1 of 4 , Nov 17, 2013
      Hello,

      I wanted to allow certain clients to relay by using a check_client_access
      lookup map. It works nice if I use IP addresses. If I use domain names,
      it stops working for my test environment. My test client doesn't have
      rDNS set up (I think this is the cause of "connect from
      unknown[x.x.x.x]", right?).

      Do the check_client_access domain checks require rDNS? Is there any way
      to make Postfix do a normal A record resolve on a domain I give it in
      that table? For my relay clients, I can trust their DNS A records and I
      can't think of why I need to check their rDNS (unlike untrusted
      strangers).


      TIA
    • Wietse Venema
      Message 2 of 4 , Nov 17, 2013
        E.B.:
        > Hello,
        >
        > I wanted to allow certain clients to relay by using a check_client_access
        > lookup map. It works nice if I use IP addresses. If I use domain names,
        > it stops working for my test environment. My test client doesn't have
        > rDNS set up (I think this is the cause of "connect from
        > unknown[x.x.x.x]", right?).
        >
        > Do the check_client_access domain checks require rDNS?

        Any decision based on SMTP client hostname requires either an entry
        in /etc/hosts or equivalent, or a PTR record in DNS.

        Of course for access control Postfix also requires that the name
        resolves to the client IP address, otherwise cheating would be
        much too easy.

        > Is there any way to make Postfix do a normal A record resolve on
        > a domain I give it in that table? For my relay clients, I can trust
        > their DNS A records and I can't think of why I need to check their
        > rDNS (unlike untrusted strangers).

        Postfix determines the SMTP client name first, and then it looks
        up that client name in the access table.

        Postfix does not iterate over the whole access table and find out
        if any of those names resolve to the client IP address. If you want
        that, then you can write a policy service plugin, and see how well
        the idea works.

        Wietse
      • Viktor Dukhovni
        Message 3 of 4 , Nov 17, 2013
          On Sun, Nov 17, 2013 at 07:34:47PM -0500, Wietse Venema wrote:

          > > I wanted to allow certain clients to relay by using a check_client_access
          > > lookup map. It works nice if I use IP addresses. If I use domain names,
          > > it stops working for my test environment. My test client doesn't have
          > > rDNS set up (I think this is the cause of "connect from
          > > unknown[x.x.x.x]", right?).
          > >
          > > Do the check_client_access domain checks require rDNS?
          >
          > Any decision based on SMTP client hostname requires either an entry
          > in /etc/hosts or equivalent, or a PTR record in DNS.

          And with DNS lookups, there is always the possibility of temporary
          lookup failures leading to the client being unknown now and then.

          This is fine when rejecting unknown clients because the rejection
          will be a temporary failure. It is not fine when whitelisting
          clients by their DNS name, since in that case they may be hard-rejected
          by later restrictions.

          The problem is unavoidable. Do not rely on whitelists that use
          names obtained via DNS.

          --
          Viktor.
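An added model (not Postfix source and not from any poster) of the behaviour Wietse and Viktor describe: Postfix derives the client name from a PTR record that must forward-confirm to the client IP, tries that name and then the IP in check_client_access, and a missing or tempfailed lookup yields "unknown", so only IP entries can still match. The DNS data, the documentation-range IPs and the access table are constructed for the illustration.

```python
"""Model of how Postfix derives the SMTP client name and consults a
check_client_access table (added illustration, not Postfix code).
Lookup order follows access(5): hostname, then each parent domain,
then the IPv4 address and its shorter prefixes; first match wins.
DNS is a constructed in-memory table so the example runs offline."""

# Constructed DNS data. 192.0.2.10 forward-confirms; 192.0.2.20 has a PTR
# whose name resolves elsewhere; 192.0.2.30 has no PTR; 192.0.2.40 stands
# for a lookup that timed out (the temporary failure Viktor mentions).
PTR = {"192.0.2.10": "relay.example.com", "192.0.2.20": "spoof.example.com",
       "192.0.2.40": TimeoutError}
A = {"relay.example.com": "192.0.2.10", "spoof.example.com": "198.51.100.7"}

def client_name(ip, ptr=PTR, a=A):
    """Name Postfix would log for the client, or "unknown".
    Accepted only if PTR -> name and name -> A -> the same ip."""
    rec = ptr.get(ip)
    if rec is None or rec is TimeoutError:   # no PTR, or lookup tempfailed
        return "unknown"
    return rec if a.get(rec) == ip else "unknown"

def lookup_keys(ip, name):
    """Keys check_client_access tries, most specific first."""
    keys = []
    if name != "unknown":
        labels = name.split(".")
        keys += [".".join(labels[i:]) for i in range(len(labels))]  # host, parents
    octets = ip.split(".")
    keys += [".".join(octets[:n]) for n in range(4, 0, -1)]  # 192.0.2.10 ... 192
    return keys

def check_client_access(table, ip, ptr=PTR, a=A):
    """Result of the first matching table entry; DUNNO if none applied."""
    for key in lookup_keys(ip, client_name(ip, ptr, a)):
        if key in table:
            return table[key]
    return "DUNNO"

# Constructed access table: a domain entry and an IP entry.
ACCESS = {"example.com": "OK", "192.0.2.30": "OK"}

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(ip, client_name(ip), check_client_access(ACCESS, ip))
```

Only 192.0.2.10 is whitelisted through the domain entry; 192.0.2.30 matches solely because its address is listed, and the clients that fail or tempfail name resolution fall through to whatever later restrictions apply.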
        • E.B.
          Message 4 of 4 , Nov 18, 2013
            Thank you to Wietse and Viktor for the replies. Appreciate explanations very much.

            > On Sunday, November 17, 2013 4:42 PM, Viktor Dukhovni <postfix-users@...> wrote:
            > > On Sun, Nov 17, 2013 at 07:34:47PM -0500, Wietse Venema wrote:
            >
            >
            >> > I wanted to allow certain clients to relay by using a check_client_access
            >> > lookup map. It works nice if I use IP addresses. If I use domain names,
            >> > it stops working for my test environment. My test client doesn't have
            >> > rDNS set up (I think this is the cause of "connect from
            >> > unknown[x.x.x.x]", right?).
            >> >
            >> > Do the check_client_access domain checks require rDNS?
            >>
            >> Any decision based on SMTP client hostname requires either an entry
            >> in /etc/hosts or equivalent, or a PTR record in DNS.
            >
            > And with DNS lookups, there is always the possibility of temporary
            > lookup failures leading to the client being unknown now and then.
            >
            > This is fine when rejecting unknown clients because the rejection
            > will be a temporary failure.  It is not fine when whitelisting
            > clients by their DNS name, since in that case they may be hard-rejected
            > by later restrictions.
            >
            > The problem is unavoidable.  Do not rely on whitelists that use
            > names obtained via DNS.
            >
            > --
            >     Viktor.
            >