Re: OT? DNS checks in postfix - best practice, experience
Hello,
Jogi Hofmüller wrote on 06.3.2014:
[...]
> Personally I still think that having a matching IN A and IN PTR record
> for a mail server *and* use the same name in an EHLO/HELO message is a
> minimum requirement for a decently configured service. Still, some
> admins disagree ...
>
> Now I was wondering how other people deal with this issue. Curious what
> you people think/say.
For our really small (non-ISP) mailserver setups we ended up with two
levels of compromise:
> reject_non_fqdn_sender
> reject_non_fqdn_recipient
> reject_unknown_sender_domain
These are always enabled.
reject_unknown_client_hostname
This is enabled on some servers -- on others it does reject legitimate
mail. It is usually safer to assign a higher score in SpamAssassin
than to reject.
> reject_unknown_reverse_client_hostname
> reject_non_fqdn_helo_hostname
reject_unknown_helo_hostname
These are never enabled as they sadly block way too much legitimate
mail.
We still use reject_invalid_helo_hostname to block nonsense HELOs.
Best regards,
Henrik
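
The layering described in this message, written out as a Postfix main.cf fragment. This is an added example, not configuration posted by anyone in the thread; which smtpd_*_restrictions list each check sits in, and the use of warn_if_reject to log instead of reject while measuring impact, are assumptions about one way to deploy it.

```conf
# Added example, not from the thread. The placement of each check in a
# particular restriction list is an assumption.

# Require HELO/EHLO so the HELO checks always have a name to evaluate.
smtpd_helo_required = yes

# reject_invalid_helo_hostname only blocks malformed HELO names and is
# enforced. The two stricter HELO checks are the ones reported above as
# blocking legitimate mail; warn_if_reject makes Postfix log a
# "reject_warning" record instead of rejecting.
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_invalid_helo_hostname,
    warn_if_reject reject_non_fqdn_helo_hostname,
    warn_if_reject reject_unknown_helo_hostname

# Client PTR / forward-confirmation checks, logged only. Remove
# warn_if_reject on servers where the logs show no legitimate senders hit.
smtpd_client_restrictions =
    permit_mynetworks,
    warn_if_reject reject_unknown_reverse_client_hostname,
    warn_if_reject reject_unknown_client_hostname

# The "always enabled" group: envelope address sanity checks.
smtpd_sender_restrictions =
    reject_non_fqdn_sender,
    reject_unknown_sender_domain

smtpd_recipient_restrictions =
    reject_non_fqdn_recipient,
    permit_mynetworks,
    reject_unauth_destination
```

Searching the mail log for `reject_warning` after a few days shows which of the logged-only checks would have blocked real senders.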