
Re: OT? DNS checks in postfix - best practice, experience



Hello,

Jogi Hofmüller wrote on 06.3.2014:
[...]
> Personally I still think that having a matching IN A and IN PTR record
> for a mail server *and* use the same name in an EHLO/HELO message is a
> minimum requirement for a decently configured service.  Still, some
> admins disagree ...
> 
> Now I was wondering how other people deal with this issue.  Curious what
> you people think/say.

for our really small (non ISP) mailserver setups we ended up with two
levels of compromise:

>   reject_non_fqdn_sender
>   reject_non_fqdn_recipient
>   reject_unknown_sender_domain

These are always enabled.

    reject_unknown_client_hostname

This is enabled on some servers -- on others it does reject legitimate
mails. It is usually safer to assign a higher score in SpamAssassin
than to reject.

>   reject_unknown_reverse_client_hostname
>   reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname

These are never enabled as they sadly block way too much legitimate
mail.

We still use reject_invalid_helo_hostname to block nonsense HELOs.

Best regards,
Henrik
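
Added example, not part of the original message and not Postfix code: a simplified Python model of what each restriction named above tests, following the descriptions in the Postfix documentation, to show which ones fire for a given client. The DNS tables, the hostnames and the helper names (`would_reject`, `helo_is_valid`, `helo_is_literal`) are constructed for illustration, and the HELO syntax check is an approximation.

```python
import re

# Constructed sample DNS data (documentation addresses, not real hosts).
PTR = {"192.0.2.10": "mail.example.org", "192.0.2.20": "host20.isp.example"}
A = {"mail.example.org": {"192.0.2.10"}, "smtp.example.net": {"192.0.2.30"}}
MX = {"example.org": ["mail.example.org"]}

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def helo_is_literal(helo):
    """True for an address literal such as [192.0.2.10]."""
    return helo.startswith("[") and helo.endswith("]")

def helo_is_valid(helo):
    """Simplified syntax check: address literal or dot-separated labels."""
    if helo_is_literal(helo):
        return True
    return len(helo) <= 255 and all(LABEL.match(l) for l in helo.split("."))

def would_reject(client_ip, helo):
    """Return the set of restrictions that would reject this client."""
    hits = set()
    name = PTR.get(client_ip)
    # Only requires that some PTR record exists for the client address.
    if name is None:
        hits.add("reject_unknown_reverse_client_hostname")
    # Stricter: the PTR name must also resolve back to the client address.
    if name is None or client_ip not in A.get(name, set()):
        hits.add("reject_unknown_client_hostname")
    if not helo_is_valid(helo):
        hits.add("reject_invalid_helo_hostname")
    if not helo_is_literal(helo):
        # Must be syntactically valid and contain at least one dot.
        if not helo_is_valid(helo) or "." not in helo:
            hits.add("reject_non_fqdn_helo_hostname")
        # HELO name needs an A or MX record of its own.
        if helo not in A and helo not in MX:
            hits.add("reject_unknown_helo_hostname")
    return hits

if __name__ == "__main__":
    for ip, helo in [("192.0.2.10", "mail.example.org"),
                     ("192.0.2.20", "host20.isp.example"),
                     ("192.0.2.10", "localhost")]:
        print(ip, helo, sorted(would_reject(ip, helo)))
```

The second sample client has a PTR record but no matching A record, so it passes `reject_unknown_reverse_client_hostname` and fails `reject_unknown_client_hostname`.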

