Re: DNS Clarification

From: Len Conrad (no email)
Date: Tue Oct 01 2002 - 07:21:28 EDT

• Next message: Russell Mosemann: "Re: ldap_domain"
• Previous message: Maarten de Vries: "Blocking Bugbear"
• In reply to: Len Conrad: "Re: DNS Clarification"
• Next in thread: Tom Allison: "Re: DNS Clarification"
• Reply: Tom Allison: "Re: DNS Clarification"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

>Sep 30 11:16:26 penguin postfix/smtpd[29651]: connect from
>unknown[63.126.78.2]
>Sep 30 11:16:26 penguin postfix/smtpd[29651]: lost connection after EHLO
>from unknown[63.126.78.2]

hmmm

>Sep 30 11:16:26 penguin postfix/smtpd[29651]: disconnect from
>unknown[63.126.78.2]
>Sep 30 11:17:35 penguin postfix/smtpd[29651]: connect from
>unknown[63.126.78.2]
>Sep 30 11:17:35 penguin postfix/smtpd[29651]: 8080B2309E:
>client=unknown[63.126.78.2]

no PTR record was found for 2.78.126.63.in-addr.arpa

# dig -x 63.126.78.2 ns

# dig -x 63.126.78.2 ns

; <<>> DiG 8.3 <<>> -x ns
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUERY SECTION:
;; 2.78.126.63.in-addr.arpa, type = NS, class = IN

;; ANSWER SECTION:
2.78.126.63.in-addr.arpa. 5h58m53s IN CNAME 2.0.78.126.63.in-addr.arpa.

but

# dig 2.0.78.126.63.in-addr.arpa. ptr

; <<>> DiG 8.3 <<>> 2.0.78.126.63.in-addr.arpa. ptr
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

>Sep 30 11:17:35 penguin postfix/smtpd[29651]: reject: RCPT from
>unknown[63.126.78.2]: 450 Client host rejected: cannot find your hostname,

"client" = "MTA client" to postfix's SMTPD server = 63.126.78.2

Rejecting unknown clients will cause a lot of false positives. not
recommended.

> [63.126.78.2]; from=<> to=<>
>Sep 30 11:17:40 penguin postfix/smtpd[29651]: disconnect from
>unknown[63.126.78.2]

what you can do is reduce forgeries with

bogus_from_senders.map

containing:

oscillon.com reject_unknown_client

... which requires that any ip with a sender.domain of @oscillon.com will
need to have matching PTR and A records to be accepted by postfix.

Since uu NS is authoritative for .2, youŽll have to get uu to match up the
A and PTR records.

Len

-
To unsubscribe, send mail to with content
(not subject): unsubscribe postfix-users

• Next message: Russell Mosemann: "Re: ldap_domain"
• Previous message: Maarten de Vries: "Blocking Bugbear"
• In reply to: Len Conrad: "Re: DNS Clarification"
• Next in thread: Tom Allison: "Re: DNS Clarification"
• Reply: Tom Allison: "Re: DNS Clarification"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]