Rob Kampen wrote on Fri, 03 Feb 2012 10:08:09 +1300: > My confusion is that a reverse lookup of the IP gives me the clients > domain (dropping the mail(x) subdomain) thus I assumed it was the helo > domain name - which does not have rDNS - that was causing the reject - > maybe it was just a timing error. No, it wasn't, read the explanation of this check, see below. You may want to use reject_unknown_reverse_client_hostname instead. Actually, I've not been aware until now that it does more than checking the rDNS (or I had forgotten it in the meantime and had to be reminded :-). reject_unknown_client_hostname (with Postfix < 2.3: reject_unknown_client) Reject the request when 1) the client IP address->name mapping fails, 2) the name->address mapping fails, or 3) the name->address mapping does not match the client IP address. This is a stronger restriction than the reject_unknown_reverse_client_hostname feature, which triggers only under condition 1) above. http://www.postfix.org/postconf.5.html > Final question for the list - does anyone use "reject_unknown_client" - > it has given me the most grief with legitimate clients that have poorly > administered domains. I've been using the reject_unknown_client_hostname restriction on my own server(s) for years with no problems. But I'm not using it on client's servers. Looks like one day I knew what it does ;-) I think reject_unknown_client_hostname is a good restriction, but you may get too many "false" positives. There is no definitive RFC requirement that the mapping has to match. That's different for the simple rDNS lookup. I think it's defined in several RFCs (at least by loose interpretation) and also explained in every "mail server setup howto" and on Wikipedia. I usually point clients/admins to such a source and after a (not so long) while the sender mysteriously manages to have rDNS set up by his provider ... So, I would certainly recommend trying the less restrictive reject_unknown_reverse_client_hostname . As you pointed out lots of bots don't have rDNS, so they get rejected by this very effectively. And the false positive ratio is very low. Certainly lower for me than Sorbs (threw out Sorbs years ago). Kai _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos