Univention Bugzilla – Bug 38292
check HELO string against reverse DNS entry
Last modified: 2015-07-28 15:50:31 CEST
Postfix should check the HELO string against the reverse DNS entry.
The feature should be configurable via a UCR variable.
Created UCR variables
* mail/postfix/smtpd/restrictions/sender/require_reverse_dns and
for weaker and stricter rDNS checking respectively.
They enable the Postfix options
* reject_unknown_reverse_client_hostname (http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname) and
* reject_unknown_client_hostname (http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname).
Both UCR variables are booleans and unset by default.
We should discuss this patch:
- I do not like variable names that do not match the Postfix option name
- injecting recipient restrictions at a fixed position is IMHO a bad idea,
because the order might change and in projects the ids 60 and 61 may be already
in use or inappropriate.
- Postfix delays the evaluation of sender, client, ... restrictions just before
DATA to prevent problems with broken SMTP clients. All rules in sender, client
and ... restrictions may also be used in recipient restrictions. So why not add
all rules to recipient restrictions as this would extremely simplify the
- IMO the Postfix variable names are just bad (non-descriptive), but I share the thought about confusing UCRV names and will rename them; it is also more consistent.
- They could also be appended at the end. It's just that the Postfix documentation said to put them after reject_unauth_destination, which is currently at 50. I propose to rewrite the template code to make those UCRVs always appear directly after reject_unauth_destination, independently of its order number (and after others, if they occupy that position already).
- Delayed evaluation is on, but the evaluation of restrictions still happens in the correct order. There can be problems with the wrong order, although these two options can do no harm.
For 4.0-2 all changes were reverted in 60516.
Commit 62110 introduces the UCRVs
They are added to smtpd_recipient_restrictions after reject_unauth_destination (position is calculated dynamically).
YAML: 2015-07-17-univention-mail-postfix.yaml (r62372)
Commit 62377 modified the smtp_restrictions sorting code to be safer (with numbers >99).
YAML with new build number in 62379.
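The placement discussed in this report (rDNS checks directly after reject_unauth_destination, with order IDs sorted numerically so that values above 99 stay in sequence), as an added example. It is not Univention's template code; the function names, the order-ID dictionary and the sample rules are constructed for illustration.

```python
# Added example: names and sample data are constructed, not Univention's code.
RDNS_WEAK = "reject_unknown_reverse_client_hostname"
RDNS_STRICT = "reject_unknown_client_hostname"
ANCHOR = "reject_unauth_destination"

# Constructed order-ID -> rule mapping; "100" exercises the >99 case.
SAMPLE = {
    "10": "permit_mynetworks",
    "20": "permit_sasl_authenticated",
    "50": "reject_unauth_destination",
    "100": "reject_unlisted_recipient",
}


def numeric_order(entries):
    """Return the rules ordered by integer ID rather than by string.

    A string sort places "100" before "20" and "50", which would move a
    rule with an ID above 99 in front of reject_unauth_destination.
    """
    def key(item):
        ident = item[0]
        # Non-numeric IDs sort last, alphabetically, instead of raising.
        return (0, int(ident), "") if ident.isdecimal() else (1, 0, ident)
    return [rule for _, rule in sorted(entries.items(), key=key)]


def build_recipient_restrictions(entries, weak=False, strict=False):
    """Insert the enabled rDNS checks directly after the anchor rule."""
    rules = numeric_order(entries)
    extra = [rule for rule, enabled in ((RDNS_WEAK, weak), (RDNS_STRICT, strict))
             if enabled and rule not in rules]
    try:
        pos = rules.index(ANCHOR) + 1
    except ValueError:
        pos = len(rules)  # assumption: without the anchor, append at the end
    return rules[:pos] + extra + rules[pos:]


def render(rules):
    """Format the list as a main.cf parameter with continuation lines."""
    return "smtpd_recipient_restrictions = " + ",\n    ".join(rules)


if __name__ == "__main__":
    print(render(build_recipient_restrictions(SAMPLE, weak=True)))
```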
OK: code change
OK: functional test