Univention Bugzilla – Bug 38292
check HELO string against reverse DNS entry
Last modified: 2015-07-28 15:50:31 CEST
Postfix should check the HELO string against the reverse DNS entry. The feature should be configurable via a UCR variable.
Created UCR variables
* mail/postfix/smtpd/restrictions/sender/require_reverse_dns and
* mail/postfix/smtpd/restrictions/sender/require_forward-confirmed_reverse_dns
for weaker and stricter rDNS checking respectively. They enable the Postfix options
* reject_unknown_reverse_client_hostname (http://www.postfix.org/postconf.5.html#reject_unknown_reverse_client_hostname) and
* reject_unknown_client_hostname (http://www.postfix.org/postconf.5.html#reject_unknown_client_hostname).
Both UCR variables are booleans and unset by default.
Commit: r60366
Package: mail/univention-mail-postfix
YAML: 2015-04-16-univention-mail-postfix.yaml
We should discuss this patch:
- I do not like variable names that do not match the postfix option name (confuses users)
- injecting recipient restrictions at a fixed position is IMHO a bad idea, because the order might change and in projects the ids 60 and 61 may already be in use or inappropriate.
- postfix delays the evaluation of sender, client, ... restrictions until just before DATA to prevent problems with broken SMTP clients. All rules in sender, client and ... restrictions may also be used in recipient restrictions. So why not add all rules to recipient restrictions, as this would greatly simplify the ruleset.
- IMO the postfix variable names are just bad (non-descriptive), but I share the thought about confusing UCRV names and will rename them; it is also more consistent.
- They could also be appended at the end. It's just that the Postfix documentation [1] said to put them after reject_unauth_destination, which is currently at 50. I propose to rewrite the template code so that those UCRVs always appear directly after reject_unauth_destination, independently of its order number (and after others, if they already occupy that position).
- Delayed evaluation is on, but the evaluation of restrictions still happens in the correct order. There can be problems [1] with the wrong order, although these two options can do no harm.

[1] http://www.postfix.org/SMTPD_ACCESS_README.html#danger
For 4.0-2 all changes were reverted in 60516.
Commit 62110 introduces the UCRVs
* mail/postfix/smtpd/restrictions/sender/reject_unknown_client_hostname
* mail/postfix/smtpd/restrictions/sender/reject_unknown_reverse_client_hostname
They are added to smtpd_recipient_restrictions after reject_unauth_destination (the position is calculated dynamically).
YAML: 2015-07-17-univention-mail-postfix.yaml (r62372)
Commit 62377 modified the smtp_restrictions sorting code to be safer (with numbers >99). YAML with new build number in 62379.
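The dynamic placement after reject_unauth_destination and the numeric sorting of rule positions described in the two comments above, as an added Python example that is not the univention-mail-postfix template code. The two flag names follow the bug; the recipient-restriction prefix, the truthiness helper and the sample UCR dictionary are constructed for illustration.

```python
# Added example, not the univention-mail-postfix template code: build the
# smtpd_recipient_restrictions rule list from UCR-style numbered entries,
# sort positions numerically (so 100 lands after 50, not before 20) and
# place the optional rDNS checks directly after reject_unauth_destination.
# The flag names follow the bug; the recipient prefix and sample data are constructed.
RECIPIENT_PREFIX = "mail/postfix/smtpd/restrictions/recipient/"
REVERSE_FLAG = "mail/postfix/smtpd/restrictions/sender/reject_unknown_reverse_client_hostname"
FCRDNS_FLAG = "mail/postfix/smtpd/restrictions/sender/reject_unknown_client_hostname"

def ucr_is_true(value):
    """Boolean UCR values as Postfix templates commonly read them."""
    return str(value).strip().lower() in ("yes", "true", "1", "on", "enable", "enabled")

def build_recipient_restrictions(ucr):
    """Return the ordered rule list for smtpd_recipient_restrictions."""
    numbered = []
    for key, value in ucr.items():
        if key.startswith(RECIPIENT_PREFIX):
            suffix = key[len(RECIPIENT_PREFIX):]
            if suffix.isdigit() and value.strip():
                # int() is the safety fix: string sorting puts "100" before "50".
                numbered.append((int(suffix), value.strip()))
    numbered.sort(key=lambda item: item[0])
    rules = [rule for _, rule in numbered]

    # Weaker check (reverse lookup only) and stricter FCrDNS check, each optional.
    rdns_rules = []
    if ucr_is_true(ucr.get(REVERSE_FLAG, "")):
        rdns_rules.append("reject_unknown_reverse_client_hostname")
    if ucr_is_true(ucr.get(FCRDNS_FLAG, "")):
        rdns_rules.append("reject_unknown_client_hostname")
    if not rdns_rules:
        return rules

    # Anchor on reject_unauth_destination wherever it sits (append if absent).
    if "reject_unauth_destination" in rules:
        pos = rules.index("reject_unauth_destination") + 1
    else:
        pos = len(rules)
    return rules[:pos] + rdns_rules + rules[pos:]

# Constructed sample UCR state: FCrDNS check on, one rule numbered above 99.
SAMPLE_UCR = {
    RECIPIENT_PREFIX + "10": "permit_mynetworks",
    RECIPIENT_PREFIX + "20": "permit_sasl_authenticated",
    RECIPIENT_PREFIX + "50": "reject_unauth_destination",
    RECIPIENT_PREFIX + "100": "permit",
    FCRDNS_FLAG: "yes",
}
```

With SAMPLE_UCR the stricter check ends up fourth, right after reject_unauth_destination and before the rule numbered 100.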
OK: YAML
OK: code change
OK: functional test
<http://errata.univention.de/ucs/4.0/263.html>