From: Amedeo Rinaldo on
(I apologize for my terrible English)

In order to minimize dnsbl queries and, globally, to decrease dependency
on external services, I started to test some pcre rules
(check_client_access at various stages) in which I'm trying to
'whitelist' properly configured DNS hosts and to slow down/rate limit
bad ones. First I must say this is only my lab test :-)
I'm basing my test rules on Matthew Sullivan's DRAFT "Suggested Generic
DNS Naming Schemes"
(http://tools.ietf.org/html/draft-msullivan-dnsop-generic-naming-schemes-00).
In my personal experience, I can say that lots of ISPs are considering it.

(testing on debian lenny/squeeze postfix 2.5.5-1.1 / 2.7.1-1)

---

Some very simple examples (the pcre are not perfect, I know):

# RFC Draft OK -> 'whitelist' (no limits, no slamming, etc..)
# samples: smtp254.example.com. mail-88.colo.example.com.
/^smtp[-.0-9a-z]*\.[-a-z0-9]+\.[a-z][a-z]+\.?$/ OK
/^mail[-.0-9a-z]*\.[-a-z0-9]+\.[a-z][a-z]+\.?$/ OK
/^mx[-.0-9a-z]*\.[-a-z0-9]+\.[a-z][a-z]+\.?$/ OK


And.. to be more aggressive.. :-) .. some samples:

# sample: reject 'unassigned.example.com.'
/(^|\.)unassigned\.(.*\.)?[-a-z0-9]+\.[a-z][a-z]+\.?$/ REJECT Your hostname
    seems to indicate an 'unassigned' network

# sample: reject '0.0.0.10.dynamic.example.com.'
/.*\.dynamic\.(.*\.)?[-a-z0-9]+\.[a-z][a-z]+\.?$/ REJECT Your hostname
    seems to indicate an end user connection - Please use your ISP's SMTP

---

I know it's very crude, but I have some time to spend now and the real
goal is to increase my Postfix knowledge .. anyway .. I have already been
testing this 'monster' for 4 weeks on some (personal) domains for which
I'm really not concerned about mail loss.
Results? ..awesome!

Test (little) numbers:
Total incoming connections: about 50000
Ham messages: about 5000
False positives: about 50 (based on what I can know)

Ok, about 90% of total incoming messages were spam.. but:
85% blocked by pcre rules
14% blocked by dnsbl
1% quarantined by message tests (amavis,sa)

Previously dnsbl contributed 80% of total!

---

And now.. finally.. the 'subject' issue:

when a client has a reverse hostname but the corresponding fw dns record
doesn't exist .. here is a sample..

94.96.8.3 -> reverse lookup -> 94.96.8.3.dynamic.saudi.net.sa.
94.96.8.3.dynamic.saudi.net.sa. -> fw lookup -> NXDOMAIN

...Postfix passes me 'unknown[94.96.8.3]' and I cannot parse the
existing reverse hostname in the PCRE rules.

Is there a simple way to get the reverse hostname back ?

I thank you in advance for your patience and any help.

---
Amedeo Rinaldo

*Life is a cookie, but if it rains it melts*

From: Sahil Tandon on
On Wed, 2010-07-14 at 04:50:11 +0200, Amedeo Rinaldo wrote:

> when a client has a reverse hostname but the corresponding fw dns
> record doesn't exist .. here is a sample..
>
> 94.96.8.3 -> reverse lookup -> 94.96.8.3.dynamic.saudi.net.sa.
> 94.96.8.3.dynamic.saudi.net.sa. -> fw lookup -> NXDOMAIN
>
> ..Postfix passes me 'unknown[94.96.8.3]' and I cannot parse the
> existing reverse hostname in the PCRE rules.
>
> Is there a simple way to get the reverse hostname back ?

http://www.postfix.org/postconf.5.html#check_reverse_client_hostname_access

--
Sahil Tandon <sahil(a)FreeBSD.org>

From: Amedeo Rinaldo on
On 14/07/2010 04:57, Sahil Tandon wrote:
> On Wed, 2010-07-14 at 04:50:11 +0200, Amedeo Rinaldo wrote:
>
>> ..[CUT]..
>> Is there a simple way to get the reverse hostname back ?
>
> http://www.postfix.org/postconf.5.html#check_reverse_client_hostname_access


...so simple :) Thank you Sahil ..

But.. now I remember.. the reason I 'skipped' that restriction type is
that I'm testing on debian lenny (so .. postfix 2.5.5-1.1 ) and that
feature is only available in Postfix 2.6 and later.
I have only been testing postfix 2.7.1 for 2-3 days: it works like a charm :)

Is there a way to get the rDNS also in Postfix < 2.6 ?

Have a nice day..

---
Amedeo Rinaldo

*Life is a cookie, but if it rains it melts*

From: Noel Jones on
On 7/14/2010 10:21 AM, Amedeo Rinaldo wrote:
> On 14/07/2010 04:57, Sahil Tandon wrote:
>> On Wed, 2010-07-14 at 04:50:11 +0200, Amedeo Rinaldo wrote:
>>
>>> ..[CUT]..
>>> Is there a simple way to get the reverse hostname back ?
>>
>> http://www.postfix.org/postconf.5.html#check_reverse_client_hostname_access
>>
>
>
> ..so simple :) Thank you Sahil ..
>
> But.. now I remember.. the reason I 'skipped' that restriction
> type is that I'm testing on debian lenny (so .. postfix
> 2.5.5-1.1 ) and that feature is only available in Postfix 2.6
> and later.
> I have only been testing postfix 2.7.1 for 2-3 days: it works like a
> charm :)
>
> Is there a way to get the rDNS also in Postfix < 2.6 ?

The other option is to use a policy service; they have access
to the unverified rDNS hostname. You can probably convince
postfwd to do this for you.
http://www.postfix.org/SMTPD_POLICY_README.html
http://postfwd.org/

Or you can patch the postfix source manually to add the
feature. The patch has been posted to this list and should
work without too much trouble on 2.5.


-- Noel Jones
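
A sketch of the policy-service route suggested above, as an added example that is not code from any poster in this thread or from Postfix/postfwd. It reads the `reverse_client_name` attribute of the policy delegation protocol and applies reject patterns adapted from the pcre rules earlier in the thread. It only ever answers REJECT or DUNNO, never OK, because the PTR name is set by whoever controls the address's reverse zone. The function names and the sample request are constructed for illustration.

```python
# Postfix policy delegate: match reject rules against the unverified PTR name.
import re
import sys

# Patterns adapted from the thread's pcre rules (assumption: middle labels optional).
RULES = [
    (re.compile(r"(^|\.)unassigned\.(.*\.)?[-a-z0-9]+\.[a-z][a-z]+\.?$", re.I),
     "REJECT Your hostname seems to indicate an 'unassigned' network"),
    (re.compile(r"\.dynamic\.(.*\.)?[-a-z0-9]+\.[a-z][a-z]+\.?$", re.I),
     "REJECT Your hostname seems to indicate an end user connection"),
]

def parse_request(block):
    """Turn one 'name=value' request block into a dict; malformed lines are skipped."""
    attrs = {}
    for line in block.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs

def decide(attrs):
    """Return the action for one request; DUNNO lets later restrictions decide."""
    rname = attrs.get("reverse_client_name", "unknown")
    if rname.lower() == "unknown":          # client has no PTR record at all
        return "DUNNO"
    for pattern, action in RULES:
        if pattern.search(rname):
            return action
    return "DUNNO"

def serve(inp=sys.stdin, out=sys.stdout):
    """Answer requests until EOF; an empty line terminates each request."""
    block = []
    for line in inp:
        if line.strip():
            block.append(line)
        else:
            out.write("action=%s\n\n" % decide(parse_request("".join(block))))
            out.flush()
            block = []

# Constructed sample request for the client discussed in the thread.
SAMPLE = ("request=smtpd_access_policy\nclient_address=94.96.8.3\n"
          "client_name=unknown\nreverse_client_name=94.96.8.3.dynamic.saudi.net.sa\n")

if __name__ == "__main__":
    if sys.stdin.isatty():                  # run by hand: show the sample verdict
        print(decide(parse_request(SAMPLE)))
    else:                                   # run by Postfix: speak the protocol
        serve()
```

Postfix would reach this through `check_policy_service`, wired up as described in SMTPD_POLICY_README.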