On Thu, Sep 13, 2007 at 05:56:07AM -0400, Justin Piszcz wrote:
> 
> 
> On Thu, 13 Sep 2007, Francis Galiegue wrote:
> 
> >On Thursday 13 September 2007, Justin Piszcz wrote:
> >>Aug 20 18:23:36 l2 postfix/smtpd[11969]: NOQUEUE: reject: RCPT from
> >>smtp2.netcabo.pt[212.113.174.29]: 550 5.7.1 <[EMAIL PROTECTED]>: Recipient
> >>address rejected: Mail appeared to be SPAM or forged. Ask your
> >>Mail/DNS-Administrator to correct HELO and DNS MX settings or to get
> >>removed from DNSBLs; MTA helo: exch01smtp09.hdi.tvcabo, MTA hostname:
> >>smtp2.netcabo.pt[212.113.174.29] (helo/hostname mismatch);
> >>from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]> proto=ESMTP
> >>helo=<exch01smtp09.hdi.tvcabo>
> >>
> >># VERSION: 0.1.14 beta-6
> >>
> >>We see here that the ISP is tvcabo in Portugal but that they are going
> >>through an exchange server and it passed all of my postfix checks no
> >>errors, but it died here.
> >>
> >>Can we make either an exception for exch* (exchange hosts) or somehow be
> >>more careful with this type of mail?
> >>
> >>I am not sure of the best approach but just reporting this and asking
> >>for suggestions.
> >>
> >>Thanks!
> >>
> >
> >This should be done at the Postfix level. A good way of doing this is to add
> >in smtpd_recipient_restrictions the following:
> >
> >smtpd_recipient_restrictions = <whatever>,
> >     check_client_access hash:/etc/postfix/client_exceptions,
> >     <whatever>
> >
> >Be sure to add the check_client_access BEFORE policyd.
> >
> >In /etc/postfix/client_exceptions, put:
> >
> >the.ip.address OK
> ># You can put a hostname instead of an IP address if you wish
> >
> >and compile the map with:
> >
> >postmap /etc/postfix/client_exceptions
> >
> >Once it's done, reload postfix (a restart is NOT needed).
> >
> 
> Yes this is what I ended up doing but I wish it had not been rejected in the
> first place, always have to lose that first e-mail. :(

you could set up a pcre map

smtpd_recipient_restrictions =
    ...
    reject_unauth_destination
    ...
    check_client_access pcre:/etc/postfix/exchange_exceptions.pcre
    check_policy_service ...

/etc/postfix/exchange_exceptions.pcre
/[^.]*(exch|smtp).*\..*\../ OK

This won't help with postfix' "unknown" clients, though (I think).

Also, you want to make exceptions based on a _failing_ HELO, so you
would have to do a

smtpd_recipient_restrictions =
    ...
    reject_unauth_destination
    ...
    check_helo_access pcre:/etc/postfix/exchange_exceptions.pcre
    check_policy_service ...

with the file like above in order to allow broken exchanges, or clients
which act like broken exchanges.

This would mean, anyone who says "HELO exchange.blah.nonresolving"
will not be handed to policyd-weight.



-- 
    Robert Felber (PGP: 896CF30B)
    Munich, Germany

____________________________________________________________
Policyd-weight Mailinglist - http://www.policyd-weight.org/
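
The check below is an added example, not part of the original thread: it uses Python's re module as a stand-in for a Postfix pcre: table lookup to show which HELO names the pattern above would exempt from the policy service. NARROW_RULE and all sample names except the one from the log line are assumptions made for illustration.

```python
import re

# Pattern from the thread's exchange_exceptions.pcre, and a narrower
# alternative (hypothetical) pinned to the one HELO name in the log line.
THREAD_RULE = r"[^.]*(exch|smtp).*\..*\.."
NARROW_RULE = r"^exch[0-9]+smtp[0-9]+\.hdi\.tvcabo$"


def pcre_lookup(pattern, key):
    """Approximate a Postfix pcre: table lookup for a single key.

    Postfix pcre tables match case-insensitively by default, and a
    pattern may match anywhere in the key unless it is anchored.
    Returns "OK" on a match, None otherwise. None means the rule falls
    through, so the next restriction (check_policy_service) still runs.
    """
    return "OK" if re.search(pattern, key, re.IGNORECASE) else None


def audit(pattern, helo_names):
    """Return the HELO names that would be accepted before the policy check."""
    return [h for h in helo_names if pcre_lookup(pattern, h) == "OK"]


# Constructed sample HELO strings; only the first comes from the log line.
SAMPLES = [
    "exch01smtp09.hdi.tvcabo",     # HELO of the rejected delivery
    "exchange.blah.nonresolving",  # the case named in the reply
    "host.smtp-out.example.org",   # "smtp" in the middle of the name
    "SMTP.example.invalid",        # upper case, still matches
    "smtp.example",                # only one dot after "smtp"
    "mail.example.com",            # no "exch" or "smtp" at all
]

if __name__ == "__main__":
    for label, rule in (("thread", THREAD_RULE), ("narrow", NARROW_RULE)):
        print(label, "rule exempts:")
        for name in audit(rule, SAMPLES):
            print("   ", name)
```

The narrow rule only covers the one sender from the log line; each further exception would need its own anchored entry.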
