On 16 Sep 2014, at 17:59 , Bill Cole <postfixlists-070...@billmail.scconsult.com> wrote: > It is much safer to use 'reject_invalid_helo_hostname' or > 'reject_non_fqdn_helo_hostname' or for maximal safety to use a > 'check_helo_access' map to specifically reject HELO names & patterns that > fingerprint spambots (e.g. 'friend', 'ylmf-pc', '[127.0.0.1]', your own local > names/IPs, etc.) or gross incompetence (unqualified names, *.local, etc.) and > perhaps to exempt special cases where you are willing to tolerate > incompetence.
I suspect a lot of people get reject_invalid_helo_hostname and reject_unknown_helo_hostname confused. I think you can always add the following and then look at your logs: warn_if_reject reject_unknown_helo_hostname I used to have a helo check, but no longer use it: $ cat helo_checks.pcre /(unknown|localhost|localdomain|lan|home|example|local)$/ REJECT Mailserver name in private namespace /kreme\.com$/ REJECT helo Don't spoof my hostname #several more like that for various domains. /(\d{1,3}[.-]){3}[.-]\d{1,3}/ WARN Too many numbers in your HELO/EHLO (D) /([[:digit:]]{1,3}[.-]){3}[[:digit:]]{1,3}/ WARN Too many numbers in HELO/EHLO (dig) /\.(dsl|adsl|pool|dynamic|user|hsd|dyn|dial)/ REJECT helo Dynamic . servers not allowed /^(dsl|adsl|pool|dynamic|user|hsd|dyn|dial)/ REJECT helo Dynamic ^ servers not allowed /home\.com$/ REJECT home.com is poisoned -- I'll have what the gentleman on the floor is having.