Hi,

On Sat, 8 May 2004 17:31:26 +0200 Heinz Ulrich Stille <[EMAIL PROTECTED]> wrote:
> On Saturday 08 May 2004 16:12, Pat Masterson wrote:
> > Does anybody have a rule to recognize my own IP in the HELO ?
> > thanks. -pat
>
> It's much simpler to let the mta reject the connection outright. No chance
> that there could come something good over it.
> In postfix eg. append check_helo_access to the smtpd_helo_restrictions with
> a cidr table containing REJECTs for your network address, and while you're
> at it, another one with your domain name(s).

For the network 66.143.181.8/29 and the domains
(austinimprov|cynistar).(com|net|org) I use the following PCRE map in
Postfix:

/66\.143\.181\.([8-9]|1[0-5])/  550 5.7.1 Do not masquerade as local server. Begone.
/^(austinimprov|cynistar)\.(com|net|org)$/  550 5.7.1 Do not masquerade as local server. Begone.
/^<?\d+\.\d+\.\d+\.\d+>?$/  450 HELO is an IP literal; try again with an actual resolvable hostname
/^localhost\.?/  450 Please fix your HELO to be an actual resolvable hostname

Caveat: my local clients and MTAs all HELO with a host name, not domain
name, so it's safe to drop anything HELOing as cynistar.net, etc.

Actually, rules #1 and #3 are redundant if you consider IP literals as
HELO strings to be illegitimate; the difference is that #1 should never
FP and #3 will only FP on badly misconfigured mailers. It might catch
clients, but clients should be talking to your MSA, not directly to your
MTA anyway.

hth,

-- Bob
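
Added example, not part of the message above: a Python check that runs the four posted rules over constructed HELO strings the way a Postfix pcre table evaluates them (rules in order, first match wins, case-insensitive by default), so a map like this can be exercised before it goes live. The ANCHORED table, the sample strings and the function names are assumptions made for illustration, not from the thread.

```python
import re

MASQ = "550 5.7.1 Do not masquerade as local server. Begone."
LITERAL = "450 HELO is an IP literal; try again with an actual resolvable hostname"
LOCALHOST = "450 Please fix your HELO to be an actual resolvable hostname"

# The four rules exactly as posted in the message above.
POSTED = [
    (r"66\.143\.181\.([8-9]|1[0-5])", MASQ),
    (r"^(austinimprov|cynistar)\.(com|net|org)$", MASQ),
    (r"^<?\d+\.\d+\.\d+\.\d+>?$", LITERAL),
    (r"^localhost\.?", LOCALHOST),
]

# Assumed variant (not from the message): rule 1 anchored, and both IP rules
# accept the [a.b.c.d] address-literal form defined by RFC 5321.
ANCHORED = [
    (r"^\[?66\.143\.181\.([8-9]|1[0-5])\]?$", MASQ),
    POSTED[1],
    (r"^[\[<]?\d+\.\d+\.\d+\.\d+[\]>]?$", LITERAL),
    POSTED[3],
]

def lookup(table, helo):
    """Return (rule number, action) for the first matching rule, else None.

    Mirrors Postfix pcre tables: rules are tried in order, the first match
    wins, and matching is case-insensitive by default.
    """
    for number, (pattern, action) in enumerate(table, start=1):
        if re.search(pattern, helo, re.IGNORECASE):
            return number, action
    return None

# Constructed HELO strings, not taken from real logs.
SAMPLES = ["66.143.181.9", "[66.143.181.9]", "66.143.181.80", "[192.0.2.1]",
           "CYNISTAR.NET", "mail.cynistar.net", "localhost.localdomain"]

def compare(samples=SAMPLES):
    """Map each sample to the rule number (or None) it hits in each table."""
    result = {}
    for helo in samples:
        hits = (lookup(POSTED, helo), lookup(ANCHORED, helo))
        result[helo] = tuple(hit[0] if hit else None for hit in hits)
    return result

if __name__ == "__main__":
    for helo, (posted, anchored) in compare().items():
        print(f"{helo:24} posted=rule {posted}  anchored=rule {anchored}")
```

In the output, 66.143.181.80 lies outside 66.143.181.8/29 yet hits rule 1 as posted because that pattern is unanchored, and a bracketed literal such as [192.0.2.1] reaches no rule as posted.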
