Nikolai Lusan wrote:

>I recently came across an edge case for HELO/EHLO filtering that I
>would [potentially] like to whitelist.
>
>There is an Australian Government department that is sending one
>hostname as its HELO/EHLO string, the hostname is non-resolvable, from
>a host that resolves to a different name.

That's not an edge case, that's "normal" :-/

My experience says not to do much with the EHLO except require that 
it actually be a FQDN and not be one of your own. That means check 
that it looks like a FQDN (has more than one part, with dot(s) in 
between), that it doesn't equal one of your own domains, but other 
than that ignore what it is.

The alternative is to spend a lot of time dealing with queries and 
whitelisting broken servers - in particular the majority of 
Microsoft Exchange servers configured as <domain>.local.
The same goes for doing reverse-forward lookups on the client's IP 
address - there are so many systems where the DNS is wrong that it's 
the exception to find this works out right.


I have the following set on my servers :
smtpd_helo_restrictions = check_client_access cidr:/etc/postfix/host_access,
   permit_mynetworks,
   permit_sasl_authenticated,
   check_helo_access hash:/etc/postfix/helo_access,
   reject_non_fqdn_hostname,
   reject_invalid_hostname,
   permit

From http://www.postfix.org/postconf.5.html

>reject_invalid_helo_hostname (with Postfix < 2.3: reject_invalid_hostname)
>Reject the request when the HELO or EHLO hostname syntax is invalid. 
>Note: specify "smtpd_helo_required = yes" to fully enforce this 
>restriction (without "smtpd_helo_required = yes", a client can 
>simply skip reject_invalid_helo_hostname by not sending HELO or 
>EHLO).
>The invalid_hostname_reject_code specifies the response code for 
>rejected requests (default: 501).
>
>reject_non_fqdn_helo_hostname (with Postfix < 2.3: reject_non_fqdn_hostname)
>Reject the request when the HELO or EHLO hostname is not in 
>fully-qualified domain form, as required by the RFC. Note: specify 
>"smtpd_helo_required = yes" to fully enforce this restriction 
>(without "smtpd_helo_required = yes", a client can simply skip 
>reject_non_fqdn_helo_hostname by not sending HELO or EHLO).
>The non_fqdn_reject_code parameter specifies the response code for 
>rejected requests (default: 504).

Just those weed out a lot of messages that just have some PC name as 
the hostname in helo/ehlo.


Then in /etc/postfix/helo_access I have :
<my FQDN>       500 Error validating hostname, connection rejected.
<my IP address> 500 Error validating hostname, connection rejected.

Fill in your names and addresses to suit. Those stop a whole shedload 
more from spammers that just use your IP address or FQDN as their 
hostname.

-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
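
The check described in the message above (the HELO/EHLO name must look like a FQDN and must not be one of your own names or addresses, and is otherwise ignored), as an added example that is not part of the original post and is not Postfix code. The function name, the treatment of bare and bracketed IP literals, and the sample names and documentation-range addresses are assumptions.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 chars.
LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")

def helo_verdict(helo, own_names, own_addrs):
    """Return (action, reason) for a HELO/EHLO argument (hypothetical helper)."""
    # Compare case-insensitively and ignore a trailing root dot, so that
    # "MAIL.Example.ORG." cannot slip past a check for "mail.example.org".
    name = helo.strip().lower().rstrip(".")
    own_names = {n.lower().rstrip(".") for n in own_names}
    own_ips = {ipaddress.ip_address(a) for a in own_addrs}

    # Address literal "[192.0.2.1]" / "[IPv6:...]", or a bare IP address.
    bracketed = name.startswith("[") and name.endswith("]")
    literal = name[1:-1] if bracketed else name
    if literal.startswith("ipv6:"):
        literal = literal[5:]
    try:
        addr = ipaddress.ip_address(literal)
    except ValueError:
        addr = None
    if addr is not None:
        if addr in own_ips:
            return ("reject", "client claims to be our IP address")
        if bracketed:
            return ("permit", "address literal that is not ours")
        return ("reject", "bare IP address is not a FQDN")

    labels = name.split(".")
    if not all(LABEL.fullmatch(label) for label in labels):
        return ("reject", "invalid hostname syntax")
    if len(labels) < 2:
        return ("reject", "not fully qualified")
    if name in own_names:
        return ("reject", "client claims to be one of our names")
    # Deliberately no DNS lookup: unresolvable names such as *.local pass.
    return ("permit", "looks like a FQDN and is not ours")

# Constructed sample data: our own identity and a few HELO strings.
OWN_NAMES = ["mail.example.org", "example.org"]
OWN_ADDRS = ["192.0.2.10", "2001:db8::10"]
SAMPLES = ["exchange01.corp.local", "DESKTOP-4F2K", "MAIL.Example.ORG.",
           "192.0.2.10", "[IPv6:2001:db8::10]", "[198.51.100.7]", "my_pc.lan"]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:24} -> {helo_verdict(s, OWN_NAMES, OWN_ADDRS)}")
```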