On 2 Aug 2020, at 10:07, Rupert Gallagher wrote:
> To ignore it, as you say, I would have to remove the postfix check,
> write rules to implement a non-blocking check, then write rules to
> implement the rejection except for whitelisted domains.

OR, in the language of Postfix configuration:

    smtpd_helo_required = yes
    smtpd_helo_restrictions = check_helo_access pcre:badheloallowed,
        reject_unknown_helo_hostname, reject_non_fqdn_helo_hostname

And put entries into $config_directory/badheloallowed like this:

    /localhost/ PERMIT
    /invalid_hostname/ PERMIT
    /unresolvable.rbs.co.uk/ PERMIT
    /mailhost.sc.com/ PERMIT

> It is a lot of work,

I just did it for you, for free. The hardest "work" was looking up a
couple of bank domains for examples.

> to allow a bank and an accounting firm to violate an industry
> standard, and still have the doubt on the authenticity of their
> e-mails. No thank you.

If you want to authenticate email, it needs to use some form of internal
authentication such as DKIM, S/MIME or OpenPGP. Trusting the
authenticity of email simply because it comes from a machine which uses
a resolvable HELO in a particular domain is a naive approach unless you
are *AT LEAST* using a DNS resolver that demands authenticated answers,
i.e. requires DNSSEC, treating non-DNSSEC replies as meaningless.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not For Hire (currently)
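
Added example, not part of the message above and not Postfix code: a small Python check of which HELO names a pcre-style exception table permits, run over the four entries as posted and over a constructed variant with anchors and escaped dots. The helper names (load_table, lookup, overmatches), the ANCHORED table and the sample HELO names are assumptions made for the illustration, and Python's re module stands in for PCRE.

```python
import re

# The four entries from the message, as posted (unanchored, dots unescaped).
AS_POSTED = [
    r"/localhost/ PERMIT",
    r"/invalid_hostname/ PERMIT",
    r"/unresolvable.rbs.co.uk/ PERMIT",
    r"/mailhost.sc.com/ PERMIT",
]
# Constructed variant: same names, anchored with ^...$ and with literal dots.
ANCHORED = [
    r"/^localhost$/ PERMIT",
    r"/^invalid_hostname$/ PERMIT",
    r"/^unresolvable\.rbs\.co\.uk$/ PERMIT",
    r"/^mailhost\.sc\.com$/ PERMIT",
]
# Constructed HELO names for the comparison.
SAMPLE_HELOS = ["localhost", "mailhost.sc.com", "notlocalhost.example.net",
                "mailhost-sc-com.example.net", "mail.example.org"]

def load_table(lines):
    """Parse '/pattern/flags action' lines as laid out in pcre_table(5)."""
    rules = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/([a-zA-Z]*)\s+(.+)$", line)
        if not m:
            raise ValueError(f"unparsable table line: {line!r}")
        pattern, flags, action = m.groups()
        # pcre tables are case-insensitive by default; an 'i' flag toggles that off.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action))
    return rules

def lookup(rules, helo):
    """First match wins; None means the name falls through to the reject_* checks."""
    for rx, action in rules:
        if rx.search(helo):
            return action
    return None

def overmatches(loose, strict, names):
    """Names that the loose table permits but the strict table does not."""
    return [n for n in names if lookup(loose, n) and not lookup(strict, n)]

if __name__ == "__main__":
    posted, anchored = load_table(AS_POSTED), load_table(ANCHORED)
    for name in SAMPLE_HELOS:
        print(f"{name:32} posted={lookup(posted, name)} anchored={lookup(anchored, name)}")
```
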