On Thu, 19 Oct 2006, John D. Hardin wrote: > On Thu, 19 Oct 2006, R Lists06 wrote: > > > > > RFC 1123 says you should not reject based upon HELO > > > > > > Bah. If some machine I don't control tries to "HELO > > > whatever.impsec.org" I'm absolutely going to tell them to go away. > > > > what program is doing the rejection though? > > milter-regex
Doesn't even have to be that fancy, can be done with simple sendmail rules. If any remote system HELOs to one of our MXs with one of our domain names or IP-addr-literals, it'll tell them to go away. I've also taken it one step further and built up a list of common well-known sites (EG "aol.com", "hotmail.com", "yahoo.com" etc). If a remote site uses one of those names in its HELO then their rdns better point back to that same domain. Slam the door at the SMTP level and don't even waste time on SA. I also used to check for such bogus HELOs as 'localhost' and 'localhost.localdomain' but there were far too many FPs due to semi-clueless ISP admins. ;( Note that I do run a MSA with SMTP-AUTH for our road-warriors and that system is configured with "AllowBogusHELO=True" ;) -- Dave Funk University of Iowa <dbfunk (at) engineering.uiowa.edu> College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include <std_disclaimer.h> Better is not better, 'standard' is better. B{