On Thu, 19 Oct 2006, John D. Hardin wrote:

> On Thu, 19 Oct 2006, R Lists06 wrote:
>
> > > > RFC 1123 says you should not reject based upon HELO
> > >
> > > Bah. If some machine I don't control tries to "HELO
> > > whatever.impsec.org" I'm absolutely going to tell them to go away.
> >
> > what program is doing the rejection though?
>
> milter-regex

Doesn't even have to be that fancy, can be done with simple sendmail
rules. If any remote system HELOs to one of our MXs with one of our
domain names or IP-addr-literals, it'll tell them to go away.

I've also taken it one step further and built up a list of common
well-known sites (e.g. "aol.com", "hotmail.com", "yahoo.com" etc).
If a remote site uses one of those names in its HELO then their rdns
better point back to that same domain.
Slam the door at the SMTP level and don't even waste time on SA.

I also used to check for such bogus HELOs as 'localhost' and
'localhost.localdomain' but there were far too many FPs due to
semi-clueless ISP admins. ;(

Note that I do run an MSA with SMTP-AUTH for our road-warriors
and that system is configured with "AllowBogusHELO=True" ;)

-- 
Dave Funk                                  University of Iowa
<dbfunk (at) engineering.uiowa.edu>        College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
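
The HELO checks described in this message, written out as an added Python example (not the poster's sendmail rules or a milter-regex configuration). The domain names, addresses and function names are constructed assumptions, and the client's PTR name is passed in rather than looked up so the block runs offline.

```python
import ipaddress

# Constructed sample policy data (assumptions, not the poster's configuration).
OUR_DOMAINS = {"example.edu"}
OUR_ADDRS = {ipaddress.ip_address("192.0.2.25")}   # our MX addresses
WELL_KNOWN = {"aol.com", "hotmail.com", "yahoo.com"}

def norm(name):
    return (name or "").strip().rstrip(".").lower()

def in_domain(name, domain):
    """True if name is the domain itself or a subdomain (label boundary)."""
    return name == domain or name.endswith("." + domain)

def check_helo(helo, client_ip, client_rdns, authenticated=False):
    """Return (accept, reason) for one session's HELO/EHLO argument."""
    if authenticated:                      # SMTP-AUTH submission is exempt
        return True, "authenticated, HELO not checked"
    if ipaddress.ip_address(client_ip) in OUR_ADDRS:
        return True, "our own host"        # only remote systems are checked
    helo = norm(helo)
    if helo.startswith("[") and helo.endswith("]"):   # address literal
        lit = helo[1:-1]
        if lit.startswith("ipv6:"):
            lit = lit[5:]
        try:
            if ipaddress.ip_address(lit) in OUR_ADDRS:
                return False, "HELO uses our IP address literal"
        except ValueError:
            pass                           # malformed literal: out of scope here
        return True, "ok"
    if any(in_domain(helo, d) for d in OUR_DOMAINS):
        return False, "HELO uses our domain name"
    rdns = norm(client_rdns)
    for d in WELL_KNOWN:
        if in_domain(helo, d) and not in_domain(rdns, d):
            return False, f"HELO claims {d}, rDNS is {rdns or 'missing'}"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sessions: (HELO argument, client IP, PTR name, authenticated)
    for s in [("mail.example.edu", "203.0.113.7", "host.example.net", False),
              ("yahoo.com", "203.0.113.7", "dsl-7.example.net", False),
              ("mta1.yahoo.com", "198.51.100.9", "mta1.yahoo.com.", False),
              ("localhost", "203.0.113.7", None, False),
              ("example.edu", "203.0.113.7", None, True)]:
        print(s[0], "->", check_helo(*s))
```

"localhost" is accepted here because the message says that check was dropped over false positives; a production check would also confirm that the PTR name resolves forward to the client address.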
