[Techtalk] Postfix HELO controls
Doc Nielsen
docnielsen at gmail.com
Sat Jan 6 04:22:33 UTC 2007
On 1/6/07, Maria McKinley <maria at shadlen.org> wrote:
> Has anyone ever run into problems using postfix helo controls to reject
> spam? I'm thinking of implementing the rejection of mails that
> identifies itself as our machine or our ip. I'm a little confused as to
> how it determines what is our machine vs. what is just identifying
> itself as our machine, but it looks like this part is at least straight
> forward to implement.
>
> From what I have read, it sounds like faking to be the recipient's
> machine is a thing that is common for spammers to do, but virtually
> unheard of for legitimate mail servers. I assume this is because they
> are trying to protect their own ip/machine name from being blacklisted.
> If so, this sounds like an obvious thing to do, but wanted to check with
> you experts to see if there are some problems with this implementation I
> am overlooking.
>
> cheers,
> maria
You are correct. For my own private mailserver, i have banned other
servers using my servername as HELO.
since your own server never says HELO or EHLO to itself,
adding your own hostname to "check_helo_access
hash:/etc/postfix/helo_access" would be the thing to do.
docnielsen.dk REJECT i am docnielsen.dk ... who are you?
Also, adding things in its proper order helps a great deal
smtpd_helo_restrictions = permit_sasl_authenticated,
check_helo_access hash:/etc/postfix/helo_access
smtpd_recipient_restrictions = permit_sasl_authenticated,
check_client_access hash:/etc/postfix/client_access,
check_helo_access hash:/etc/postfix/helo_access,
check_sender_access hash:/etc/postfix/sender_access,
check_sender_access hash:/etc/postfix/freemail_access,
check_sender_access hash:/etc/postfix/verify_sender_domain,
check_sender_mx_access hash:/etc/postfix/mx_access,
check_recipient_access hash:/etc/postfix/recipient_access,
check_recipient_mx_access hash:/etc/postfix/mx_access,
reject_unauth_destination,
reject_non_fqdn_sender,
reject_non_fqdn_recipient,
reject_unknown_recipient_domain,
reject_unknown_sender_domain,
reject_non_fqdn_hostname,
reject_invalid_hostname,
reject_rbl_client sbl-xbl.spamhaus.org,
and so on...
-Doc
--
Evry little box should have a pat on the back by uid 0 at least once a day
Even a tux or a beastie needs love, just like I do :o)
More information about the Techtalk
mailing list