[Techtalk] Postfix HELO controls

Doc Nielsen docnielsen at gmail.com
Sat Jan 6 04:22:33 UTC 2007


On 1/6/07, Maria McKinley <maria at shadlen.org> wrote:
> Has anyone ever run into problems using postfix helo controls to reject
> spam? I'm thinking of implementing the rejection of mails that
> identifies itself as our machine or our ip. I'm a little confused as to
> how it determines what is our machine vs. what is just identifying
> itself as our machine, but it looks like this part is at least straight
> forward to implement.
>
>  From what I have read, it sounds like faking to be the recipient's
> machine is a thing that is common for spammers to do, but virtually
> unheard of for legitimate mail servers. I assume this is because they
> are trying to protect their own ip/machine name from being blacklisted.
> If so, this sounds like an obvious thing to do, but wanted to check with
> you experts to see if there are some problems with this implementation I
> am overlooking.
>
> cheers,
> maria

You are correct. For my own private mailserver, i have banned other
servers using my servername as HELO.
since your own server never says HELO or EHLO to itself,
adding your own hostname to "check_helo_access
hash:/etc/postfix/helo_access" would be the thing to do.

docnielsen.dk           REJECT i am docnielsen.dk ... who are you?

Also, adding things in its proper order helps a great deal

smtpd_helo_restrictions = permit_sasl_authenticated,
   check_helo_access hash:/etc/postfix/helo_access

smtpd_recipient_restrictions = permit_sasl_authenticated,
   check_client_access hash:/etc/postfix/client_access,
   check_helo_access hash:/etc/postfix/helo_access,
   check_sender_access hash:/etc/postfix/sender_access,
   check_sender_access hash:/etc/postfix/freemail_access,
   check_sender_access hash:/etc/postfix/verify_sender_domain,
   check_sender_mx_access hash:/etc/postfix/mx_access,
   check_recipient_access hash:/etc/postfix/recipient_access,
   check_recipient_mx_access hash:/etc/postfix/mx_access,
   reject_unauth_destination,
   reject_non_fqdn_sender,
   reject_non_fqdn_recipient,
   reject_unknown_recipient_domain,
   reject_unknown_sender_domain,
   reject_non_fqdn_hostname,
   reject_invalid_hostname,
   reject_rbl_client sbl-xbl.spamhaus.org,

and so on...

-Doc
--
Evry little box should have a pat on the back by uid 0 at least once a day
Even a tux or a beastie needs love, just like I do :o)


More information about the Techtalk mailing list