[Techtalk] Postfix HELO controls

Maria McKinley maria at shadlen.org
Sat Jan 6 22:26:10 UTC 2007


Doc Nielsen wrote:
> On 1/6/07, Maria McKinley <maria at shadlen.org> wrote:
>> Has anyone ever run into problems using postfix helo controls to reject
>> spam? I'm thinking of implementing the rejection of mails that
>> identify themselves as our machine or our IP. I'm a little confused as to
>> how it determines what is our machine vs. what is just identifying
>> itself as our machine, but it looks like this part is at least straight
>> forward to implement.
>>
>>  From what I have read, it sounds like faking to be the recipient's
>> machine is a thing that is common for spammers to do, but virtually
>> unheard of for legitimate mail servers. I assume this is because they
>> are trying to protect their own ip/machine name from being blacklisted.
>> If so, this sounds like an obvious thing to do, but wanted to check with
>> you experts to see if there are some problems with this implementation I
>> am overlooking.
>>
>> cheers,
>> maria
> 
> You are correct. For my own private mailserver, I have banned other
> servers using my servername as HELO.
> Since your own server never says HELO or EHLO to itself,
> adding your own hostname to "check_helo_access
> hash:/etc/postfix/helo_access" would be the thing to do.
> 
> docnielsen.dk           REJECT i am docnielsen.dk ... who are you?
> 
> Also, adding things in its proper order helps a great deal
> 
> smtpd_helo_restrictions = permit_sasl_authenticated,
>    check_helo_access hash:/etc/postfix/helo_access
> 
> smtpd_recipient_restrictions = permit_sasl_authenticated,
>    check_client_access hash:/etc/postfix/client_access,
>    check_helo_access hash:/etc/postfix/helo_access,
>    check_sender_access hash:/etc/postfix/sender_access,
>    check_sender_access hash:/etc/postfix/freemail_access,
>    check_sender_access hash:/etc/postfix/verify_sender_domain,
>    check_sender_mx_access hash:/etc/postfix/mx_access,
>    check_recipient_access hash:/etc/postfix/recipient_access,
>    check_recipient_mx_access hash:/etc/postfix/mx_access,
>    reject_unauth_destination,
>    reject_non_fqdn_sender,
>    reject_non_fqdn_recipient,
>    reject_unknown_recipient_domain,
>    reject_unknown_sender_domain,
>    reject_non_fqdn_hostname,
>    reject_invalid_hostname,
>    reject_rbl_client sbl-xbl.spamhaus.org,
> 
> and so on...
> 
> -Doc

Well, it was a bit scary, but I changed the postfix config to reject 
stuff from places pretending to be us. Outright rejection of mail is a 
scary thing, but I've been looking over the log carefully for the past 
12 hours, and there have been quite a few rejections, and they all seem 
to be quite clearly from spammers. I tried sending a mail from a 
different account, but saying it was from my local account, and this 
mail came through fine, so it does seem to be something that is more 
complicated than just a user setting a different from address. Thanks 
for your help. Btw, I used IPs instead of hostnames, I assume in the end 
it is all the same?

cheers,
maria
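The check Doc and Maria are discussing, modelled in Python as an added example (not code from the thread or from Postfix itself). It reproduces the lookup order of access(5) for a check_helo_access table: a hostname is tried in full and then as each parent domain, while an address literal such as [192.0.2.10] is tried as the bare address and then as shorter dotted prefixes. Two things it is meant to make visible: the table key for an IP is written without the brackets the HELO command carries, so "IPs instead of hostnames" is the same mechanism but not the same key, and the decision only ever looks at the HELO name and SASL state, never at the From address, which is why Maria's forged-From test went through. The helo_access table and the client sessions below are constructed for this example; the docnielsen.dk entry is the one from the thread, the 192.0.2.x/198.51.100.x addresses are documentation prefixes, and the default setting of parent_domain_matches_subdomains (which lists smtpd_access_maps) is assumed.

```python
import re

# Constructed helo_access table in postmap input form (key, whitespace, action).
# docnielsen.dk is the entry from the thread; the address keys are assumed.
HELO_ACCESS_TEXT = """
# a hostname key matches that name and, by default, its subdomains
docnielsen.dk       REJECT i am docnielsen.dk ... who are you?
# address keys are written WITHOUT the brackets that a HELO [a.b.c.d] carries
192.0.2.10          REJECT that is my own address
198.51.100          REJECT nothing in my /24 relays through me
"""


def parse_access_table(text):
    """Parse a postmap-style text table into {lowercased key: action}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return table


def helo_lookup_keys(helo_name, parent_matches_subdomains=True):
    """Keys tried, in order, for one HELO/EHLO argument, following access(5).

    [a.b.c.d] is looked up as an IPv4 address: full address, then shorter
    dotted prefixes.  A hostname is looked up in full, then as each parent
    domain.  With the default parent_domain_matches_subdomains (which lists
    smtpd_access_maps) parent keys are plain "domain.tld"; if that setting is
    changed they carry a leading dot.  IPv6 literals are not modelled here.
    """
    name = helo_name.strip().lower().rstrip(".")   # HELO names may end in "."
    if not name:                                    # never look up ""
        return []
    m = re.fullmatch(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", name)
    if m:
        octets = m.group(1).split(".")
        return [".".join(octets[:n]) for n in range(4, 0, -1)]
    labels = name.split(".")
    keys = [name]
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        keys.append(parent if parent_matches_subdomains else "." + parent)
    return keys


def check_helo_access(table, helo_name):
    """Action of the first matching key, or 'DUNNO' when nothing matches."""
    for key in helo_lookup_keys(helo_name):
        if key in table:
            return table[key]
    return "DUNNO"


def evaluate(session, table):
    """Mimic Doc's smtpd_helo_restrictions ordering:
    permit_sasl_authenticated first, then check_helo_access.

    `session` is a constructed dict with 'helo', 'sasl' and 'from' fields.
    The 'from' field is deliberately never consulted: the HELO check knows
    nothing about envelope or header sender addresses.
    """
    if session.get("sasl"):
        return "PERMIT"
    return check_helo_access(table, session["helo"])


if __name__ == "__main__":
    table = parse_access_table(HELO_ACCESS_TEXT)
    sessions = [  # constructed SMTP sessions, not real log data
        {"helo": "docnielsen.dk", "sasl": False, "from": "x@spam.invalid"},
        {"helo": "MAIL.docnielsen.dk.", "sasl": False, "from": "x@spam.invalid"},
        {"helo": "[192.0.2.10]", "sasl": False, "from": "x@spam.invalid"},
        {"helo": "[192.0.2.11]", "sasl": False, "from": "x@spam.invalid"},
        # forged From but honest HELO: passes, exactly as Maria observed
        {"helo": "mx.example.net", "sasl": False, "from": "maria@shadlen.org"},
        # own user authenticated, even with the server's own name as HELO
        {"helo": "docnielsen.dk", "sasl": True, "from": "doc@docnielsen.dk"},
    ]
    for s in sessions:
        print(f"{s['helo']:22} sasl={s['sasl']!s:5} -> {evaluate(s, table)}")
```

Ordering is the practical caveat: anything that should be exempt (permit_sasl_authenticated, and permit_mynetworks if local tools submit over SMTP to the host with its own name as HELO) has to come before check_helo_access, because the first restriction that returns anything other than DUNNO ends the evaluation.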

