LuKreme wrote:
> I have the following helo restriction in a pcre file:
> 
> !/[[:alpha:]]/                    REJECT helo non-alpha helo not allowed
> 
> I ran it with WARN for quite a while and didn't see any legitimate
> messages that hit it, so I moved it to REJECT.  However, my mailserver
> is starting to see more traffic now than it used to, and more varied.  I
> had to remove my CIDR blocks on china and south korea, for example. 
> True, most of that mail still hits zen or fails to pass greylisting, but
> where there used to be -zero- legit mail from those countries, now
> there's a little.
> 
> So I thought I'd see if anyone else thought that a helo in the form
> [12.34.56.789] SHOULD be allowed. I mean, as far as I recall, this is
> still technically allowed, right?
> 


a literal IP helo is allowed by the RFC. but:
- I have not seen this in legitimate inbound mail for a very long time
- the argument in the RFC says that literal ip is used when the client
can't get its name. in the case of inbound mail, this would mean that
the client couldn't get its name yet it could look up your MX. ahem. a
long time ago, MTAs that used different routing paths tried this, but
it's no better than defining a domain name instead.

if you go this road, then you should also use
        reject_invalid_helo_hostname
        reject_non_fqdn_helo_hostname
then you only need a check_helo_access that does:

/^\[/    REJECT literal IP helo not accepted here

if you think this is too aggressive, then

/^\[/    reject_unknown_client

is more "politically correct" (nobody can use the RFCs against you).

you can play on both sides with

/^\[/    reject_unknown_client, REJECT


> I've thought about simply going back to warn, but when I first
> implemented this check it hit a few dozen a day, and now it hits many
> hundreds, so searching for legitimate messages among the warnings will
> be considerably harder.
> 
> My complete helo_checks.pcre looks like this:
> !/[[:alpha:]]/                    REJECT helo non-alpha helo not allowed to talk to me
> !/\.[[:alpha:]]{2,}$/             REJECT helo no TLD, invalid hostname
> 

it looks like you're reinventing checks that are already available in
postfix. see above.

> # Block localhost (unusual in HELO)
> /^localhost(\.localdomain)?$/ REJECT helo Unacceptable hostname in helo
> /^unknown$/ REJECT helo No unknown hostnames
> /^75\.148\.117\.93/ REJECT helo Don't Spoof My IP
> /^\[75\.148\.117\.93\]/ REJECT helo Don't Spoof My IP
> /^covisp\.net$/ REJECT helo Don't spoof my hostname
> /^southgaylord\.com$/ REJECT helo Don't spoof my hostname
> /^kreme\.com$/ REJECT helo Don't spoof my hostname
> /^example\.com$/ REJECT helo Don't spoof my hostname
> /^example\.net$/ REJECT helo Don't spoof my hostname

better use a hash for the above. I personally use mysql.

> /\.(dsl|adsl|pool|dynamic|user|hsd|dyn|dial)/ REJECT helo Dynamic . addresses not allowed
> /^(dsl|adsl|pool|dynamic|user|hsd|dyn|dial)/ REJECT helo Dynamic ^ addresses not allowed
> 
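
An added example, not part of either poster's message: a small Python evaluator for the pcre-table rules quoted in this thread, run over constructed HELO names to show which rule fires first under the broad non-alpha check versus the narrower literal-IP check. It assumes first-match-wins lookup, `!` negation and case-insensitive matching as documented in pcre_table(5), substitutes `A-Za-z` for `[:alpha:]` because Python's `re` has no POSIX classes, and the names `load`, `lookup` and `compare` are hypothetical.

```python
import re

# Constructed tables from the thread's rules; the literal-IP bracket is escaped.
OP_TABLE = r"""
!/[[:alpha:]]/         REJECT helo non-alpha helo not allowed to talk to me
!/\.[[:alpha:]]{2,}$/  REJECT helo no TLD, invalid hostname
"""
REPLY_TABLE = r"""
/^\[/    REJECT literal IP helo not accepted here
"""

RULE = re.compile(r"^(!?)/(.*)/([a-z]*)\s+(.*)$")

def load(text):
    """Parse '/pattern/flags action' lines; a leading '!' negates the match."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line}")
        negate, pattern, flags, action = m.groups()
        # Python's re has no POSIX classes; substitute the one used here.
        pattern = pattern.replace("[:alpha:]", "A-Za-z")
        # pcre_table(5): matching ignores case unless the 'i' flag toggles it.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((bool(negate), re.compile(pattern, re_flags), action))
    return rules

def lookup(rules, helo):
    """Return the action of the first rule that fires, or None if none does."""
    for negate, rx, action in rules:
        if bool(rx.search(helo)) != negate:
            return action
    return None

# Constructed HELO names using documentation addresses and domains.
SAMPLES = ["[192.0.2.10]", "192.0.2.10", "[IPv6:2001:db8::1]", "mail.example.org"]

def compare(samples=SAMPLES):
    """Map each HELO name to (action under OP_TABLE, action under REPLY_TABLE)."""
    op, reply = load(OP_TABLE), load(REPLY_TABLE)
    return {helo: (lookup(op, helo), lookup(reply, helo)) for helo in samples}

if __name__ == "__main__":
    for helo, (op_action, reply_action) in compare().items():
        print(f"{helo:20} OP={op_action!r} reply={reply_action!r}")
```

Feeding it HELO names pulled from the mail log in place of `SAMPLES` shows which rule would fire for real traffic before an action is changed from WARN to REJECT.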


