Dear list, I found that a lot of spam can be weeded out by rejecting clients who greet me with my own hostname. Initially, I achieved this with the following:
main.cf:
smtpd_helo_restrictions =
[…]
check_helo_access pcre:$config_directory/reject_helo_myhostname
reject_helo_myhostname:
/^myhostname(\.mydomain)?$/ 554 do not impersonate me
I then ran into problems when the host connected to itself through
the loopback interface. Since I did not want to add
permit_mynetworks to smtpd_helo_restrictions (I expect all machines
on my network to pass the other helo restrictions), I went on to
experiment with restriction classes. I now realise that there are
other, more direct ways to achieve what I want, but I would still
like to figure out a problem I ran into:
main.cf:
smtpd_helo_restrictions =
[…]
check_helo_access pcre:$config_directory/reject_helo_myhostname
smtpd_restriction_classes =
[…]
target_reject_helo_myhostname
target_reject_helo_myhostname =
permit_mynetworks
sleep 10
reject
reject_helo_myhostname:
/^myhostname(\.mydomain)?$/ target_reject_helo_myhostname
This works, but I wanted to have a more verbose error message, so
I replaced the last line with
check_helo_access static:554 do not impersonate me
Much to my surprise, this caused the message to be accepted.
I speculated this might have to do with the spaces and tried to
quote the text, which did not work.
After discovering that
check_helo_access static:REJECT
worked fine, I tried
check_helo_access static:554
but that got the message accepted too.
I now found a better solution, but I am still curious what I did
wrong in using the static map.
Thanks for your time!
--
martin | http://madduck.net/ | http://two.sentenc.es/
the security, stability and reliability of a computer system
is reciprocally proportional to
the amount of vacuity between the ears of the admin.
spamtraps: madduck.bo...@madduck.net
digital_signature_gpg.asc
Description: Digital signature (see http://martin-krafft.net/gpg/)
