martin f krafft put forth on 10/3/2010 7:34 AM:
> Dear list,
>
> I found that a lot of spam can be weeded out by rejecting clients
> who greet me with my own hostname. Initially, I achieved this with
> the following:
>
>   main.cf:
>     smtpd_helo_restrictions =
>       […]
>       check_helo_access pcre:$config_directory/reject_helo_myhostname
>
>   reject_helo_myhostname:
>     /^myhostname(\.mydomain)?$/ 554 do not impersonate me
>
> I then ran into problems when the host connected to itself through
> the loopback interface. Since I did not want to add
> permit_mynetworks to smtpd_helo_restrictions (I expect all machines
> on my network to pass the other helo restrictions)
<snip>

TTBOMK, the proper way to do this is the method you are avoiding, which
is to implement permit_mynetworks in smtpd_helo_restrictions. Also note
you can do this just as easily with a hash table as with a PCRE table.
Excellent how-to:

http://www.unixwiz.net/techtips/postfix-HELO.html

I think you're currently making this more complicated than it needs to
be. If not, if you absolutely can't do it this way, and you're having
reinjection problems with content filters or policy daemons, simply add
something like this to the master.cf entry for the reinjection smtpd
listener:

daemon inet n - - - - smtpd
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=permit_mynetworks,reject

If you don't already have a dedicated reinjection listener, that's a
problem, and you should set one up. You shouldn't be dumping mail
that's already been through a content filter or policy daemon back into
your public facing smtpd listener on localhost:25, which has all the
smtpd_foo_restrictions restrictions on it.

If you aren't currently eliminating these restrictions on reinjection
connections, you are doing extra unnecessary processing and throwing up
unnecessary roadblocks to internal trusted communications between your
Postfix processes. smtpd_foo_restrictions are designed to be used
against foreign public MTAs connecting to your public facing smtpd, not
against trusted internal processes.

-- 
Stan
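
The ordering point in the exchange above, as an added example that is not part of either message: a simplified Python model of how a Postfix restriction list is walked in order until one restriction gives a decisive answer. The hostname, networks and table contents are constructed sample values, and the access lookup is reduced to an exact key match.

```python
import ipaddress

# Constructed sample values (assumptions, not taken from the thread).
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
# Stand-in for a hash: access table keyed on the HELO name.
HELO_ACCESS = {"mail.example.com": "REJECT do not impersonate me"}


def permit_mynetworks(client_ip, helo):
    """PERMIT when the client address is inside mynetworks, else no opinion."""
    ip = ipaddress.ip_address(client_ip)
    return "PERMIT" if any(ip in net for net in MYNETWORKS) else None


def check_helo_access(client_ip, helo):
    """Look the HELO name up in the table (simplified: exact match only)."""
    return HELO_ACCESS.get(helo.lower().rstrip("."))


def evaluate(restrictions, client_ip, helo):
    """Walk the list in order; the first decisive result ends evaluation."""
    for restriction in restrictions:
        result = restriction(client_ip, helo)
        if result is not None:
            return result
    return "DUNNO"  # nothing matched; later restriction classes would decide


# The list from the question: only the HELO table is consulted.
ORIGINAL = [check_helo_access]
# The list suggested in the reply: trusted networks are permitted first.
SUGGESTED = [permit_mynetworks, check_helo_access]

if __name__ == "__main__":
    cases = [
        ("127.0.0.1", "mail.example.com"),    # host talking to itself
        ("203.0.113.7", "mail.example.com"),  # outside client using our name
        ("203.0.113.7", "other.example.net"), # outside client, unrelated name
    ]
    for ip, helo in cases:
        print(ip, helo, "| original:", evaluate(ORIGINAL, ip, helo),
              "| suggested:", evaluate(SUGGESTED, ip, helo))
```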