On 10/3/2010 7:34 AM, martin f krafft wrote:
> Dear list,
>
> I found that a lot of spam can be weeded out by rejecting clients
> who greet me with my own hostname. Initially, I achieved this with
> the following:
>
>    main.cf:
>      smtpd_helo_restrictions =
>        […]
>        check_helo_access pcre:$config_directory/reject_helo_myhostname
>
>    reject_helo_myhostname:
>      /^myhostname(\.mydomain)?$/ 554 do not impersonate me
>
> I then ran into problems when the host connected to itself through
> the loopback interface. Since I did not want to add
> permit_mynetworks to smtpd_helo_restrictions (I expect all machines
> on my network to pass the other helo restrictions), I went on to
You're shooting yourself in the foot by not using permit_mynetworks. If they're authorized clients, you shouldn't make them jump through the hoops intended for potentially hostile outside connections.


> experiment with restriction classes. I now realise that there are
> other, more direct ways to achieve what I want, but I would still
> like to figure out a problem I ran into:
>
>    main.cf:
>      smtpd_helo_restrictions =
>        […]
>        check_helo_access pcre:$config_directory/reject_helo_myhostname
>
>      smtpd_restriction_classes =
>        […]
>        target_reject_helo_myhostname
>
>      target_reject_helo_myhostname =
>        permit_mynetworks
>        sleep 10
>
You're tying up a valuable smtpd process by using the sleep 10 before reject. This is a fine way to create your own denial of service. Get rid of unwanted connections as soon as possible.

>        reject
>
>    reject_helo_myhostname:
>      /^myhostname(\.mydomain)?$/ target_reject_helo_myhostname
>
> This works, but I wanted to have a more verbose error message, so
> I replaced the last line with
>
Lots easier to just use
     /^myhostname(\.mydomain)?$/  REJECT don't use my hostname


>        check_helo_access static:554 do not impersonate me
>
> Much to my surprise, this caused the message to be accepted.
>
The static: map type only returns the first element. This could probably be better documented, but has been discussed on this list numerous times.

As documented in access(5), an all-numeric response means "OK". Anyway, you should be using 'REJECT' rather than a code as a general rule.


...
> I now found a better solution, but I am still curious what I did
> wrong in using the static map.

Static maps are inappropriate for returning a custom response. Use a regexp: or pcre: map instead.


  -- Noel Jones
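The configuration Noel is recommending, written out as an added example that is not part of the thread. The file path /etc/postfix/reject_helo_myhostname, the sample lookup keys in the comments, and "myhostname"/"mydomain" as placeholders for the real names are assumptions; the REJECT line itself is the one Noel suggests.

```conf
# Added example, not from the original posts. Paths and sample
# hostnames are assumptions; "myhostname"/"mydomain" are placeholders.

# --- main.cf ---
# Clients in $mynetworks (loopback included) are permitted before the
# HELO check runs, so the host can connect to itself without tripping it.
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    check_helo_access pcre:/etc/postfix/reject_helo_myhostname
    # other helo restrictions for outside clients follow here

# --- /etc/postfix/reject_helo_myhostname (pcre: table; read directly,
# no postmap step needed) ---
# The whole right-hand side of a pcre: table entry is the access(5)
# result, so a custom reject text works here. It does not work as
#   check_helo_access static:554 do not impersonate me
# in main.cf: the static: lookup yields only "554", and access(5)
# treats an all-numeric result as OK, which is why the mail was accepted.
# Rejecting immediately (no "sleep 10") frees the smtpd process at once.
/^myhostname(\.mydomain)?$/   REJECT don't use my hostname

# Check the table from a shell before reloading Postfix:
#   postmap -q "myhostname.mydomain" pcre:/etc/postfix/reject_helo_myhostname
#   postmap -q "mx.example.org"      pcre:/etc/postfix/reject_helo_myhostname
# The first prints "REJECT don't use my hostname"; the second prints
# nothing and exits non-zero, meaning no match.
```

With smtpd_helo_required set, a client cannot sidestep the check by skipping HELO/EHLO altogether; it is not in the original posts but is the usual companion to any helo restriction.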
