On 8/4/2013 10:13 PM, Ronald F. Guilmette wrote:
> In message <[email protected]>,
> Noel Jones <[email protected]> wrote:
>
>> On 8/4/2013 8:06 PM, Ronald F. Guilmette wrote:
>>> Does reject_non_fqdn_helo_hostname, when placed in the
>>> smtpd_helo_restrictions, permit clients to HELO/EHLO
>>> with a square-bracket enclosed dotted quad IPv4 address?
>>
>> Yes.
>
> The documentation should probably be adjusted to make that more clear.
> Right now it reads:
>
>     Reject the request when the HELO or EHLO hostname is not in
>     fully-qualified domain form, as required by the RFC.
>
>>> If so, is the dotted quad checked to see that it properly
>>> represents the actual IP address of the actual current client?
>>
>> No.
>
> Is there any restriction verb that would cause a HELO/EHLO which specifies
> a square-bracketed dotted quad IPv4 address to be rejected when & if the
> dotted quad does not match the actual current client IP address?

I use a pcre table to reject any HELO that starts with a bracket or
looks like an IP. Legit hosts that use this form are very rare here
-- maybe one every couple years.

>
> Would reject_unknown_helo_hostname do it? If not maybe a new restriction
> verb would be useful to perform this exact check.

There is no built-in postfix restriction to compare the HELO to the
client hostname, and I would question the value of such a feature.
Do you see lots of spam with incorrect IP in the HELO? Do you see
significant numbers of legit hosts using a bracketed IP HELO?

>
>>> Certainly, some spam
>>> that I believe should have been rejected on the basis of one or another
>>> of the above RHS filters I am instead seeing (in my maillog file) being
>>> rejected instead by one or another of the subsequent reject_rbl_client
>>> filters. What could I be doing wrong?
>> You'll need to show evidence for further help on this.
>>
>> Doing RBL client checks in postscreen?
>
> I am not using postscreen at the present time.
>
> Do I need to use that if I want to perform RHSBL checks?

RHSBL checks work without postscreen. If you use postscreen, it
will reject clients before the smtpd_*_restrictions (and the smtpd
program itself) are ever run.

http://www.postfix.org/POSTSCREEN_README.html

  -- Noel Jones

>
>
> Regards,
> rfg
>
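
Added example, not part of the original thread and not Postfix's own code: because the reply above says there is no built-in restriction for this comparison, the check asked about can be expressed as the decision logic of a policy service (the kind called through check_policy_service), working on the request's helo_name and client_address attributes. The function names and the sample request are constructed for illustration, and the code also accepts the `IPv6:` literal form, which goes beyond the IPv4 case discussed in the thread.

```python
import ipaddress

def parse_request(text):
    """Parse one policy-delegation request (name=value lines) into a dict."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip():
            break  # an empty line terminates the request
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def helo_literal(helo):
    """Return the address inside a bracketed HELO literal, or None."""
    if not (helo.startswith("[") and helo.endswith("]")):
        return None
    body = helo[1:-1]
    if body[:5].lower() == "ipv6:":
        body = body[5:]  # strip the IPv6 address-literal tag
    return body

def decide(attrs):
    """Return the policy action for one parsed request."""
    literal = helo_literal(attrs.get("helo_name", ""))
    if literal is None:
        return "DUNNO"  # not an address literal; leave it to other restrictions
    try:
        claimed = ipaddress.ip_address(literal)
    except ValueError:
        return "REJECT malformed address literal in HELO"
    try:
        actual = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return "DUNNO"  # no usable client address; make no decision
    if claimed != actual:
        return "REJECT HELO address literal does not match client address"
    return "DUNNO"

# Constructed sample request using documentation address ranges.
SAMPLE = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "helo_name=[192.0.2.10]\n"
    "client_address=198.51.100.7\n"
    "\n"
)

if __name__ == "__main__":
    print("action=" + decide(parse_request(SAMPLE)))
```

A real policy service would wrap decide() in a loop that reads requests from a socket and writes back `action=...` followed by an empty line.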
