On Sat, 20 Mar 2021 21:28:31 -0400
Viktor Dukhovni <postfix-us...@dukhovni.org> wrote:
> On Sat, Mar 20, 2021 at 08:23:20PM -0400, Wietse Venema wrote:
> > David Mehler:
>
> > > I don't want to blanket disable reject_unknown_helo_hostname. Is
> > > there a way I can set a helo exception for this one host/sender?
> >
> > Yes you can.
> >
> > smtpd_recipient_restrictions =
> > ...
> > reject_unauth_destination
> > check_client_access inline:{example.com=permit}
> > reject_unknown_helo_hostname
>
> Since the OP has the rule in smtpd_helo_restrictions and also because
> whitelisting by client hostname (dynamically derived from PTR +
> forward lookup) is fragile, the rule I'd recommend would be:
>
> smtpd_helo_restrictions =
> ...
> check_helo_access inline:{bogus.example=permit}
> reject_unknown_helo_hostname
>
> This exempts the specific name that would otherwise be rejected,
> but does so for all clients. One could instead permit any
> HELO name from a particular IP block, where the problem client
> lives:
>
> main.cf:
> cidr = cidr:${config_directory}/
> smtpd_helo_restrictions =
> ...
> check_client_access ${cidr}filter-helo.cidr
>
> filter-helo.cidr:
> 192.0.2.0/24 DUNNO
> 0.0.0.0/0 reject_unknown_helo_hostname
>
> Or, as Wietse suggested, if this becomes a game of whack-a-mole, just
> forgo the rule that requires PTR records for the HELO name.
>
This got me wondering about my own configuration. It turns out I use the
other reverse check:
smtpd_client_restrictions =
permit_sasl_authenticated,
permit_mynetworks,
reject_unauth_destination,
check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre,
reject_unknown_reverse_client_hostname,
check_client_access hash:/etc/postfix/spamsources
This stops many a spammer. I forget who posted the info on the fqrdns,
but that is very effective as well.
Here is the pcre as a pastebin since it is really large:
fpaste fqrdns.pcre
Uploading (239.6KiB)...
https://paste.centos.org/view/07737b27
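To make the evaluation order in the two approaches above concrete, here is an added toy model (not Postfix code, and not posted by anyone in the thread) of how smtpd walks a restriction list: rules are tried in order, the first PERMIT or REJECT decides, DUNNO means "no opinion, try the next rule", an access-table result may be a decision or the name of another restriction to apply, and an exhausted list permits. DNS is stubbed with constructed dictionaries, the IPs and hostnames are from documentation ranges, and the two regexes stand in for the real fqrdns.pcre, which is far larger; the function names, session dict layout and the treatment of "550 ..." table actions as rejects are this example's own assumptions.

```python
"""Toy model of Postfix smtpd restriction-list evaluation (added example).

Not Postfix code. Models only: in-order evaluation, first PERMIT/REJECT
wins, DUNNO falls through, table actions may name another restriction,
and an exhausted list permits. DNS is stubbed; all data is constructed.
"""
import ipaddress
import re

# Constructed stand-in for DNS (documentation ranges, hypothetical names).
PTR = {
    "198.51.100.7": "mail.example.net",                # sane static rDNS
    "203.0.113.9": "cpe-203-0-113-9.dyn.example.org",  # dynamic-looking rDNS
    "192.0.2.5": "host5.example.com",                  # the problem client's block
}
HAS_A_OR_MX = {"mail.example.net", "host5.example.com"}  # HELO names that resolve
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8")]


# --- built-in restrictions: take the session dict, return an action string ---
def permit_sasl_authenticated(s):
    return "permit" if s.get("sasl") else "DUNNO"

def permit_mynetworks(s):
    ip = ipaddress.ip_address(s["ip"])
    return "permit" if any(ip in net for net in MYNETWORKS) else "DUNNO"

def reject_unknown_helo_hostname(s):
    # Real Postfix checks for an A/AAAA or MX record; stubbed with a set here.
    return "DUNNO" if s["helo"].lower() in HAS_A_OR_MX else "REJECT"

def reject_unknown_reverse_client_hostname(s):
    return "DUNNO" if s["ip"] in PTR else "REJECT"


# --- access-table restrictions: return the table's action, or DUNNO ---
def check_client_access(cidr_table):        # cidr: first matching network wins
    def rule(s):
        ip = ipaddress.ip_address(s["ip"])
        return next((act for net, act in cidr_table if ip in net), "DUNNO")
    return rule

def check_helo_access(inline_table):        # inline:{name=action}
    return lambda s: inline_table.get(s["helo"].lower(), "DUNNO")

def check_reverse_client_hostname_access(pcre_table):   # regex over the PTR name
    def rule(s):
        name = PTR.get(s["ip"], "")
        return next((act for rx, act in pcre_table if rx.search(name)), "DUNNO")
    return rule


BY_NAME = {f.__name__: f for f in (reject_unknown_helo_hostname,
                                    reject_unknown_reverse_client_hostname)}

def resolve(action, s):
    """Reduce a restriction or table result to PERMIT, REJECT or DUNNO."""
    a = action.strip()
    if a.upper() == "DUNNO":
        return "DUNNO"
    if a.upper() in ("OK", "PERMIT"):
        return "PERMIT"
    if a in BY_NAME:                        # table action names another restriction
        return resolve(BY_NAME[a](s), s)
    if a.upper().startswith("REJECT") or a[:1] in ("4", "5"):  # "550 text" rejects
        return "REJECT"
    raise ValueError(f"unknown action {a!r}")

def evaluate(restrictions, s):
    for rule in restrictions:
        verdict = resolve(rule(s), s)
        if verdict != "DUNNO":
            return verdict
    return "PERMIT"                         # end of list: implicit permit


# --- the two smtpd_helo_restrictions variants from the thread ---
HELO_BY_NAME = [check_helo_access({"bogus.example": "permit"}),
                reject_unknown_helo_hostname]
FILTER_HELO_CIDR = [(ipaddress.ip_network("192.0.2.0/24"), "DUNNO"),
                    (ipaddress.ip_network("0.0.0.0/0"), "reject_unknown_helo_hostname")]
HELO_BY_CIDR = [check_client_access(FILTER_HELO_CIDR)]

# --- the poster's client checks, with two constructed fqrdns-style patterns ---
FQRDNS_PCRE = [(re.compile(r"^cpe-\d+-\d+-\d+-\d+\."), "550 dynamic-looking rDNS"),
               (re.compile(r"\.(dyn|dhcp|pool)\."), "550 dynamic-looking rDNS")]
CLIENT = [permit_sasl_authenticated, permit_mynetworks,
          check_reverse_client_hostname_access(FQRDNS_PCRE),
          reject_unknown_reverse_client_hostname]

def helo_verdict(ip, helo, variant=HELO_BY_CIDR):
    return evaluate(variant, {"ip": ip, "helo": helo})

def client_verdict(ip, sasl=False):
    return evaluate(CLIENT, {"ip": ip, "sasl": sasl})


if __name__ == "__main__":
    for ip, helo in [("192.0.2.5", "bogus.example"), ("198.51.100.7", "bogus.example")]:
        print(ip, helo, "cidr:", helo_verdict(ip, helo),
              "name:", helo_verdict(ip, helo, HELO_BY_NAME))
    for ip in ("198.51.100.7", "203.0.113.9", "192.0.2.200"):
        print(ip, PTR.get(ip, "<no PTR>"), client_verdict(ip))
```

Running it shows the trade-off Viktor describes: the by-name variant permits bogus.example from any client IP, while the cidr variant only suspends the HELO check for 192.0.2.0/24 and still rejects the same HELO from 198.51.100.7. In the client list, the "550" action from the pcre table ends evaluation before reject_unknown_reverse_client_hostname is reached, and a client with no PTR at all falls through to that last rule.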