Craig McLean wrote:

> You might well be right. On high-load systems a caveat, however, is that
> if you do this with RDNS queries it'll lead to a potential DoS.

I guess that's true if they are sending random hostnames all the time.

> I haven't tested whether my mailserver will allow me to HELO with the
> mailserver's hostname but a phony IP. I suspect this will be covered
> (assuming sendmail) by confPRIVACY_FLAGS or local-host-names.

For the record, Postfix allows you to specify a hashed text file that has the rules for HELO. I'm not a postfix expert, but here is my config that works very well in allowing all legitimate mail through in my experience.

In /etc/postfix/main.cf:

    ...
    smtpd_helo_required = yes
    smtpd_sender_restrictions = reject_unknown_sender_domain
    ...
    smtpd_helo_restrictions =
        permit_mynetworks,
        check_client_access hash:/etc/postfix/helo_access,
        check_helo_access hash:/etc/postfix/helo_access,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        permit
    ...

and then something like this in /etc/postfix/helo_access:

    warmcat.com    REJECT Not who you say you are

(I believe this will reject [*.]warmcat.com too)

Once you create it, and every time you edit it, you need to run postmap to compile it into the database file used by postfix:

    postmap /etc/postfix/helo_access

On changes to it:

    service postfix reload

If you sit looking with tail -f /var/log/maillog as the mail comes in, you'll start seeing the lying sender MTA getting thrown out before it even has a chance to give you the mail body:

    ...
    postfix/smtpd[15236]: NOQUEUE: reject: HELO from cable-62-117-28-127.cust.blue-cable.de[62.117.28.127]: 554 <warmcat.com>: Helo command rejected: Not who you say you are; proto=SMTP helo=<warmcat.com>

I also found that postgrey and rejecting mail that is not addressed to a user on the system or in the alias table reduced spam and virus mails to almost zero without needing probability-based tests.

-Andy
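As an added example (not part of Andy's post), here is a small Python parser that picks the smtpd HELO reject lines out of a maillog in the format quoted above and counts rejected HELO names and the client IPs presenting each one; the sample log lines are constructed in that format, not real traffic.

```python
import re
from collections import Counter

# Matches the "NOQUEUE: reject: HELO from ..." line Postfix smtpd logs when a
# check_helo_access / reject_non_fqdn_hostname restriction fires. search() is
# used so the syslog timestamp/host prefix may be present or stripped.
HELO_REJECT = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: NOQUEUE: reject: HELO from "
    r"(?P<client>[^\[]+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) <(?P<arg>[^>]*)>: "
    r"Helo command rejected: (?P<reason>[^;]*); proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>"
)

def parse_helo_reject(line):
    """Return the fields of a HELO reject line as a dict, or None for any other line."""
    m = HELO_REJECT.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["code"] = int(rec["code"])
    return rec

def summarize(lines):
    """Count rejects per HELO name and collect the client IPs that used each name."""
    by_helo = Counter()
    ips_by_helo = {}
    for line in lines:
        rec = parse_helo_reject(line)
        if rec is None:
            continue                      # connects, deliveries, other rejects
        by_helo[rec["helo"]] += 1
        ips_by_helo.setdefault(rec["helo"], set()).add(rec["ip"])
    return by_helo, ips_by_helo

# Constructed sample lines (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = [
    "Mar  1 10:00:01 mx postfix/smtpd[15236]: NOQUEUE: reject: HELO from "
    "cable-62-117-28-127.cust.blue-cable.de[62.117.28.127]: 554 <warmcat.com>: "
    "Helo command rejected: Not who you say you are; proto=SMTP helo=<warmcat.com>",
    "Mar  1 10:00:07 mx postfix/smtpd[15240]: NOQUEUE: reject: HELO from "
    "unknown[192.0.2.10]: 554 <warmcat.com>: Helo command rejected: "
    "Not who you say you are; proto=ESMTP helo=<warmcat.com>",
    "Mar  1 10:00:09 mx postfix/smtpd[15241]: NOQUEUE: reject: HELO from unknown[192.0.2.10]: "
    "504 <spam01>: Helo command rejected: need fully-qualified hostname; proto=SMTP helo=<spam01>",
    "Mar  1 10:00:12 mx postfix/smtpd[15242]: connect from unknown[198.51.100.5]",
]

if __name__ == "__main__":
    counts, ips = summarize(SAMPLE_LOG)
    for helo, n in counts.most_common():
        print(f"{helo:20} {n:3} rejects from {sorted(ips[helo])}")
```

Feed it `tail -f /var/log/maillog` output (or a whole log) line by line to see which forged HELO names your helo_access table and reject_non_fqdn_hostname are catching.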