  Noel Jones
    Oct 3, 2010
      On 10/3/2010 7:34 AM, martin f krafft wrote:
      > Dear list,
      > I found that a lot of spam can be weeded out by rejecting clients
      > who greet me with my own hostname. Initially, I achieved this with
      > the following:
      > main.cf:
      > smtpd_helo_restrictions =
      > […]
      > check_helo_access pcre:$config_directory/reject_helo_myhostname
      > reject_helo_myhostname:
      > /^myhostname(\.mydomain)?$/ 554 do not impersonate me
      > I then ran into problems when the host connected to itself through
      > the loopback interface. Since I did not want to add
      > permit_mynetworks to smtpd_helo_restrictions (I expect all machines
      > on my network to pass the other helo restrictions), I went on to

      You're shooting yourself in the foot by not using
      permit_mynetworks. If they're authorized clients, you
      shouldn't make them jump through the hoops intended for
      potentially hostile outside connections.

      > experiment with restriction classes. I now realise that there are
      > other, more direct ways to achieve what I want, but I would still
      > like to figure out a problem I ran into:
      > main.cf:
      > smtpd_helo_restrictions =
      > […]
      > check_helo_access pcre:$config_directory/reject_helo_myhostname
      > smtpd_restriction_classes =
      > […]
      > target_reject_helo_myhostname
      > target_reject_helo_myhostname =
      > permit_mynetworks
      > sleep 10

      You're tying up a valuable smtpd process by using the sleep 10
      before reject. This is a fine way to create your own denial
      of service. Get rid of unwanted connections as soon as possible.

      > reject
      > reject_helo_myhostname:
      > /^myhostname(\.mydomain)?$/ target_reject_helo_myhostname
      > This works, but I wanted to have a more verbose error message, so
      > I replaced the last line with

      Lots easier to just use
      /^myhostname(\.mydomain)?$/ REJECT don't use my hostname

      > check_helo_access static:554 do not impersonate me
      > Much to my surprise, this caused the message to be accepted.

      The static: map type only returns the first element. This
      could probably be better documented, but has been discussed on
      this list numerous times.

      As documented in access(5), an all-numeric response means
      "OK". Anyway, you should be using 'REJECT' rather than a code
      as a general rule.

      > I now found a better solution, but I am still curious what I did
      > wrong in using the static map.

      Static maps are inappropriate for returning a custom response.
      Use a regexp: or pcre: map instead.

      -- Noel Jones
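
Added example, not part of the thread: the configuration the reply points to, written out as a main.cf fragment plus the pcre map it references. The server name mail.example.com and the address 192.0.2.25 are assumptions standing in for the poster's myhostname and mydomain; the map file name is kept from the thread. permit_mynetworks comes first so local clients never reach the HELO check, the map returns the access(5) action REJECT with the custom text (no sleep, no restriction class), and no all-numeric result is ever returned: the value after static: ends at the first whitespace in the restriction list, so static:554 do not impersonate me yields a bare 554, and an all-numeric access(5) result means OK.

```conf
# /etc/postfix/main.cf (assumed names; example only, not from the thread)
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks
    check_helo_access pcre:$config_directory/reject_helo_myhostname

# /etc/postfix/reject_helo_myhostname (pcre map)
# Lookup key is the HELO/EHLO argument. The result must be an access(5)
# action: "REJECT text" sends text back with the default 5xx reply.
# Never return a bare number: an all-numeric result is treated as OK.
# Dots are escaped so "mail.example.com" matches only the literal name;
# the second pattern catches the bracketed address-literal form.
/^mail\.example\.com$/          REJECT do not impersonate me
/^\[192\.0\.2\.25\]$/           REJECT do not impersonate me
```

Test the map without sending mail: `postmap -q "mail.example.com" pcre:/etc/postfix/reject_helo_myhostname` prints `REJECT do not impersonate me`, while a key that does not match prints nothing and exits non-zero, which is what a non-matching client should see.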
