Loading ...
Sorry, an error occurred while loading the content.

294601Re: Three trivial filtering questions

Expand Messages
  • Noel Jones
    Aug 5, 2013
    • 0 Attachment
      On 8/4/2013 10:13 PM, Ronald F. Guilmette wrote:
      > In message <51FF13EB.8090105@...>,
      > Noel Jones <njones@...> wrote:
      >
      >> On 8/4/2013 8:06 PM, Ronald F. Guilmette wrote:
      >>> Does reject_non_fqdn_helo_hostname, when placed in the
      >>> smtpd_helo_restrictions, permit clients to HELO/EHLO
      >>> with a square-bracket enclosed dotted quad IPv4 address?
      >>
      >> Yes.
      >
      > The documentatation should probably be adjusted to make that more clear.
      > Right now it reads:
      >
      > Reject the request when the HELO or EHLO hostname is not in fully-
      > qualified domain form, as required by the RFC.
      >
      >>> If so, is the dotted quad checked to see that it properly
      >>> represents the actual IP address of the actual current client?
      >>
      >> No.
      >
      > Is there any restriction verb that would cause a HELO/EHLO which specifies
      > a square-bracketed dotted quad IPv4 address to be rejected when & if the
      > dotted quad does not match the actual current client IP address?

      I use a pcre table to reject any HELO that starts with a bracket or
      looks like an IP. Legit hosts that use this form are very rare here
      -- maybe one every couple years.

      >
      > Would reject_unknown_helo_hostname do it? If not maybe a new restriction
      > verb would be useful to perform this exact check.

      There is no built-in postfix restriction to compare the HELO to the
      client hostname, and I would question the value of such a feature.

      Do you see lots of spam with incorrect IP in the HELO? Do you see
      significant numbers of legit hosts using a bracketed IP HELO?


      >
      >>> Certainly, some spam
      >>> that I believe should have been rejected on the basis of one or another
      >>> of the above RHS filters I am instead seeing (in my maillog file) being
      >>> rejected instead by one or another of the subsequent reject_rbl_client
      >>> filters. What could I be doing wrong?
      >>

      You'll need too show evidence for further help on this.


      >>
      >> Doing RBL client checks in postscreen?
      >
      > I am not using postscreen at the present time.
      >
      > Do I need to use that if I want to perform RHSBL checks?

      RHSBL checks work without postscreen. If you use postscreen, it
      will reject clients before the smtpd_*_restrictions (and the smtpd
      program itself) are ever run.

      http://www.postfix.org/POSTSCREEN_README.html


      -- Noel Jones

      >
      >
      > Regards,
      > rfg
      >
    • Show all 18 messages in this topic