static map returns 554, causing message to be accepted

  • martin f krafft
    Message 1 of 21, Oct 3, 2010
      Dear list,

      I found that a lot of spam can be weeded out by rejecting clients
      who greet me with my own hostname. Initially, I achieved this with
      the following:

      main.cf:
      smtpd_helo_restrictions =
      […]
      check_helo_access pcre:$config_directory/reject_helo_myhostname

      reject_helo_myhostname:
      /^myhostname(\.mydomain)?$/ 554 do not impersonate me

      I then ran into problems when the host connected to itself through
      the loopback interface. Since I did not want to add
      permit_mynetworks to smtpd_helo_restrictions (I expect all machines
      on my network to pass the other helo restrictions), I went on to
      experiment with restriction classes. I now realise that there are
      other, more direct ways to achieve what I want, but I would still
      like to figure out a problem I ran into:

      main.cf:
      smtpd_helo_restrictions =
      […]
      check_helo_access pcre:$config_directory/reject_helo_myhostname

      smtpd_restriction_classes =
      […]
      target_reject_helo_myhostname

      target_reject_helo_myhostname =
      permit_mynetworks
      sleep 10
      reject

      reject_helo_myhostname:
      /^myhostname(\.mydomain)?$/ target_reject_helo_myhostname

      This works, but I wanted to have a more verbose error message, so
      I replaced the last line with

      check_helo_access static:554 do not impersonate me

      Much to my surprise, this caused the message to be accepted.

      I speculated this might have to do with the spaces and tried to
      quote the text, which did not work.

      After discovering that

      check_helo_access static:REJECT

      worked fine, I tried

      check_helo_access static:554

      but that got the message accepted too.

      I now found a better solution, but I am still curious what I did
      wrong in using the static map.

      Thanks for your time!

      --
      martin | http://madduck.net/ | http://two.sentenc.es/

      the security, stability and reliability of a computer system
      is reciprocally proportional to
      the amount of vacuity between the ears of the admin.

      spamtraps: madduck.bogus@...
    • martin f krafft
      Message 2 of 21, Oct 3, 2010
        also sprach martin f krafft <madduck@...> [2010.10.03.1434 +0200]:
        > check_helo_access static:554
        >
        > but that got the message accepted too.

        I found in access(5):

        ACCEPT ACTIONS
        all-numerical
        An all-numerical result is treated as OK. This
        format is generated by address-based relay
        authorization schemes such as pop-before-smtp.

        So indeed, this is expected behaviour and my question thus becomes
        a new one:

        How can I use a static map to return a "5xx message" result?

        I tried:

        - static:554 message [all-numerical accept]
        - static:'554 message' [invalid smtpd restriction '554]
        - static:"554 message" [invalid smtpd restriction "554]
        - "static:554 message" [unsupported dictionary type: "static:…]
        - 'static:554 message" [unsupported dictionary type: 'static:…]

        What else is there?

        --
        martin | http://madduck.net/ | http://two.sentenc.es/

        uʍop ǝpısdn sı ɹoʇıuoɯ ɹnoʎ

        spamtraps: madduck.bogus@...
      • martin f krafft
        Message 3 of 21, Oct 3, 2010
          also sprach martin f krafft <madduck@...> [2010.10.03.1456 +0200]:
          > How can I use a static map to return a "5xx message" result?

          According to http://www.irbs.net/internet/postfix/0208/0380.html,
          what I am trying to do is simply not possible. Is this still the
          case?

          --
          martin | http://madduck.net/ | http://two.sentenc.es/

          "never attribute to malice what can be
          adequately explained by incompetence."
          -- mark twain

          spamtraps: madduck.bogus@...
        • Stan Hoeppner
          Message 4 of 21, Oct 3, 2010
            martin f krafft put forth on 10/3/2010 7:34 AM:
            > Dear list,
            >
            > I found that a lot of spam can be weeded out by rejecting clients
            > who greet me with my own hostname. Initially, I achieved this with
            > the following:
            >
            > main.cf:
            > smtpd_helo_restrictions =
            > […]
            > check_helo_access pcre:$config_directory/reject_helo_myhostname
            >
            > reject_helo_myhostname:
            > /^myhostname(\.mydomain)?$/ 554 do not impersonate me
            >
            > I then ran into problems when the host connected to itself through
            > the loopback interface. Since I did not want to add
            > permit_mynetworks to smtpd_helo_restrictions (I expect all machines
            > on my network to pass the other helo restrictions) <snip>

            TTBOMK, the proper way to do this is the method you are avoiding, which
            is to implement permit_mynetworks in smtpd_helo_restrictions. Also note
            you can do this just as easily with a hash table as with a PCRE table.
            Excellent how-to:

            http://www.unixwiz.net/techtips/postfix-HELO.html

            I think you're currently making this more complicated than it needs to
            be. If not, if you absolutely can't do it this way, and you're having
            reinjection problems with content filters or policy daemons, simply add
            something like this to the master.cf entry for the reinjection smtpd
            listener:

            daemon inet n - - - - smtpd
            -o smtpd_client_restrictions=
            -o smtpd_helo_restrictions=
            -o smtpd_sender_restrictions=
            -o smtpd_recipient_restrictions=permit_mynetworks,reject

            If you don't already have a dedicated reinjection listener, that's a
            problem, and you should set one up. You shouldn't be dumping mail
            that's already been through a content filter or policy daemon back into
            your public facing smtpd listener on localhost:25, which has all the
            smtpd_foo_restrictions restrictions on it.

            If you aren't currently eliminating these restrictions on reinjection
            connections, you are doing extra unnecessary processing and throwing up
            unnecessary roadblocks to internal trusted communications between your
            Postfix processes. smtpd_foo_restrictions are designed to be used
            against foreign public MTAs connecting to your public facing smtpd, not
            against trusted internal processes.

            --
            Stan
          • Noel Jones
            Message 5 of 21, Oct 3, 2010
              On 10/3/2010 7:34 AM, martin f krafft wrote:
              > Dear list,
              >
              > I found that a lot of spam can be weeded out by rejecting clients
              > who greet me with my own hostname. Initially, I achieved this with
              > the following:
              >
              > main.cf:
              > smtpd_helo_restrictions =
              > […]
              > check_helo_access pcre:$config_directory/reject_helo_myhostname
              >
              > reject_helo_myhostname:
              > /^myhostname(\.mydomain)?$/ 554 do not impersonate me
              >
              > I then ran into problems when the host connected to itself through
              > the loopback interface. Since I did not want to add
              > permit_mynetworks to smtpd_helo_restrictions (I expect all machines
              > on my network to pass the other helo restrictions), I went on to

              You're shooting yourself in the foot by not using
              permit_mynetworks. If they're authorized clients, you
              shouldn't make them jump through the hoops intended for
              potentially hostile outside connections.


              > experiment with restriction classes. I now realise that there are
              > other, more direct ways to achieve what I want, but I would still
              > like to figure out a problem I ran into:
              >
              > main.cf:
              > smtpd_helo_restrictions =
              > […]
              > check_helo_access pcre:$config_directory/reject_helo_myhostname
              >
              > smtpd_restriction_classes =
              > […]
              > target_reject_helo_myhostname
              >
              > target_reject_helo_myhostname =
              > permit_mynetworks
              > sleep 10

              You're tying up a valuable smtpd process by using the sleep 10
              before reject. This is a fine way to create your own denial
              of service. Get rid of unwanted connections as soon as possible.

              > reject
              >
              > reject_helo_myhostname:
              > /^myhostname(\.mydomain)?$/ target_reject_helo_myhostname
              >
              > This works, but I wanted to have a more verbose error message, so
              > I replaced the last line with

              Lots easier to just use
              /^myhostname(\.mydomain)?$/ REJECT don't use my hostname

              >
              > check_helo_access static:554 do not impersonate me
              >
              > Much to my surprise, this caused the message to be accepted.

              The static: map type only returns the first element. This
              could probably be better documented, but has been discussed on
              this list numerous times.

              As documented in access(5), an all-numeric response means
              "OK". Anyway, you should be using 'REJECT' rather than a code
              as a general rule.


              ...
              > I now found a better solution, but I am still curious what I did
              > wrong in using the static map.

              Static maps are inappropriate for returning a custom response.
              Use a regexp: or pcre: map instead.


              -- Noel Jones
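To make the behaviour Noel describes concrete, here is an added example (not Postfix code and not anything from the thread's authors) that models how an access(5) lookup result is interpreted: an all-numerical result counts as OK, `REJECT text` and `5NN text` reject, and anything else is treated as a restriction name. It also models the static: table quirk as stated above (only the first element is returned) and contrasts it with a pcre: table, whose result is the whole rest of the line. The tables, hostnames and the case-insensitive matching are constructed assumptions for the example.

```python
"""Model of how Postfix interprets access(5) results for check_helo_access,
showing why 'static:554 do not impersonate me' accepts a message while a
pcre: table carrying the same text rejects it.

Added example for the thread above; it is not Postfix code.  Only the rules
quoted in the thread are modelled (all-numerical => OK, REJECT, 'NNN text',
static: returning just its first element); real restriction processing is
simplified away.
"""
import re
from typing import List, Optional, Tuple

# Constructed pcre: table in the shape of the thread's reject_helo_myhostname
# file.  Postfix pcre: tables match case-insensitively by default, which the
# example models with re.IGNORECASE.
Rule = Tuple[str, str]
REJECT_HELO_MYHOSTNAME: List[Rule] = [
    (r"^myhostname(\.mydomain)?$", "REJECT don't use my hostname"),
]
# The OP's first version of the same table, with a numeric reply text.
REJECT_HELO_MYHOSTNAME_554: List[Rule] = [
    (r"^myhostname(\.mydomain)?$", "554 do not impersonate me"),
]


def pcre_lookup(key: str, table: List[Rule]) -> Optional[str]:
    """First matching pattern wins; the result is the whole rest of the line."""
    for pattern, result in table:
        if re.search(pattern, key, re.IGNORECASE):
            return result
    return None


def static_lookup(spec: str) -> str:
    """Model of a static: table as described in the thread: the value is only
    the first whitespace-delimited token after 'static:', so
    'static:554 do not impersonate me' yields just '554'."""
    if not spec.startswith("static:"):
        raise ValueError("not a static: table spec")
    tokens = spec[len("static:"):].split()
    return tokens[0] if tokens else ""


def interpret_access_result(result: str) -> Tuple[str, str]:
    """Map one access(5) result string to (decision, reply_text).

    decision is 'accept', 'reject' or 'restriction' (the result names a
    restriction or restriction class and would be evaluated as one).
    """
    result = result.strip()
    if re.fullmatch(r"[0-9]+", result):
        # access(5): an all-numerical result is treated as OK.
        return ("accept", "")
    first, _, rest = result.partition(" ")
    rest = rest.strip()
    if first.upper() == "OK":
        return ("accept", "")
    if first.upper() == "REJECT":
        return ("reject", rest or "Access denied")
    if re.fullmatch(r"[45][0-9][0-9]", first) and rest:
        # '4NN text' / '5NN text': reject with that code and text.
        return ("reject", f"{first} {rest}")
    return ("restriction", first)


def check_helo_access(helo: str, table) -> Tuple[str, str]:
    """Model check_helo_access for either a static: spec string or a list of
    pcre rules; ('dunno', '') means the table had no opinion."""
    if isinstance(table, str):
        result: Optional[str] = static_lookup(table)
    else:
        result = pcre_lookup(helo, table)
    if result is None:
        return ("dunno", "")
    return interpret_access_result(result)


if __name__ == "__main__":
    for helo, tbl in [("myhostname.mydomain", "static:554 do not impersonate me"),
                      ("myhostname", "static:REJECT"),
                      ("myhostname.mydomain", REJECT_HELO_MYHOSTNAME),
                      ("myhostname", REJECT_HELO_MYHOSTNAME_554),
                      ("mail.example.org", REJECT_HELO_MYHOSTNAME)]:
        print(helo, "->", check_helo_access(helo, tbl))
```

The first case is exactly the surprise from the original post: the static: table hands back `554`, which access(5) treats as OK. With the pcre: table the full `REJECT don't use my hostname` (or `554 do not impersonate me`) comes back and the HELO is rejected as intended.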
            • martin f krafft
              Message 6 of 21, Oct 4, 2010
                also sprach Noel Jones <njones@...> [2010.10.04.0507 +0200]:
                > Lots easier to just use
                > /^myhostname(\.mydomain)?$/ REJECT don't use my hostname

                Thanks to everyone who responded. I am now going the suggested way.

                However, it occurs to me that this is something postfix could be
                trivially doing itself, e.g.

                smtpd_helo_restrictions =
                […]
                reject_my_hostname
                reject_my_ipaddress

                since it has those data available. Is this something worth pursuing?

                Thanks,

                --
                martin | http://madduck.net/ | http://two.sentenc.es/

                to one who knows how to understand, few words suffice.
                -- intelligenti pauca

                spamtraps: madduck.bogus@...
              • Jerry
                Message 7 of 21, Oct 4, 2010
                  On Mon, 4 Oct 2010 17:49:17 +0200
                  martin f krafft <madduck@...> articulated:

                  > also sprach Noel Jones <njones@...> [2010.10.04.0507
                  > +0200]:
                  > > Lots easier to just use
                  > > /^myhostname(\.mydomain)?$/ REJECT don't use my hostname
                  >
                  > Thanks to everyone who responded. I am now going the suggested way.
                  >
                  > However, it occurs to me that this is something postfix could be
                  > trivially doing itself, e.g.
                  >
                  > smtpd_helo_restrictions =
                  > […]
                  > reject_my_hostname
                  > reject_my_ipaddress
                  >
                  > since it has those data available. Is this something worth pursuing?

                  Interesting; however, if it were really that simple and safe, I think
                  Wietse would have already implemented it.

                  --
                  Jerry ✌
                  postfix-user@...
                  _____________________________________________________________________
                  TO REPORT A PROBLEM see http://www.postfix.org/DEBUG_README.html#mail
                  TO (UN)SUBSCRIBE see http://www.postfix.org/lists.html
                • Jeroen Geilman
                  Message 8 of 21, Oct 4, 2010
                    On 10/04/2010 05:49 PM, martin f krafft wrote:
                    > also sprach Noel Jones<njones@...> [2010.10.04.0507 +0200]:
                    >
                    >> Lots easier to just use
                    >> /^myhostname(\.mydomain)?$/ REJECT don't use my hostname
                    >>
                    > Thanks to everyone who responded. I am now going the suggested way.
                    >
                    > However, it occurs to me that this is something postfix could be
                    > trivially doing itself, e.g.
                    >
                    > smtpd_helo_restrictions =
                    > […]
                    > reject_my_hostname
                    >
                    > reject_my_ipaddress
                    >

                    Where, exactly ?
                    The real client IP ? That can't be trivially spoofed, and so would
                    actually BE your server.
                    As for EHLO, IP literals aren't accepted as a matter of course - not in
                    this day and age.

                    Personally, I reject all EHLO if it's not FQDN, not a valid hostname, or
                    corresponds with my own identity.
                    That pretty much accomplishes what you're talking about, without the
                    need for additional options.


                    --
                    J.
                  • martin f krafft
                    Message 9 of 21, Oct 4, 2010
                      also sprach Jeroen Geilman <jeroen@...> [2010.10.04.1822 +0200]:
                      > Where, exactly ?

                      The HELO greeting.

                      > The real client IP ? That can't be trivially spoofed, and so would
                      > actually BE your server.

                      I have seen clients who apparently connect to my MX with the IP and
                      then send the IP after HELO.

                      > Personally, I reject all EHLO if it's not FQDN, not a valid hostname,
                      > or corresponds with my own identity.

                      % swaks -h '77.109.139.84' -t jeroen@...
                      === Trying xs.adaptr.nl:25...
                      === Connected to xs.adaptr.nl.
                      <- 220-Are you naughty or nice ?
                      <- 220 mail.adaptr.nl ESMTP Ready.
                      -> EHLO 77.109.139.84
                      <- 250-mail.adaptr.nl
                      […]

                      (same with [77.109.139.84])

                      > That pretty much accomplishes what you're talking about, without the
                      > need for additional options.

                      So you keep a file in /etc/postfix containing your own identity?
                      That's redundant, isn't it? I can trivially do this with puppet, but
                      I figure it would be something postfix could do too.

                      --
                      martin | http://madduck.net/ | http://two.sentenc.es/

                      to err is human - to moo, bovine

                      spamtraps: madduck.bogus@...
                    • Jeroen Geilman
                      Message 10 of 21, Oct 4, 2010
                        Please don't send these redundant messages. It's a good indication of
                        your general messaging skills.


                        On 10/04/2010 07:56 PM, martin f krafft wrote:
                        > also sprach Jeroen Geilman<jeroen@...> [2010.10.04.1822 +0200]:
                        >
                        >> Where, exactly ?
                        >>
                        > The HELO greeting.
                        >
                        >
                        >> The real client IP ? That can't be trivially spoofed, and so would
                        >> actually BE your server.
                        >>
                        > I have seen clients who apparently connect to my MX with the IP and
                        > then send the IP after HELO.
                        >

                        With YOUR IP ? That's highly unlikely, to the point of unbelievability.

                        >> Personally, I reject all EHLO if it's not FQDN, not a valid hostname,
                        >> or corresponds with my own identity.
                        >>
                        > % swaks -h '77.109.139.84' -t jeroen@...
                        > === Trying xs.adaptr.nl:25...
                        > === Connected to xs.adaptr.nl.
                        > <- 220-Are you naughty or nice ?
                        > <- 220 mail.adaptr.nl ESMTP Ready.
                        > -> EHLO 77.109.139.84
                        > <- 250-mail.adaptr.nl
                        > […]
                        >

                        I'm quite sure I didn't ask you to post this online.

                        > (same with [77.109.139.84])
                        >
                        >

                        When I said that *I* use those rules, where did you get the notion it
                        has anything to do with any particular domain, or mail server ?


                        >> That pretty much accomplishes what you're talking about, without the
                        >> need for additional options.
                        >>
                        > So you keep a file in /etc/postfix containing your own identity?
                        > That's redundant, isn't it? I can trivially do this with puppet, but
                        > I figure it would be something postfix could do too.
                        >

                        So you're too dumb to write a simple regex map, eh ?
                        I guess "puppet" would be the solution for you then.
                      • martin f krafft
                        Message 11 of 21, Oct 4, 2010
                          also sprach Jeroen Geilman <jeroen@...> [2010.10.04.2004 +0200]:
                          > >I have seen clients who apparently connect to my MX with the IP and
                          > >then send the IP after HELO.
                          >
                          > With YOUR IP ? That's highly unlikely, to the point of unbelievability.

                          Yes, with my IP.

                          --
                          martin | http://madduck.net/ | http://two.sentenc.es/

                          "i like .net for the same reason i like gentoo. it keeps all the
                          people with no clue from writing c code, which is much harder for me
                          to identify and eliminate from my systems. in the same way that
                          gentoo gives those people a place to be that isn't in debian"
                          -- andrew suffield

                          spamtraps: madduck.bogus@...
                        • Charles Marcus
                          Message 12 of 21, Oct 4, 2010
                            On 2010-10-04 2:15 PM, martin f krafft wrote:
                            >> With YOUR IP ? That's highly unlikely, to the point of unbelievability.

                            > Yes, with my IP.

                            So your server is hacked?

                            --

                            Best regards,

                            Charles
                          • Ralf Hildebrandt
                            Message 13 of 21, Oct 4, 2010
                              * Jeroen Geilman <jeroen@...>:
                              >
                              > Please don't send these redundant messages. It's a good indication of
                              > your general messaging skills.
                              >
                              >
                              > On 10/04/2010 07:56 PM, martin f krafft wrote:
                              > >also sprach Jeroen Geilman<jeroen@...> [2010.10.04.1822 +0200]:
                              > >>Where, exactly ?
                              > >The HELO greeting.
                              > >
                              > >>The real client IP ? That can't be trivially spoofed, and so would
                              > >>actually BE your server.
                              > >I have seen clients who apparently connect to my MX with the IP and
                              > >then send the IP after HELO.
                              >
                              > With YOUR IP ? That's highly unlikely, to the point of unbelievability.

                              I've seen those as well; not from within my networks, but yes. I've
                              seen them!

                              --
                              Ralf Hildebrandt
                              IT Division | Network Department
                              Charité - Universitätsmedizin Berlin
                              Campus Benjamin Franklin
                              Hindenburgdamm 30 | D-12203 Berlin
                              Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
                              ralf.hildebrandt@... | http://www.charite.de
                            • martin f krafft
                              Message 14 of 21, Oct 4, 2010
                                also sprach Charles Marcus <CMarcus@...> [2010.10.04.2029 +0200]:
                                > > Yes, with my IP.
                                >
                                > So your server is hacked?

                                I am talking about the argument to HELO/EHLO. No, my server is not
                                hacked.

                                --
                                martin | http://madduck.net/ | http://two.sentenc.es/

                                "if english was good enough for jesus christ,
                                it's good enough for us."
                                -- miriam ferguson, governor of texas

                                spamtraps: madduck.bogus@...
                              • Wietse Venema
                                Message 15 of 21, Oct 4, 2010
                                  Ralf Hildebrandt:
                                  > > With YOUR IP ? That's highly unlikely, to the point of unbelievability.
                                  >
                                  > I've seen those as well; not from within my networks, but yes. I've
                                  > seen them!

                                  I see that all the time.

                                  For me, blocking helo with $inet_interfaces/$myhostname is
                                  not sufficient, since Postfix does not know everything.

                                  More useful is to block any helo name/address that resolves to an
                                  address on the local network when the client is elsewhere, but
                                  that is not as simple as suggested in this thread.

                                  Wietse
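As an added example (not Postfix code and not any participant's configuration), the following models the HELO check the thread converges on, in the order the replies recommend: permit_mynetworks first, so the loopback self-connection the OP hit never reaches the reject rules; then reject a HELO that is our own hostname or one of our own addresses, bare or as an [IP literal]; and, following Wietse's remark, reject a HELO name that resolves to an address on the local network when the client is elsewhere. The hostnames, addresses, networks and the dictionary standing in for DNS are all constructed so the example runs offline.

```python
"""HELO/EHLO impersonation check modelled on the thread's recommendations.

Added example; not Postfix code.  The configuration values below mirror the
main.cf parameters named in the thread ($myhostname, $mydomain,
$inet_interfaces, $mynetworks) but are constructed for this example, and
FAKE_DNS stands in for the A/AAAA lookups a real check would perform.
"""
import ipaddress
import re
from typing import Dict, Set, Tuple

SHORT_HOSTNAME = "mx"                          # the 'myhostname' of the OP's regex
MYDOMAIN = "example.net"
INET_INTERFACES = {"192.0.2.25", "127.0.0.1"}   # addresses Postfix listens on
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.0.2.0/24")]

# Constructed stand-in for DNS (hypothetical names and documentation addresses).
FAKE_DNS: Dict[str, Set[str]] = {
    "mx.example.net": {"192.0.2.25"},
    "alias.example.net": {"192.0.2.25"},      # another name pointing at us
    "mail.example.org": {"198.51.100.7"},     # unrelated, legitimate sender
}

# /^myhostname(\.mydomain)?$/ from the thread, built from the parameters above.
_OWN_NAME = re.compile(
    rf"^{re.escape(SHORT_HOSTNAME)}(\.{re.escape(MYDOMAIN)})?$", re.IGNORECASE)


def in_mynetworks(ip) -> bool:
    """permit_mynetworks: is the client address inside $mynetworks?"""
    return any(ip in net for net in MYNETWORKS)


def resolves_to_local_network(name: str, resolver: Dict[str, Set[str]]) -> bool:
    """True if any address the name resolves to is one of ours or lies in
    $mynetworks (the check Wietse describes as more useful)."""
    for addr in resolver.get(name, set()):
        if addr in INET_INTERFACES or in_mynetworks(ipaddress.ip_address(addr)):
            return True
    return False


def check_helo(helo: str, client_ip: str, resolver=FAKE_DNS) -> Tuple[str, str]:
    """Return ('permit' | 'reject' | 'dunno', reason) for one HELO argument."""
    client = ipaddress.ip_address(client_ip)
    if in_mynetworks(client):
        # Trusted clients skip the impersonation rules (permit_mynetworks first),
        # which is what fixes the OP's loopback problem.
        return ("permit", "permit_mynetworks")

    name = helo.strip().lower()
    literal = re.fullmatch(r"\[(.+)\]", name)
    if literal:
        name = literal.group(1)
        if name.startswith("ipv6:"):          # [IPv6:...] literal form
            name = name[len("ipv6:"):]

    # Bare IP or [IP literal]: reject only if it is one of our own addresses.
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        addr = None
    if addr is not None:
        if str(addr) in INET_INTERFACES:
            return ("reject", "HELO uses this server's own address")
        return ("dunno", "")

    # Our own hostname, short or fully qualified.
    if _OWN_NAME.match(name):
        return ("reject", "HELO uses this server's own hostname")

    # A name that resolves into our network, offered by a client outside it.
    if resolves_to_local_network(name, resolver):
        return ("reject", "HELO name resolves to the local network but client is elsewhere")

    return ("dunno", "")


if __name__ == "__main__":
    for helo, client in [("mx.example.net", "127.0.0.1"),
                         ("mx.example.net", "203.0.113.9"),
                         ("[192.0.2.25]", "203.0.113.9"),
                         ("alias.example.net", "203.0.113.9"),
                         ("mail.example.org", "203.0.113.9")]:
        print(f"{helo:20} from {client:12} -> {check_helo(helo, client)}")
```

Note that the resolver step is the part Wietse calls "not as simple as suggested": it needs a live DNS lookup per HELO, and it only returns a verdict for names that resolve into your own address space, so mouss's point that additional addresses Postfix does not know about still have to be supplied by the administrator applies here as well.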
                                • fakessh
                                  Message 16 of 21, Oct 4, 2010
                                    i hijacked the server with the null sender
                                    and the valid recipient
                                    the mail go home

                                    <anonymous>

                                    nb : hey madduck
                                    On Monday 04 October 2010 at 20:44 +0200, martin f krafft wrote:
                                    > also sprach Charles Marcus <CMarcus@...> [2010.10.04.2029 +0200]:
                                    > > > Yes, with my IP.
                                    > >
                                    > > So your server is hacked?
                                    >
                                    > I am talking about the argument to HELO/EHLO. No, my server is not
                                    > hacked.
                                    >
                                    --
                                    http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7


                                    gpg --keyserver pgp.mit.edu --recv-key 092164A7
                                  • Jeroen Geilman
                                    Message 17 of 21, Oct 4, 2010
                                      On 10/04/2010 08:31 PM, Ralf Hildebrandt wrote:
                                      > * Jeroen Geilman<jeroen@...>:
                                      >
                                      >> The real client IP ? That can't be trivially spoofed, and so would
                                      >>>> actually BE your server.
                                      >>>>
                                      >>> I have seen clients who apparently connect to my MX with the IP and
                                      >>> then send the IP after HELO.
                                      >>>
                                      >> With YOUR IP ? That's highly unlikely, to the point of unbelievability.
                                      >>
                                      > I've seen those as well; not from within my networks, but yes. I've
                                      > seen them!
                                      >
                                      >

                                      The OP says in so many words that he sees connections WITH HIS IP: "who
                                      apparently connect to the MX *with the IP*"

                                      This does not happen.
                                    • mouss
                                      Message 18 of 21, Oct 4, 2010
                                        On 04/10/2010 17:49, martin f krafft wrote:
                                        > also sprach Noel Jones<njones@...> [2010.10.04.0507 +0200]:
                                        >> Lots easier to just use
                                        >> /^myhostname(\.mydomain)?$/ REJECT don't use my hostname
                                        > Thanks to everyone who responded. I am now going the suggested way.
                                        >
                                        > However, it occurs to me that this is something postfix could be
                                        > trivially doing itself, e.g.
                                        >
                                        > smtpd_helo_restrictions =
                                        > […]
                                        > reject_my_hostname
                                        > reject_my_ipaddress
                                        >
                                        > since it has those data available. Is this something worth pursuing?

                                        not really, except in your apparently simple environment. I have a lot
                                        more IPs that I would include in the check, that postfix has no idea
                                        where they come from. and besides, I didn't see that check catch
                                        anything that isn't caught by other more effective checks. so I removed
                                        the call to the map.
                                      • mouss
                                        Message 19 of 21 , Oct 4, 2010
                                          Le 04/10/2010 21:10, Jeroen Geilman a écrit :
                                          > On 10/04/2010 08:31 PM, Ralf Hildebrandt wrote:
                                          >> * Jeroen Geilman<jeroen@...>:
                                          >>> The real client IP ? That can't be trivially spoofed, and so would
                                          >>>>> actually BE your server.
                                          >>>> I have seen clients who apparently connect to my MX with the IP and
                                          >>>> then send the IP after HELO.
                                          >>> With YOUR IP ? That's highly unlikely, to the point of unbelievability.
                                          >> I've seen those as well; not from within my networks, but yes. I've
                                          >> seen them!
                                          >>
                                          >
                                          > The OP says in so many words that he sees connections WITH HIS IP:
                                          > "who apparently connect to the MX *with the IP*"
                                          >
                                          > This does not happen.
                                          >
                                          >

                                          OP talks about clients helo'ing with his IP, not connections coming from
                                          someone who spoofed his IP.
                                        • Stan Hoeppner
                                          Message 20 of 21 , Oct 4, 2010
                                            Jeroen Geilman put forth on 10/4/2010 2:10 PM:

                                            > The OP says in so many words that he sees connections WITH HIS IP: "who
                                            > apparently connect to the MX *with the IP*"
                                            >
                                            > This does not happen.

                                            Is this remotely plausible if he's behind a really funky NAT/masquerade?

                                            I've seen some junk quality NAT boxes present the inside private NAT
                                            address as the remote client host address after translation, but I've
                                            never seen one that presented the internal host's address to itself as
                                            the remote client address.

                                            --
                                            Stan
                                          • Jeroen Geilman
                                            Message 21 of 21 , Oct 6, 2010
                                              On 10/04/2010 10:55 PM, mouss wrote:
                                              > Le 04/10/2010 21:10, Jeroen Geilman a écrit :
                                              >> On 10/04/2010 08:31 PM, Ralf Hildebrandt wrote:
                                              >>> * Jeroen Geilman<jeroen@...>:
                                              >>>> The real client IP ? That can't be trivially spoofed, and so would
                                              >>>>>> actually BE your server.
                                              >>>>> I have seen clients who apparently connect to my MX with the IP and
                                              >>>>> then send the IP after HELO.
                                              >>>> With YOUR IP ? That's highly unlikely, to the point of
                                              >>>> unbelievability.
                                              >>> I've seen those as well; not from within my networks, but yes. I've
                                              >>> seen them!
                                              >>>
                                              >>
                                              >> The OP says in so many words that he sees connections WITH HIS IP:
                                              >> "who apparently connect to the MX *with the IP*"
                                              >>
                                              >> This does not happen.
                                              >>
                                              >>
                                              >
                                              > OP talks about clients helo'ing with his IP, not connections coming
                                              > from someone who spoofed his IP.
                                              >
                                              >

                                              Well excuse me, again, but he obviously did.

                                              Re-quoting: "I have seen clients who apparently connect to my MX with
                                              the IP "

                                              How does that translate to anything else than what I said?

                                              --
                                              J.