From: Sahil Tandon on
On Mon, 04 Jan 2010, Steve wrote:

> > > > I think that mostly it was HELO response verification that did it.
> > > > BTW, is there a reason not to block emails with incorrect HELO response?
> > > >
> > > None really, unless you need to accept mail from misconfigured
> > > servers. (We do.)
> > >
> > Most of do (I would guess).
> >
> Stupid me. Too fast typing:
> Most of us do (I would guess).

Indeed. This is why macho declarations like "we don't accept mail from
misconfigured servers" are misguided.

--
Sahil Tandon <sahil(a)tandon.net>

From: Thomas Harold on
On 1/4/2010 5:40 PM, Roman Gelfand wrote:
> Well, it looks like, perhaps, I found the missing link. After adding
> s25r rules and HELO response verification in main.cf, no spam has
> slipped through.
>
> I think that mostly it was HELO response verification that did it.
> BTW, is there a reason not to block emails with incorrect HELO response?
>

Maybe...

reject_invalid_helo_hostname
http://www.postfix.org/postconf.5.html#reject_invalid_helo_hostname

Is very safe, the sending system would have to really screw up their
configuration in order to fall afoul of this rule. You're going to see
a small handful every month.


reject_non_fqdn_helo_hostname
http://www.postfix.org/postconf.5.html#reject_non_fqdn_helo_hostname

Since the HELO name is supposed to be a FQDN according to the RFCs, this
one is also fairly safe. We see hundreds of thousands of hits on this
rule every month - mostly from botnets with random 8-letter HELOs or
systems that introduce themselves as "localhost".

I've never seen a false positive complaint due to this check.


reject_unknown_helo_hostname
http://www.postfix.org/postconf.5.html#reject_unknown_helo_hostname
http://tools.ietf.org/html/rfc5321#section-2.3.5

Reject the request when the HELO or EHLO hostname has no DNS A or MX
record. While the RFC does require that the HELO name resolve back to a
DNS record, it seems like the majority of Microsoft Exchange admins
don't understand that rule. See RFC5321 section 2.3.5 where the first
bullet point explains this "MUST".

By default, Postfix responds with a 450 on this one. If you decide to
change that to a 5xx (like 550) then make sure you're using Postfix 2.6
or later to avoid issues with temporary DNS errors. Postfix 2.6 added
the unknown_helo_hostname_tempfail_action variable (default is
defer_if_permit).

This rule will cause you the most headaches. You will need to be
prepared to whitelist misconfigured mail servers. The false-positive
rate in my experience is between 1:1000 and 1:5000. Just high enough to
be annoying. We had to whitelist a few dozen sites when we first
implemented the check, now it's one site about every month.

If I could change one thing in Postfix - it would be that this check
would give a more descriptive error than simply "Host not found".

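Putting the three checks from the message above together in main.cf, as an added example that is not part of the thread or of the Postfix documentation; the client_access map path and the addresses in it are assumptions, and the restriction order is the point: the safe checks first, the whitelist before reject_unknown_helo_hostname, and the DNS-tempfail handling made explicit.

```ini
# Added example: HELO checks in the order discussed in the thread.
# Clients must send HELO/EHLO at all before the name can be checked.
smtpd_helo_required = yes

smtpd_helo_restrictions =
    permit_mynetworks,
    # Syntax check: very low false-positive rate, per the thread.
    reject_invalid_helo_hostname,
    # RFC 5321 requires a FQDN; catches "localhost" and random 8-letter names.
    reject_non_fqdn_helo_hostname,
    # Whitelist by *client IP* (assumed map), not by HELO name, so a
    # misconfigured but legitimate sender is exempted from the DNS check.
    check_client_access hash:/etc/postfix/client_access,
    # DNS check: the one that needs the whitelist above.
    reject_unknown_helo_hostname

# Keep the default 450 unless running Postfix 2.6 or later, where a
# temporary DNS failure is separated from "name does not exist".
unknown_hostname_reject_code = 450
# Postfix 2.6+: a DNS timeout/SERVFAIL defers instead of rejecting,
# so a 5xx reject code only fires on a definitive NXDOMAIN.
unknown_helo_hostname_tempfail_action = defer_if_permit
```

The assumed /etc/postfix/client_access map holds lines such as `192.0.2.10 OK` (RFC 5737 documentation address, constructed here) and is compiled with `postmap hash:/etc/postfix/client_access` after each change.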