We have implemented HELO restrictions for our Postfix configuration to attempt to cut down on the amount of spam. Unfortunately this has turned up a lot of legitimate servers that have been incorrectly configured. That is to say, they do not have DNS entries for their mail servers. Whilst we are attempting to get the sysadmins to resolve these issues, I need to put in a workaround to allow these legitimate mail servers to send mails to our users.
I am considering setting up a white list system using "check_helo_access"; however, I am not sure about the sequencing of the commands in main.cf. The configuration I am considering is (main.cf extract of only relevant section):

    unknown_hostname_reject_code = 550
    smtpd_helo_required = yes
    smtpd_helo_restrictions =
        reject_invalid_hostname
        reject_non_fqdn_hostname
        check_helo_access hash:/etc/postfix/helo_access
        reject_unknown_hostname

In /etc/postfix/helo_access I will have:

    mailhost.domain1.suffix OK
    mailhost.domain2.suffix OK
    mailhost.domain3.suffix OK

My question is related to the sequencing. With this configuration, when a valid server in my helo_access file returns an OK, will it then be processed, or will it then move on to the "reject_unknown_hostname" and get rejected because it does not have a DNS entry? If this is the case, is there some way around this?

Thanks,
Pat Grogan
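
Added example, not part of the original post: a simplified Python model of how Postfix walks a restriction list, where the first restriction that returns a definite result (OK or REJECT) ends the list and DUNNO moves on to the next one. The DNS lookup is replaced by a constructed set of resolvable names, the syntax checks are simplified, and `mail.example.org` and `mailhost.unlisted.suffix` are made-up hosts.

```python
import re

# Constructed sample data (not taken from a real system).
HELO_ACCESS = {"mailhost.domain1.suffix": "OK"}  # stands in for the hash: map
RESOLVABLE = {"mail.example.org"}                # stands in for DNS A/MX lookups

LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")

def reject_invalid_hostname(helo):
    # Simplified syntax check: every dot-separated label must look like a DNS label.
    labels = helo.rstrip(".").split(".")
    return "DUNNO" if all(LABEL.match(label) for label in labels) else "REJECT"

def reject_non_fqdn_hostname(helo):
    # Simplified: a fully qualified name contains at least one inner dot.
    return "DUNNO" if "." in helo.strip(".") else "REJECT"

def check_helo_access(helo):
    # A name with no entry in the map behaves like DUNNO: evaluation continues.
    return HELO_ACCESS.get(helo, "DUNNO")

def reject_unknown_hostname(helo):
    return "DUNNO" if helo in RESOLVABLE else "REJECT"

# Same order as the smtpd_helo_restrictions extract in the post.
HELO_RESTRICTIONS = [reject_invalid_hostname, reject_non_fqdn_hostname,
                     check_helo_access, reject_unknown_hostname]

def evaluate(helo, restrictions=HELO_RESTRICTIONS):
    """Return (decision, name of the restriction that decided)."""
    helo = helo.lower()
    for restriction in restrictions:
        result = restriction(helo)
        if result != "DUNNO":      # first definite result ends this list
            return result, restriction.__name__
    return "OK", "end of list"     # nothing objected, so this list permits

if __name__ == "__main__":
    for name in ("mailhost.domain1.suffix", "mail.example.org",
                 "mailhost.unlisted.suffix", "localhost"):
        print(name, evaluate(name))
```

The OK only ends smtpd_helo_restrictions; the client, sender and recipient restriction lists are still evaluated afterwards. Because the HELO name is supplied by the connecting client, the exemption applies to any client that announces a listed name.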