mouss wrote:
Paweł Leśniak wrote:
mouss wrote:
reject_unknown_helo_hostname would indeed be too aggressive. but you
could use restriction classes and only call it if the sender is null
(<>).
or you could run aggressive checks if the client has a "generic" reverse
dns. or in this particular case, simply reject *.rev.dynxnet.com with a
check_client_access:
rev.dynxnet.com REJECT blah blah
.rev.dynxnet.com REJECT blah blah
If I'll have any trouble with reject_unknown_helo_hostname sitewide I'll
change it according to information above.
using reject_unknown_helo_hostname site-wide is risky. problems will
happen when you stop watching! (at least, this was my experience,
although it was a few years ago).
if you still want to use it, you can:
- use DNSWL so that whitelisted clients are never blocked/deferred
- you can also have a local whitelist
- have a log parser that looks for 4xx because of unresolved helo, do
some checks, and possibly whitelist the client so that it is accepted at
the next retry.
of course, this assumes a 4xx code (this is the default).
OK, I was happy too soon. Unfortunately after 24h we've started
receiving backscatter from well configured (in terms of DNS/RevDNS
entries) servers.
The only fast solution right now I can see (and actually I started
pointing higher) is URIBL_*_SURBL in spamassassin. As all backscatters
(which we are getting now) have those bad URLs, these tests are doing
their job quite well. I know this is an ugly solution, but it works.
I've turned off reject_unknown_helo_hostname, as it's not doing what I
hoped it would, while keeping the other two reject_unknown_*_hostname
restrictions.
During the first 24h I found 3 IPs getting blocked (which I'd like to
get mail from, even when they have configs even worse than mine). The
worst is I also have ~500 IPs for which I can't tell from the logs
(sender, recipient, IP, helo) whether I want those messages or not.
yes. that said, enable the submission service and start "migrating".
This is the recommended way.
note that if users access the server from mynetworks, you can use a NAT
redirection to divert traffic to the submission port. This can help
during the "migration".
Users are not in mynetworks (they have to authenticate). But I can set
up redirection for traffic from my internal network.
Thanks again for helping
Pawel Lesniak
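The log parser mouss suggests above (look for 4xx rejections caused by an unresolved HELO, do some checks, and whitelist the client before its next retry) as an added example; this is not code from the thread or from Postfix. It assumes the standard syslog + "postfix/smtpd" line layout and the "Helo command rejected: Host not found" text that reject_unknown_helo_hostname logs with Postfix's default 450 code; the log lines embedded below are constructed for the example, and "rev.dynxnet.com" is reused from the thread as the example of a "generic" reverse-DNS zone. The checks are deliberately offline (they use only what the log already contains: client reverse DNS, sender, HELO), which is also what Paweł says he has to decide from.

```python
"""Build a check_client_access whitelist from Postfix HELO rejections.

Added example for the thread above, not code from it.  Assumptions:
  * lines look like the usual syslog + postfix/smtpd reject lines;
  * reject_unknown_helo_hostname logged the text
    "Helo command rejected: Host not found" with a 4xx code (Postfix default);
  * SAMPLE_LOG below is constructed, not real traffic.
"""
import re
from collections import defaultdict

# Constructed sample log lines (documentation/test addresses, not real hosts).
SAMPLE_LOG = """\
Jan 10 12:00:01 mx postfix/smtpd[1001]: NOQUEUE: reject: RCPT from mail.partner.example[192.0.2.10]: 450 4.7.1 <mail.partner.example>: Helo command rejected: Host not found; from=<alice@partner.example> to=<bob@example.com> proto=ESMTP helo=<mail.partner.example>
Jan 10 12:00:02 mx postfix/smtpd[1002]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.7.1 <ihpqvdkl>: Helo command rejected: Host not found; from=<spam@bogus.invalid> to=<bob@example.com> proto=SMTP helo=<ihpqvdkl>
Jan 10 12:00:03 mx postfix/smtpd[1003]: NOQUEUE: reject: RCPT from host-7.rev.dynxnet.com[203.0.113.7]: 450 4.7.1 <host-7.rev.dynxnet.com>: Helo command rejected: Host not found; from=<> to=<carol@example.com> proto=ESMTP helo=<host-7.rev.dynxnet.com>
Jan 10 12:05:01 mx postfix/smtpd[1004]: NOQUEUE: reject: RCPT from mail.partner.example[192.0.2.10]: 450 4.7.1 <mail.partner.example>: Helo command rejected: Host not found; from=<alice@partner.example> to=<dave@example.com> proto=ESMTP helo=<mail.partner.example>
Jan 10 12:06:00 mx postfix/smtpd[1005]: NOQUEUE: reject: RCPT from unknown[192.0.2.55]: 554 5.7.1 <bob@example.com>: Recipient address rejected: Access denied; from=<x@y.example> to=<bob@example.com> proto=ESMTP helo=<x.y.example>
Jan 10 12:07:00 mx postfix/smtpd[1006]: NOQUEUE: reject: RCPT from relay.corp.example[192.0.2.20]: 450 4.7.1 <relay.corp.example>: Helo command rejected: Host not found; from=<> to=<erin@example.com> proto=ESMTP helo=<relay.corp.example>
"""

# Only lines produced by reject_unknown_helo_hostname; other rejects are ignored.
REJECT_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject: RCPT from "
    r"(?P<rdns>[^\[]+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) \S+ "
    r"<(?P<helo_arg>[^>]*)>: Helo command rejected: Host not found; "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> \S+ helo=<(?P<helo>[^>]*)>"
)

# "Generic" reverse-DNS zones that should stay rejected (thread's example zone).
GENERIC_RDNS = re.compile(r"(^|\.)rev\.dynxnet\.com$")


def parse_helo_rejects(log_text):
    """Return one dict per temporary (4xx) HELO 'Host not found' rejection."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m and m.group("code").startswith("4"):
            events.append(m.groupdict())
    return events


def classify(events):
    """Group rejections by client IP and give each IP a verdict.

    Offline checks, from the log alone:
      * rDNS "unknown": reject_unknown_client_hostname would fire too; skip.
      * rDNS in a generic/dynamic pool: keep rejecting (check_client_access case).
      * only null senders seen: bounces, possibly backscatter; needs a human.
      * otherwise: a properly named client with real senders; whitelist candidate.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    verdicts = {}
    for ip, evs in by_ip.items():
        rdns = evs[0]["rdns"]
        senders = {e["sender"] for e in evs}
        if rdns == "unknown":
            verdict = "skip: no reverse DNS"
        elif GENERIC_RDNS.search(rdns):
            verdict = "skip: generic reverse DNS"
        elif senders == {""}:
            verdict = "review: null sender only"
        else:
            verdict = "whitelist"
        verdicts[ip] = {
            "rdns": rdns,
            "count": len(evs),
            "helos": sorted({e["helo"] for e in evs}),
            "verdict": verdict,
        }
    return verdicts


def access_map_lines(verdicts):
    """Emit access(5) map lines for whitelist candidates.

    A comment line (full-line '#', the only comment form access maps accept)
    precedes each entry so the reviewer sees why the IP was proposed.
    """
    lines = []
    for ip, v in sorted(verdicts.items()):
        if v["verdict"] == "whitelist":
            lines.append(f"# {v['rdns']} helo={','.join(v['helos'])} seen={v['count']}")
            lines.append(f"{ip}\tOK")
    return lines


if __name__ == "__main__":
    verdicts = classify(parse_helo_rejects(SAMPLE_LOG))
    for ip, v in sorted(verdicts.items()):
        print(f"{ip:16} {v['verdict']:28} {v['rdns']} x{v['count']}")
    print("\n".join(access_map_lines(verdicts)))
```

Review the emitted entries, append them to the file named by a `check_client_access hash:/etc/postfix/helo_whitelist` entry placed before reject_unknown_helo_hostname in smtpd_helo_restrictions (or the restriction list where you call it), and run `postmap` on it; because the original reply was a 450, the whitelisted client is accepted on its next retry, which is the point of mouss's suggestion.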