On Sun, 24 May 2009, LuKreme wrote:

> I have the following:
>
> main.cf in smtpd_recipient_restrictions:
>   check_helo_access pcre:$config_directory/helo_checks.pcre,
>
> in helo_checks.pcre:
> /(lan|home|example|local)$/                 REJECT Mailserver name in private namespace
>
> but in logs:
> May 23 14:48:17 mail postfix/smtpd[30899]: NOQUEUE: warn: RCPT from  
> 201-88-100-143.gnace704.dsl.brasiltelecom.net.br[201.88.100.143]:  
> Dynamic DSL looking address; from=<subsidize...@maww.com> 
> to=<consorti...@domain3.example> proto=ESMTP helo=<speedtouch.lan>

Hm, that "warn" does not correspond to what you purportedly have in your
smtpd_recipient_restrictions; it should have been an outright rejection.

> OK? But the line with that reject notice is in check_client_fqdn.pcre,  
> which is AFTER check_helo_access
>
> /\.(dsl|\d+dsl|dsl\d+)\./                     REJECT Dynamic DSL looking address
>
> from postconf -n:
> smtpd_recipient_restrictions = reject_non_fqdn_sender,  
> reject_non_fqdn_recipient, reject_unknown_sender_domain,  
> reject_invalid_hostname, permit_mynetworks, check_client_access hash: 
> $config_directory/pbs, permit_sasl_authenticated,  
> reject_unauth_destination, reject_unlisted_sender, check_client_access  
> cidr:/var/db/dnswl/postfix-dnswl-permit check_helo_access pcre: 
> $config_directory/helo_checks.pcre,  check_sender_access pcre: 
> $config_directory/sender_access.pcre, check_client_access pcre: 
> $config_directory/check_client_fqdn.pcre, check_recipient_access pcre: 
> $config_directory/recipient_checks.pcre, check_client_access hash: 
> $config_directory/access, reject_rbl_client zen.spamhaus.org, permit
>
> shouldn't that helo from .lan be hitting the helo restriction before it 
> even gets to the fqdn lookup? Or hitting the reject_non_fqdn_sender? 
> Why's it falling all the way to check_client_fqdn.pcre?

Yes, it does seem odd; can you show unaltered 'postconf -n' instead of just
that snippet?  And reject_non_fqdn_sender does not hit because it has
absolutely nothing to do with the HELO; it rejects requests when the MAIL
FROM is not FQDN.

-- 
Sahil Tandon <sa...@tandon.net>
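
The following is an added example, not part of either poster's message or of Postfix itself: a small Python model that runs the two table entries quoted above against the HELO and client name from the quoted log line, in the order the restrictions are listed. It assumes Python's `re` behaves like PCRE for these two patterns, looks up only the client hostname, and treats any table match as final; the function and constant names are hypothetical.

```python
import re

# Table entries and lookup keys copied from the thread above.
HELO_CHECKS = r"/(lan|home|example|local)$/   REJECT Mailserver name in private namespace"
CLIENT_FQDN = r"/\.(dsl|\d+dsl|dsl\d+)\./   REJECT Dynamic DSL looking address"
HELO = "speedtouch.lan"
CLIENT = "201-88-100-143.gnace704.dsl.brasiltelecom.net.br"

ENTRY = re.compile(r"^/((?:\\.|[^/\\])*)/([A-Za-z]*)\s+(.+)$")

def load_table(text):
    """Parse '/pattern/flags ACTION text' lines into (regex, action) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if not m:
            raise ValueError(f"unparsed table line: {line!r}")
        pattern, flags, action = m.groups()
        # Postfix pcre tables are case-insensitive by default; 'i' toggles that off.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action))
    return rules

def lookup(rules, key):
    """First matching rule wins, as in a regexp-style lookup table."""
    for rx, action in rules:
        if rx.search(key):
            return action
    return None

def first_decision(checks):
    """checks: ordered (restriction, rules, key); return the first table hit."""
    for name, rules, key in checks:
        action = lookup(rules, key)
        if action is not None:
            return name, action
    return None

ORDERED = [
    ("check_helo_access", load_table(HELO_CHECKS), HELO),
    ("check_client_access", load_table(CLIENT_FQDN), CLIENT),
]

if __name__ == "__main__":
    print(first_decision(ORDERED))
```

On a live system the same question is answered by querying the table directly, for example `postmap -q "speedtouch.lan" pcre:/etc/postfix/helo_checks.pcre` (path assumed).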
