On 2011-03-31 21:16:16 +0200, Jeroen Geilman wrote: > HELO checks are the primary defense against backscatter of this sort; I use > a simple subset of the available options: > > smtpd_helo_restrictions = reject_invalid_helo_hostname, > reject_unknown_helo_hostname, reject_non_fqdn_helo_hostname, > check_helo_access hash:/etc/postfix/helo_access, permit > > Where helo_access contains my own IPs and hostnames. > > This setup will reject an AMAZING amount of spam. > Fair warning: it may also yield the occasional false positive due to a > misconfigured client mail system! > The usual warn_if_reject will help out with that.
I really think it is a bad idea to use reject_unknown_helo_hostname. Some machines sending mail are on a local network, so that resolving their hostname doesn't make sense outside this network. The main goal of the EHLO hostname being for logging purpose (to identify the machine), the easiest solution may be to give the hostname (the alternate solution of giving the local IP address isn't a good idea if the address is dynamical). -- Vincent Lefèvre <vinc...@vinc17.net> - Web: <http://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / Arénaire project (LIP, ENS-Lyon)
