On 01/04/2011 09:47, Vincent Lefevre wrote:
> On 2011-03-31 21:16:16 +0200, Jeroen Geilman wrote:
>> HELO checks are the primary defense against backscatter of this sort; I use
>> a simple subset of the available options:
>>
>> smtpd_helo_restrictions = reject_invalid_helo_hostname,
>> reject_unknown_helo_hostname, reject_non_fqdn_helo_hostname,
>> check_helo_access hash:/etc/postfix/helo_access, permit
>>
>> Where helo_access contains my own IPs and hostnames.
>>
>> This setup will reject an AMAZING amount of spam.
>> Fair warning: it may also yield the occasional false positive due to a
>> misconfigured client mail system!
>> The usual warn_if_reject will help out with that.
> 
> I really think it is a bad idea to use reject_unknown_helo_hostname.
> Some machines sending mail are on a local network, so that resolving
> their hostname doesn't make sense outside this network.

we're not asking them to resolve their hostname. we're only asking them
to use a "real" name. it's as easy as
myhostname = joe.example.com

with a "joe.example.com" that exists in DNS.

I don't use reject_unknown_helo_hostname. however, I watch my dog^W log,
and I blocklist an IP that uses a "dumb" helo if it ever gets under my
attention (mostly in the case of a rejection such as "user unknown", but
also if spam filter says it is probably spam...).

let me state this differently:

- there are people who are cooperative. they do everything to look good.
they work "with us". these people are welcome, and if we ever block
them, we'll apologize and whitelist them on demand

- there are the "uncooperative" people. most of these don't know how
smtp works. we will happily accept their mail as long as it goes to
valid recipients and is not caught by filters. as soon as they trigger a
filter (including "user unknown"), there is no mercy.


> The main
> goal of the EHLO hostname being for logging purpose (to identify
> the machine), 

I don't care for the helo name. the "machine" is identified by its IP.
helo only shows "some" stupid systems. I'm only using it to reject
zombies.

> the easiest solution may be to give the hostname (the
> alternate solution of giving the local IP address isn't a good idea
> if the address is dynamical).

if you have a dynamic IP, it is still a good idea to use a "static"
helo. even if it doesn't resolve to your IP. I know some other people
may say the opposite (require helo to resolve to IP), but I won't go
that far (I accept mail from dynamic IPs if the "owner" does some
efforts...).
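An offline model of the smtpd_helo_restrictions chain quoted at the top of the thread, added here as an illustration; it is not code from the thread or from Postfix. It assumes a constructed DNS table (FAKE_DNS) in place of real A/MX lookups, a constructed helo_access map (HELO_ACCESS), a simplified hostname-syntax check, and a warn_if_reject switch that applies to every reject in the chain rather than to one prefixed restriction. It keeps one property of the real thing exactly: restrictions are evaluated in the order listed and the first OK or REJECT wins, so an allowlist entry placed after reject_unknown_helo_hostname is never consulted for a name that does not resolve.

```python
"""Offline model of a Postfix smtpd_helo_restrictions chain (added example, not Postfix code)."""
import re
from typing import Callable, List, Optional, Tuple

# Constructed DNS answers so the script runs offline (hypothetical names, no real lookups).
FAKE_DNS = {"joe.example.com", "mail.example.net", "example.org"}


def fake_resolve(name: str) -> bool:
    """Stand-in for the A/MX lookup behind reject_unknown_helo_hostname."""
    return name.lower().rstrip(".") in FAKE_DNS


# Stand-in for hash:/etc/postfix/helo_access ("my own IPs and hostnames"); hypothetical entries.
HELO_ACCESS = {
    "192.0.2.10": "OK",
    "internal.example.com": "OK",   # access maps also match subdomains of this key
}

LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

Resolver = Callable[[str], bool]


def address_literal(helo: str) -> bool:
    """[1.2.3.4] style HELO; the RFC allows it, so the hostname tests skip it."""
    return helo.startswith("[") and helo.endswith("]")


def reject_invalid_helo_hostname(helo: str, resolve: Resolver) -> Optional[str]:
    """Approximation of the syntax check: dot-separated labels of letters, digits, hyphens."""
    if address_literal(helo):
        return None
    labels = helo.rstrip(".").split(".")
    if len(helo) > 255 or not all(LABEL.match(label) for label in labels):
        return "REJECT invalid HELO hostname"
    return None


def reject_unknown_helo_hostname(helo: str, resolve: Resolver) -> Optional[str]:
    """Reject when the name has no A or MX record (here: not in FAKE_DNS)."""
    if address_literal(helo) or resolve(helo):
        return None
    return "REJECT unknown HELO hostname"


def reject_non_fqdn_helo_hostname(helo: str, resolve: Resolver) -> Optional[str]:
    """Reject bare names such as 'localhost' or 'ylmf-pc' that carry no domain part."""
    if address_literal(helo) or "." in helo.rstrip("."):
        return None
    return "REJECT non-FQDN HELO hostname"


def check_helo_access(helo: str, resolve: Resolver) -> Optional[str]:
    """Access-map lookup: exact key first, then each parent domain (IPs are looked up as-is)."""
    key = helo.strip("[]").lower().rstrip(".")
    parts = key.split(".")
    candidates = [key] if IPV4.match(key) else [".".join(parts[i:]) for i in range(len(parts))]
    for candidate in candidates:
        if candidate in HELO_ACCESS:
            action = HELO_ACCESS[candidate]
            return "OK" if action == "OK" else "REJECT " + action
    return None


# Same order as the quoted main.cf line; "permit" is the implicit end of the list.
RESTRICTIONS = [reject_invalid_helo_hostname, reject_unknown_helo_hostname,
                reject_non_fqdn_helo_hostname, check_helo_access]


def evaluate(helo: str, resolve: Resolver = fake_resolve,
             warn_if_reject: bool = False) -> Tuple[str, List[str]]:
    """Run the chain; first OK/REJECT wins. Returns ('permit'|'reject', log lines)."""
    log: List[str] = []
    for restriction in RESTRICTIONS:
        result = restriction(helo, resolve)
        if result is None:                      # DUNNO: ask the next restriction
            continue
        if result.startswith("REJECT") and warn_if_reject:
            log.append(f"reject_warning: {result} from helo=<{helo}> ({restriction.__name__})")
            continue                            # warn_if_reject: log and keep going
        log.append(f"{result} helo=<{helo}> ({restriction.__name__})")
        return ("permit" if result == "OK" else "reject"), log
    return "permit", log


if __name__ == "__main__":
    # Constructed HELO names typical of real traffic: good FQDN, address literal, zombie-style junk.
    for sample in ["joe.example.com", "[192.0.2.10]", "localhost", "ylmf-pc",
                   "foo_bar.example.com", "internal.example.com"]:
        verdict, lines = evaluate(sample, warn_if_reject=False)
        print(f"{sample:24} -> {verdict:6} {' | '.join(lines)}")
```

Running it shows "internal.example.com" rejected even though it is in HELO_ACCESS: with the map listed after the reject_* tests it only exempts names that already pass them. Running with warn_if_reject=True turns "ylmf-pc" into two logged warnings and a permit, which is the mode the quoted post suggests for spotting false positives before enforcing.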

