On 6/9/2013 12:00 PM, Viktor Dukhovni wrote:
> On Mon, Jun 10, 2013 at 01:17:19AM +1000, Nikolas Kallis wrote:
>
>> Is using 'reject_non_fqdn_helo_hostname' and
>> 'reject_invalid_helo_hostname' even necessary when using
>> 'reject_unknown_helo_hostname'?
>
> You seem to have decided that the client HELO name is a silver
> bullet against spam and the evils of RFC non-conformance. This is
> far from true. Don't waste your time on this. The last of these
> three restrictions is almost never used, it is neither safe to use
> (too much legitimate email rejected) nor very effective.
>
> More fine-grained table lookups (regexp, or even exact matches) on
> the actual HELO name sent are far more likely to be safe and be
> somewhat useful (still not worth the effort in most cases IMHO).
> Perhaps we can move on to another topic.

I guess it depends on whose effort is expended. ;)

Nikolas, you can stop much bot spam by querying the rDNS and HELO strings against this table of fully qualified residential/consumer looking rDNS patterns. Some spam bots do a reverse lookup and use the string in HELO, so it can be effective in HELO checks as well. There are people on this list using this table for one or both.

http://www.hardwarefreak.com/fqrdns.pcre

Instructions for the former are in the file. To use with HELO, simply add this directly after the rDNS restriction:

check_helo_access pcre:/etc/postfix/fqrdns.pcre

Give it a try. Replace REJECT with 'WARN_IF_REJECT' if you'd like to test it without actually rejecting any clients. If you like it, simply overwrite with the original file.

--
Stan
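
An added example, not part of the original message and not taken from fqrdns.pcre: a Python dry run that emulates first-match lookup on a pcre-style access table, so candidate HELO names can be checked offline before a table goes into a restriction list. The table entries, host names and function names are constructed for illustration, and Python's `re` module stands in for PCRE.

```python
import re

# Constructed sample table in pcre_table(5) style ("/pattern/flags action").
# These patterns are illustrative only and are NOT the contents of fqrdns.pcre.
SAMPLE_TABLE = r"""
# names that embed a dashed or dotted IPv4 address
/^\d{1,3}[-.]\d{1,3}[-.]\d{1,3}[-.]\d{1,3}\..+\.example\.net$/  REJECT generic rDNS-style name
/^(dsl|dhcp|pool|dyn)[-.0-9].*\.example\.org$/  WARN consumer-looking name
/^mail\.example\.com$/  DUNNO
"""

def parse_table(text):
    """Parse simple '/pattern/flags action' lines; skip blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/([a-zA-Z]*)\s+(.*)$", line)
        if not m:
            raise ValueError(f"unsupported table line: {line!r}")
        pattern, flags, action = m.groups()
        # pcre_table(5): matching is case-insensitive by default; 'i' toggles it.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action))
    return rules

def lookup(rules, name):
    """Return the action of the first matching rule, or None if nothing matches."""
    for regex, action in rules:
        if regex.search(name):
            return action
    return None

def would_reject(rules, names):
    """List the names whose first matching rule has a REJECT action."""
    return [n for n in names if (lookup(rules, n) or "").startswith("REJECT")]

if __name__ == "__main__":
    rules = parse_table(SAMPLE_TABLE)
    # Constructed HELO names, as a client might send them.
    for helo in ["192-0-2-10.dyn.example.net", "DSL-44.example.org",
                 "mail.example.com", "mx1.example.edu"]:
        print(f"{helo:32} -> {lookup(rules, helo)}")
```

Feeding it HELO names pulled from existing mail logs shows which legitimate senders a table would have hit before any client is actually rejected.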