This is how I run it (Postfix 2.11.x on Debian Jessie).
This stops a lot of "spamming" servers, and if anyone sees improvements... I'm
all ears. ;-)
This was a drop of about 90% of all spam; the remaining spam came from "well"
configured servers... :-/ but for that there is SpamAssassin...
unknown_hostname_reject_code = 550
unknown_client_reject_code = 550
unknown_address_reject_code = 550
unverified_recipient_reject_code = 550

smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access hash:/etc/postfix/overrule/allow_client_access.map,
    check_client_access cidr:/etc/postfix/cidr/drop.spamhaus-lasso.cidr,
    check_client_access cidr:/etc/postfix/cidr/drop.tor-exitnode-ips.cidr,
    check_client_access cidr:/etc/postfix/cidr/drop.bad-networks.cidr,
    weightcheck_policy,
    spfcheck_policy,
#   greycheck_policy,
    reject_unauth_destination,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    reject_unauth_pipelining

smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access pcre:/etc/postfix/pcre/helo.pcre,
    check_helo_access hash:/etc/postfix/overrule/allow_helo_access.map,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    reject_unauth_destination,
    reject_unauth_pipelining
In helo.pcre, put all known hostnames and IP addresses your server is using.
## Name based
/^localhost$/ 554 Don't use my own hostname
/^localhost\.localdomain$/ 554 Don't use my own hostname
/^localhost\.domain\.tld$/ 554 Don't use my own hostname
/^ip6-localhost$/ 554 Don't use my own hostname
/^domain\.tld$/ 554 Don't use my own domainname
/^hostname\.domain\.tld$/ 554 Don't use my own hostname
## IP Based
/^127\.0\.0\.1$/ 554 Don't use my own IP address
/^\[127\.0\.0\.1\]$/ 554 Don't use my own IP address
/^\:\:1$/ 554 Don't use my own IP address
/^\[\:\:1\]$/ 554 Don't use my own IP address
/^1\.2\.3\.4$/ 554 Don't use my own IP address
/^\[1\.2\.3\.4\]$/ 554 Don't use my own IP address
If you get in trouble with customers, put the IP in overrule/allow_helo_access.map (IP OK):
1.2.3.4 OK
smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    check_sender_mx_access cidr:/etc/postfix/cidr/check_sender_mx_access.cidr,
    reject_unauth_pipelining

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_recipient_domain

smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    check_policy_service unix:private/policy-spf

### Before-220 tests (postscreen / DNSBL)
postscreen_access_list = permit_mynetworks,
    cidr:/etc/postfix/cidr/postscreen_whitelist_access.cidr,
    cidr:/etc/postfix/cidr/postscreen_spamhaus-lasso_access.cidr
postscreen_dnsbl_reply_map =
    pcre:/etc/postfix/pcre/postscreen_dnsbl_reply_map.pcre
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_threshold = 4
postscreen_dnsbl_sites =
    zen.spamhaus.org*3
    b.barracudacentral.org*2
    bl.spameatingmonkey.net*2
    dnsbl.anonmails.de
    dnsbl.kempt.net
    dnsbl.inps.de
    bl.spamcop.net
    dnsbl.sorbs.net
    psbl.surriel.com
    bl.mailspike.net
    swl.spamhaus.org*-4
postscreen_whitelist_interfaces = $mynetworks, static:all
Greetz,
Louis
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] On behalf of
> Nicolás
> Sent: Wednesday 23 December 2015 16:10
> To: [email protected]
> Subject: Re: How to Block EHLO/HELO that has IP Only
>
>
> On 23/12/15 at 08:38, L. D. James wrote:
> > I have many log entries where there are "helo=[1.2.3.4]" entries with
> > no domain name. It has an IP address only. Each of these occasions
> > is an unwanted spam message.
> >
> > Can someone specify a policy restriction that will block these
> > messages?
> >
> > An example from the log is:
> >
> > Dec 22 16:00:52 hera5 policyd-spf[9883]: None; identity=mailfrom;
> > client-ip=75.211.27.210; helo=[63.205.88.41];
> > [email protected]; [email protected]
> >
> > Thanks in advance for any suggestions on this.
> >
> > -- L. James
> >
>
> You can use reject_non_fqdn_helo_hostname in the smtpd_helo_restrictions
> parameter. For example:
>
> smtpd_helo_restrictions =
>     permit_mynetworks
>     reject_non_fqdn_helo_hostname
>     reject_unknown_helo_hostname
>     permit
>
> Regards,
>
> Nicolás
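The two approaches in this thread (Nicolás's reject_non_fqdn_helo_hostname and Louis's check_helo_access pcre table) catch different HELO arguments, and the log line quoted above is a useful test case. postconf(5) documents reject_non_fqdn_helo_hostname as rejecting a HELO name that is not in fully-qualified domain or address-literal form, so a syntactically valid bracketed IP such as [63.205.88.41] passes that restriction; it is the explicit [...] patterns in a pcre table that reject address literals. The script below is an added example, not code from the thread or from Postfix: it parses a pcre: access table in the format of Louis's helo.pcre (the table contents are constructed from the post's placeholders, plus one extra rule of mine that generalises the per-IP entries to any IPv4 literal, a policy choice since RFC 5321 permits literals), approximates the documented non-FQDN check in a function named non_fqdn_helo (IPv4 literals only; an assumption, not Postfix's own code), and runs both over constructed policyd-spf log lines in the format quoted by L. D. James.

```python
import re

# Constructed pcre: table modelled on the post's helo.pcre (placeholders from the post).
HELO_PCRE_POST = r"""
## Name based
/^localhost$/ 554 Don't use my own hostname
/^localhost\.localdomain$/ 554 Don't use my own hostname
/^hostname\.domain\.tld$/ 554 Don't use my own hostname
## IP based
/^127\.0\.0\.1$/ 554 Don't use my own IP address
/^\[127\.0\.0\.1\]$/ 554 Don't use my own IP address
/^1\.2\.3\.4$/ 554 Don't use my own IP address
/^\[1\.2\.3\.4\]$/ 554 Don't use my own IP address
"""

# My extension (assumption, not from the post): reject every IPv4 address literal.
# RFC 5321 allows address literals, so this is a local policy decision.
HELO_PCRE_LITERALS = r"""
/^\[\d{1,3}(\.\d{1,3}){3}\]$/ 554 HELO with a bare IP address literal is not accepted here
"""

# /pattern/flags action ; the pattern may contain escaped slashes.
RULE_RE = re.compile(r'^/((?:\\.|[^/\\])*)/([a-zA-Z]*)\s+(.*)$')


def parse_pcre_table(text):
    """Parse a Postfix pcre: access table into (compiled_regex, action) pairs.
    Per pcre_table(5) matching is case-insensitive by default and the 'i' flag
    toggles it off; '#' lines and blank lines are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable pcre table line: {line!r}")
        pattern, flags, action = m.groups()
        re_flags = 0 if 'i' in flags else re.IGNORECASE
        rules.append((re.compile(pattern, re_flags), action))
    return rules


def lookup_helo(helo, rules):
    """First matching action (e.g. '554 text'), or None (Postfix DUNNO).
    pcre tables use an unanchored search, so patterns carry their own ^ and $."""
    for regex, action in rules:
        if regex.search(helo):
            return action
    return None


IPV4_LITERAL = re.compile(r'^\[(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\]$')
LABEL = re.compile(r'^[a-z0-9]([a-z0-9-]*[a-z0-9])?$', re.IGNORECASE)


def non_fqdn_helo(helo):
    """Approximation (assumed, IPv4 literals only) of reject_non_fqdn_helo_hostname:
    True when the HELO is neither a multi-label hostname nor a valid address literal."""
    m = IPV4_LITERAL.match(helo)
    if m:
        return not all(0 <= int(octet) <= 255 for octet in m.groups())
    labels = helo.split('.')
    if len(labels) < 2:
        return True
    return not all(LABEL.match(label) for label in labels)


# Constructed log lines in the policyd-spf format quoted in the thread.
SAMPLE_LOG = """\
Dec 22 16:00:52 hera5 policyd-spf[9883]: None; identity=mailfrom; client-ip=75.211.27.210; helo=[63.205.88.41]; envelope-from=sender@example.net; receiver=user@example.com
Dec 22 16:01:10 hera5 policyd-spf[9883]: Pass; identity=mailfrom; client-ip=192.0.2.10; helo=mail.example.org; envelope-from=sender@example.org; receiver=user@example.com
Dec 22 16:02:33 hera5 policyd-spf[9883]: None; identity=mailfrom; client-ip=198.51.100.7; helo=localhost; envelope-from=sender@example.net; receiver=user@example.com
"""

LOG_RE = re.compile(r'client-ip=(?P<ip>[^;]+); helo=(?P<helo>[^;]+);')


def classify_log(text, rules):
    """Return (client_ip, helo, verdict) per line: the pcre action, 'non-fqdn'
    when the documented non-FQDN check would fire, otherwise 'accept'."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        helo = m['helo']
        action = lookup_helo(helo, rules)
        verdict = action or ('non-fqdn' if non_fqdn_helo(helo) else 'accept')
        out.append((m['ip'], helo, verdict))
    return out


if __name__ == '__main__':
    post_only = parse_pcre_table(HELO_PCRE_POST)
    with_literals = parse_pcre_table(HELO_PCRE_POST + HELO_PCRE_LITERALS)
    for ip, helo, verdict in classify_log(SAMPLE_LOG, post_only):
        print(f"post table only : {ip:16} helo={helo:18} -> {verdict}")
    for ip, helo, verdict in classify_log(SAMPLE_LOG, with_literals):
        print(f"with literal rule: {ip:16} helo={helo:18} -> {verdict}")
```

With the post's table alone, helo=[63.205.88.41] is accepted because it is a valid address literal and matches none of the server's own addresses; only the added generic literal rule rejects it. helo=localhost is rejected by the table either way, and mail.example.org passes both checks.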