This is how I run it (Postfix 2.11.x on Debian Jessie).
This stops a lot of "spamming" servers, and if anyone sees improvements, I'm all ears ;-)
This was a drop of about 90% of all spam; the remaining spam used "good" configured servers :-/ but for that there is SpamAssassin.

unknown_hostname_reject_code = 550
unknown_client_reject_code = 550
unknown_address_reject_code = 550
unverified_recipient_reject_code = 550

smtpd_client_restrictions =
    permit_mynetworks,
    check_client_access hash:/etc/postfix/overrule/allow_client_access.map,
    check_client_access cidr:/etc/postfix/cidr/drop.spamhaus-lasso.cidr,
    check_client_access cidr:/etc/postfix/cidr/drop.tor-exitnode-ips.cidr,
    check_client_access cidr:/etc/postfix/cidr/drop.bad-networks.cidr,
    weightcheck_policy,
    spfcheck_policy,
#    greycheck_policy,
    reject_unauth_destination,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    reject_unauth_pipelining

smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access pcre:/etc/postfix/pcre/helo.pcre
    check_helo_access hash:/etc/postfix/overrule/allow_helo_access.map
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    reject_unauth_destination,
    reject_unauth_pipelining

In helo.pcre, put all known hostnames and IPs your server is using.

## Name based
/^localhost$/                   554 Don't use my own hostname
/^localhost\.localdomain$/      554 Don't use my own hostname
/^localhost\.domain\.tld$/      554 Don't use my own hostname
/^ip6-localhost$/               554 Don't use my own hostname
/^domain\.tld$/                 554 Don't use my own domainname
/^hostname\.domain\.tld$/       554 Don't use my own hostname
## IP Based
/^127\.0\.0\.1$/                554 Don't use my own IP address
/^\[127\.0\.0\.1\]$/            554 Don't use my own IP address
/^\:\:1$/                       554 Don't use my own IP address
/^\[\:\:1\]$/                   554 Don't use my own IP address
/^1\.2\.3\.4$/                  554 Don't use my own IP address
/^\[1\.2\.3\.4\]$/              554 Don't use my own IP address

If you get in trouble with customers, put this in overrule/allow_helo_access.map (IP OK):

1.2.3.4 OK

smtpd_sender_restrictions =
    permit_mynetworks,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    check_sender_mx_access cidr:/etc/postfix/cidr/check_sender_mx_access.cidr,
    reject_unauth_pipelining

smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_recipient_domain

smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    reject_unknown_recipient_domain,
    check_policy_service unix:private/policy-spf

### Before-220 tests (postscreen / DNSBL)
postscreen_access_list =
    permit_mynetworks,
    cidr:/etc/postfix/cidr/postscreen_whitelist_access.cidr,
    cidr:/etc/postfix/cidr/postscreen_spamhaus-lasso_access.cidr

postscreen_dnsbl_reply_map = pcre:/etc/postfix/pcre/postscreen_dnsbl_reply_map.pcre
postscreen_blacklist_action = drop
postscreen_dnsbl_action = enforce
postscreen_greet_action = enforce
postscreen_dnsbl_threshold = 4
postscreen_dnsbl_sites =
    zen.spamhaus.org*3
    b.barracudacentral.org*2
    bl.spameatingmonkey.net*2
    dnsbl.anonmails.de
    dnsbl.kempt.net
    dnsbl.inps.de
    bl.spamcop.net
    dnsbl.sorbs.net
    psbl.surriel.com
    bl.mailspike.net
    swl.spamhaus.org*-4

postscreen_whitelist_interfaces = $mynetworks, static:all

Greetz,

Louis

> -----Original message-----
> From: nico...@devels.es [mailto:owner-postfix-us...@postfix.org] On behalf of Nicolás
> Sent: Wednesday 23 December 2015 16:10
> To: postfix-users@postfix.org
> Subject: Re: How to Block EHLO/HELO that has IP Only
>
>
> On 23/12/15 at 08:38, L. D. James wrote:
> > I have many log entries where there are "helo=[1.2.3.4]" entries with
> > no domain name. It has an IP address only. Each of these occasions
> > are unwanted spam messages.
> >
> > Can someone specify a policy restriction that will block these messages.
> >
> > An example from the log is:
> >
> > Dec 22 16:00:52 hera5 policyd-spf[9883]: None; identity=mailfrom;
> > client-ip=75.211.27.210; helo=[63.205.88.41];
> > envelope-from=dtrue-nore...@example.com; receiver=u...@example.com
> >
> > Thanks in advance for any suggestions on this.
> >
> > -- L. James
> >
>
> You can use reject_non_fqdn_helo_hostname in the smtpd_helo_restrictions
> parameter. For example:
>
> smtpd_helo_restrictions =
>     permit_mynetworks
>     reject_non_fqdn_helo_hostname
>     reject_unknown_helo_hostname
>     permit
>
> Regards,
>
> Nicolás
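
Before enforcing a HELO restriction, it helps to measure how often IP-only HELOs actually appear in the log. The following is an added example, not part of the original thread: it tallies HELO types from policyd-spf lines in the format quoted above and lists IP HELOs that differ from the connecting client. The sample log lines (documentation addresses) and the function names are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address

# key=value fields that policyd-spf writes, as in the log line quoted in the thread
FIELD = re.compile(r"(client-ip|helo)=([^;\s]+)")

# Constructed sample lines in the policyd-spf format (not real traffic).
SAMPLE_LOG = """\
Dec 22 16:00:52 mx policyd-spf[9883]: None; identity=mailfrom; client-ip=192.0.2.10; helo=[198.51.100.7]; envelope-from=a@example.com; receiver=u@example.com
Dec 22 16:01:10 mx policyd-spf[9884]: Pass; identity=mailfrom; client-ip=192.0.2.25; helo=mail.example.net; envelope-from=b@example.net; receiver=u@example.com
Dec 22 16:02:31 mx policyd-spf[9885]: None; identity=mailfrom; client-ip=203.0.113.5; helo=[203.0.113.5]; envelope-from=c@example.org; receiver=u@example.com
Dec 22 16:03:02 mx policyd-spf[9886]: None; identity=mailfrom; client-ip=192.0.2.77; helo=203.0.113.9; envelope-from=d@example.org; receiver=u@example.com
Dec 22 16:03:40 mx policyd-spf[9887]: None; identity=mailfrom; client-ip=192.0.2.80; helo=[IPv6:2001:db8::1]; envelope-from=e@example.org; receiver=u@example.com
"""

def parse_helo(helo):
    """Return (kind, address): 'literal' for [a.b.c.d] or [IPv6:...],
    'bare-ip' for an unbracketed address, 'name' (address None) otherwise."""
    bracketed = helo.startswith("[") and helo.endswith("]")
    inner = helo[1:-1] if bracketed else helo
    if bracketed and inner.lower().startswith("ipv6:"):
        inner = inner[5:]
    try:
        addr = ip_address(inner)
    except ValueError:
        return "name", None
    return ("literal" if bracketed else "bare-ip"), addr

def audit(log_text):
    """Count HELO kinds and collect (client-ip, helo) pairs where an IP HELO
    does not match the connecting client address."""
    kinds, mismatches = Counter(), []
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if "helo" not in fields:
            continue
        kind, addr = parse_helo(fields["helo"])
        kinds[kind] += 1
        client = fields.get("client-ip")
        if addr is not None and client and addr != ip_address(client):
            mismatches.append((client, fields["helo"]))
    return kinds, mismatches

if __name__ == "__main__":
    kinds, mismatches = audit(SAMPLE_LOG)
    print(dict(kinds))
    for client, helo in mismatches:
        print(f"client {client} announced {helo}")
```

Feeding it the real mail log instead of SAMPLE_LOG shows which clients would be affected, so legitimate senders can be added to an allow map first.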