On Tue, Sep 13, 2016 at 08:16:30PM +0300, Nikolaos Milas wrote:
> We have notified them that their helo answer is different than their
> mail server name / FQDN (so as to change it) and they say that we
> should not be restricting access due to this:
>
> "The HELO receiver MAY verify that the HELO parameter really
> corresponds to the IP address of the sender. However, the receiver
> MUST NOT refuse to accept a message, even if the sender's HELO
> command fails verification. http://www.ietf.org/rfc/rfc1123.txt
> (section 5.2.5)"

This applies to the mapping from (valid) name to IP. You must not refuse mails because of that. It however does not apply to the check if the name is actually valid.

> 1. How should we treat this issue?

You can get the same result easier by pulling the plug. reject_unknown_helo_hostname is an easy way to remove yourself from the mail universe.

> # postconf -n
> mail_name = NOA Mail Srv XAPITI XPICTOY

Not good, as the string ESMTP is expected in it.

> postscreen_dnsbl_action = enforce
> postscreen_dnsbl_sites = b.barracudacentral.org*2,
> zen.spamhaus.org*2, psbl.surriel.com*2
> postscreen_dnsbl_threshold = 2

Why do you use weights if one RBL is again enough to reject?

> smtpd_recipient_restrictions = check_client_access
> hash:/etc/postfix/amavis_bypass check_sender_access
> hash:/etc/postfix/blacklisted_senders reject_unverified_recipient
> reject_unauth_destination check_recipient_access
> hash:/etc/postfix/protected_destinations
> check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre
> permit_mynetworks reject_invalid_hostname reject_unauth_pipelining
> reject_non_fqdn_sender reject_unknown_sender_domain
> reject_non_fqdn_recipient reject_unknown_recipient_domain
> reject_unknown_helo_hostname reject_invalid_helo_hostname
> reject_non_fqdn_helo_hostname reject_rbl_client
> b.barracudacentral.org reject_rbl_client zen.spamhaus.org
> reject_rbl_client psbl.surriel.com reject_rbl_client bl.spamcop.net
> reject_rbl_client dnsbl.sorbs.net reject_rhsbl_client
> dbl.spamhaus.org reject_rhsbl_sender dbl.spamhaus.org
> reject_rhsbl_helo dbl.spamhaus.org check_policy_service
> unix:postgrey/socket permit

I'm not gonna decode this. There is a reason why the documentation is pretty clear on how to use postconf (aka use -nf).

Bastian

-- 
Suffocating together ... would create heroic camaraderie.
		-- Khan Noonian Singh, "Space Seed", stardate 3142.8