I suggest you read:
http://faculty.cs.niu.edu/~rickert/cf/bad-ehlo.html 

Personally I use the following.
smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access pcre:/etc/postfix/pcre/helo.pcre
    check_helo_access hash:/etc/postfix/overrule/allow_helo_access.map
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname,
    reject_unknown_helo_hostname,
    reject_unauth_destination

And in the helo.pcre:
## Namebase
/^localhost$/                   554 Don't use my own hostname
/^localhost\.localdomain$/      554 Don't use my own hostname
/^domain\.tld$/                  554 Don't use my own domainname
/^hostname\.domain\.tld$/      554 Don't use my own hostname

## IP Based
/^127\.0\.0\.1$/                554 Don't use my own IP address
/^\[127\.0\.0\.1\]$/            554 Don't use my own IP address
/^\:\:1$/                       554 Don't use my own IP address
/^\[\:\:1\]$/                   554 Don't use my own IP address
/^1\.2\.3\.4$/                  554 Don't use my own IP address

And change domain.tld to your domain.
Here you need all names known to your server (for accepting mail).
And change IP 1.2.3.4 to your IP.

The allow_helo_access.map is used for annoying customers, to allow them.
I give them 2 weeks to fix their setup.
Also, due to changes in Dutch law, I'm obligated to check the HELO for
correctness.

Normally I just refer to these links
(RFC 2821 sections 3.6, 4.1.1.1 and 10.3, and RFC 5321 section 2.3.5):
https://www.ietf.org/rfc/rfc2821.txt
https://www.ietf.org/rfc/rfc5321.txt

And lots of misconfigured Exchange servers (mostly the .local domains):
https://technet.microsoft.com/EN-US/library/jj657457(v=exchg.150).aspx
Lots of them forget to adjust the outgoing SMTP connectors.

And best of all (to avoid spam): the use of postscreen.
Example: 
### Before-220 tests (postscreen / DNSBL)
postscreen_greet_banner         = $myhostname, checking blacklists, please wait.
postscreen_greet_wait = 3s
postscreen_greet_ttl = 2d
postscreen_access_list          =
    permit_mynetworks,
    cidr:/etc/postfix/cidr/postscreen_whitelist_access.cidr,
    cidr:/etc/postfix/cidr/drop.spamhaus-lasso.cidr
postscreen_dnsbl_reply_map      = pcre:/etc/postfix/pcre/postscreen_dnsbl_reply_map.pcre
postscreen_blacklist_action     = drop
postscreen_dnsbl_action         = enforce
postscreen_greet_action         = enforce
postscreen_dnsbl_ttl            = 2h
postscreen_dnsbl_threshold      = 4
postscreen_dnsbl_sites =
        b.barracudacentral.org*4
        bad.psky.me*4
        zen.spamhaus.org*4
        dnsbl.cobion.com*2
        bl.spameatingmonkey.net*2
        fresh.spameatingmonkey.net*2
        dnsbl.anonmails.de*2
        dnsbl.kempt.net*1
        dnsbl.inps.de*2
        bl.spamcop.net*2
        dnsbl.sorbs.net*1
        spam.dnsbl.sorbs.net*2
        psbl.surriel.com*2
        bl.mailspike.net*2
        rep.mailspike.net=127.0.0.[13;14]*1
        bl.suomispam.net*2
        bl.blocklist.de*2
        ix.dnsbl.manitu.net*2
        dnsbl-2.uceprotect.net
        hostkarma.junkemailfilter.com=127.0.0.3
        hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
        # whitelists
        swl.spamhaus.org*-4
        list.dnswl.org=127.0.[0..255].[2;3]*-1
        rep.mailspike.net=127.0.0.[17;18]*-1
        rep.mailspike.net=127.0.0.[19;20]*-2
        hostkarma.junkemailfilter.com=127.0.0.1*-1

At this moment the antispam server behind this postfix setup
is 99.7% spam free.
A good check for RBL servers: http://multirbl.valli.org/



Best regards, 

Louis



> -----Original message-----
> From: tansta...@libertytrek.org [mailto:owner-postfix-us...@postfix.org]
> On behalf of Tanstaafl
> Sent: Wednesday 16 November 2016 13:40
> To: postfix-users@postfix.org
> Subject: Re: regexp for allowing helo host
> 
> On 11/15/2016 6:11 PM, Bill Cole
> <postfixlists-070...@billmail.scconsult.com> wrote:
> > Be aware that if you use reject_unknown_helo_hostname you will have a
> > steady stream of cases for which  you will have to make special
> > exceptions. How steady that stream is depends more on your volume and
> > diversity of legitimate mail than on how heavily spammed you are.
> 
> What Bill is saying here is using reject_unknown_helo_hostname to
> outright reject clients will reject legitimate clients, so unless you
> have a good reason for doing so and know what you are doing and are
> prepared to handle issues like you are experiencing now, don't do it.
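
How the weights in the postscreen_dnsbl_sites list above add up against postscreen_dnsbl_threshold = 4, as an added example that is not part of the original message. It is a simplified Python model of the weighted sum; the function names are hypothetical and the DNSBL replies are constructed.

```python
import re

# Constructed subset of the postscreen_dnsbl_sites list quoted in the message.
SITES = """
zen.spamhaus.org*4
bl.spamcop.net*2
dnsbl-2.uceprotect.net
hostkarma.junkemailfilter.com=127.0.0.3
hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
swl.spamhaus.org*-4
list.dnswl.org=127.0.[0..255].[2;3]*-1
""".split()

ENTRY = re.compile(r"^(?P<domain>[^=*]+)(?:=(?P<filter>[^*]+))?(?:\*(?P<weight>-?\d+))?$")

def parse_site(entry):
    """Split 'domain[=d.d.d.d][*weight]' into (domain, filter, weight); weight defaults to 1."""
    m = ENTRY.match(entry)
    if not m:
        raise ValueError(f"bad postscreen_dnsbl_sites entry: {entry!r}")
    return m["domain"], m["filter"], int(m["weight"] or 1)

def octet_matches(pattern, value):
    """Match one octet against 'n', '[a;b]' or '[lo..hi]' (alternatives separated by ';')."""
    for alt in pattern.strip("[]").split(";"):
        lo, _, hi = alt.partition("..")
        if int(lo) <= value <= int(hi or lo):
            return True
    return False

def reply_matches(filt, address):
    """An entry without '=filter' counts any A record as a listing."""
    if filt is None:
        return True
    parts = re.findall(r"\[[^\]]*\]|\d+", filt)  # keeps '[0..255]' in one piece
    octets = [int(o) for o in address.split(".")]
    return all(octet_matches(p, v) for p, v in zip(parts, octets))

def dnsbl_score(sites, replies):
    """Sum the weights of entries whose domain returned a matching A record.
    replies: {dnsbl domain: [A records]} for one client IP (constructed input)."""
    total = 0
    for domain, filt, weight in map(parse_site, sites):
        if any(reply_matches(filt, a) for a in replies.get(domain, [])):
            total += weight
    return total

def would_block(sites, replies, threshold=4):
    """True when the score reaches postscreen_dnsbl_threshold."""
    return dnsbl_score(sites, replies) >= threshold
```

With these weights a single zen.spamhaus.org hit reaches the threshold on its own, while two or three of the low-weight lists have to agree before a client is blocked, and a whitelist hit can cancel a listing.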