L.P.H. van Belle [2016-11-16 13:59 +0100] :

> I suggest you read:
> http://faculty.cs.niu.edu/~rickert/cf/bad-ehlo.html
>
> Personally I use the following.
> smtpd_helo_restrictions =
>     permit_mynetworks,
>     check_helo_access pcre:/etc/postfix/pcre/helo.pcre
>     check_helo_access hash:/etc/postfix/overrule/allow_helo_access.map
>     reject_invalid_helo_hostname,
>     reject_non_fqdn_helo_hostname,
>     reject_unknown_helo_hostname,
>     reject_unauth_destination
> 
> And in the helo.pcre:
> ## Namebase
> /^localhost$/                   554 Don't use my own hostname
> /^localhost\.localdomain$/      554 Don't use my own hostname
> /^domain\.tld$/                  554 Don't use my own domainname
> /^hostname\.domain\.tld$/      554 Don't use my own hostname
> 
> ## IP Based
> /^127\.0\.0\.1$/                554 Don't use my own IP address
> /^\[127\.0\.0\.1\]$/            554 Don't use my own IP address
> /^\:\:1$/                       554 Don't use my own IP address
> /^\[\:\:1\]$/                   554 Don't use my own IP address
> /^1\.2\.3\.4$/                  554 Don't use my own IP address
> 
> And change domain.tld to your domain.
> Here you need all names known to your server (for accepting mail).
> And change IP 1.2.3.4 to your IP.
>
> The allow_helo_access.map is used for annoying customers, to allow them.
> I give them 2 weeks to fix their setup.
> Also, due to changes in Dutch law, I'm obligated to check the HELO for
> correctness.
> 
> Normally I just refer to these links.
> (RFC 2821 sections 3.6, 4.1.1.1 and 10.3, and RFC 5321 section 2.3.5)
> https://www.ietf.org/rfc/rfc2821.txt
> https://www.ietf.org/rfc/rfc5321.txt
> 
> And lots of misconfigured Exchange servers (mostly the .local domains):
> https://technet.microsoft.com/EN-US/library/jj657457(v=exchg.150).aspx
> Lots of them forget to adjust the outgoing SMTP connectors.
>
> And best of all (to avoid spam): the use of postscreen.
> Example: 
> ### Before-220 tests (postscreen / DNSBL)
> postscreen_greet_banner         = $myhostname, checking blacklists, please wait.
> postscreen_greet_wait = 3s
> postscreen_greet_ttl = 2d
> postscreen_access_list          =
>     permit_mynetworks,
>     cidr:/etc/postfix/cidr/postscreen_whitelist_access.cidr,
>     cidr:/etc/postfix/cidr/drop.spamhaus-lasso.cidr
> postscreen_dnsbl_reply_map      = pcre:/etc/postfix/pcre/postscreen_dnsbl_reply_map.pcre
> postscreen_blacklist_action     = drop
> postscreen_dnsbl_action         = enforce
> postscreen_greet_action         = enforce
> postscreen_dnsbl_ttl            = 2h
> postscreen_dnsbl_threshold      = 4
> postscreen_dnsbl_sites =
>         b.barracudacentral.org*4
>         bad.psky.me*4
>         zen.spamhaus.org*4
>         dnsbl.cobion.com*2
>         bl.spameatingmonkey.net*2
>         fresh.spameatingmonkey.net*2
>         dnsbl.anonmails.de*2
>         dnsbl.kempt.net*1
>         dnsbl.inps.de*2
>         bl.spamcop.net*2
>         dnsbl.sorbs.net*1
>         spam.dnsbl.sorbs.net*2
>         psbl.surriel.com*2
>         bl.mailspike.net*2
>         rep.mailspike.net=127.0.0.[13;14]*1
>         bl.suomispam.net*2
>         bl.blocklist.de*2
>         ix.dnsbl.manitu.net*2
>         dnsbl-2.uceprotect.net
>         hostkarma.junkemailfilter.com=127.0.0.3
>         hostkarma.junkemailfilter.com=127.0.0.[2;4]*2
>         # whitelists
>         swl.spamhaus.org*-4
>         list.dnswl.org=127.0.[0..255].[2;3]*-1
>         rep.mailspike.net=127.0.0.[17;18]*-1
>         rep.mailspike.net=127.0.0.[19;20]*-2
>         hostkarma.junkemailfilter.com=127.0.0.1*-1
> 
> At this moment the antispam server behind this Postfix setup
> is 99.7% spam free.
> A good check for RBL servers: http://multirbl.valli.org/

Thanks for sharing your configuration and links. All very helpful
-- and multirbl.valli.org is a great tool!

    Niklaas
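
How the weighted postscreen_dnsbl_sites entries in the quoted configuration add up against postscreen_dnsbl_threshold = 4, as an added Python sketch (not part of the original thread and not Postfix code). It assumes each entry adds its weight once when its domain returns a matching address; the function names and the DNSBL replies are constructed for illustration.

```python
import re

# Subset of the postscreen_dnsbl_sites entries from the quoted configuration.
SITES = """
zen.spamhaus.org*4
bl.spamcop.net*2
rep.mailspike.net=127.0.0.[13;14]*1
dnsbl-2.uceprotect.net
list.dnswl.org=127.0.[0..255].[2;3]*-1
rep.mailspike.net=127.0.0.[17;18]*-1
swl.spamhaus.org*-4
"""
THRESHOLD = 4  # postscreen_dnsbl_threshold from the quoted configuration

# Constructed sample: listed on zen (+4) and on dnswl (-1) -> score 3, not blocked.
SAMPLE = {"zen.spamhaus.org": ["127.0.0.2"], "list.dnswl.org": ["127.0.5.2"]}

def parse_entry(entry):
    """Split 'domain[=filter][*weight]' into (domain, filter or None, weight)."""
    m = re.fullmatch(r"([^=*\s]+)(?:=([^*\s]+))?(?:\*(-?\d+))?", entry)
    if not m:
        raise ValueError(f"bad entry: {entry!r}")
    return m.group(1), m.group(2), int(m.group(3) or 1)  # weight defaults to 1

def octet_matches(pattern, octet):
    """Match one octet against a plain number or a '[a;b..c]' alternative list."""
    if not pattern.startswith("["):
        return int(pattern) == octet
    ranges = (p.partition("..") for p in pattern[1:-1].split(";"))
    return any(int(lo) <= octet <= int(hi or lo) for lo, _, hi in ranges)

def filter_matches(flt, addr):
    """True if a reply address satisfies the filter; no filter accepts any reply."""
    if flt is None:
        return True
    patterns = re.findall(r"\[[^\]]*\]|\d+", flt)
    octets = [int(o) for o in addr.split(".")]
    return len(patterns) == 4 and all(map(octet_matches, patterns, octets))

def dnsbl_score(replies, sites=SITES):
    """Sum entry weights; replies maps each DNSBL domain to its A-record replies."""
    score = 0
    for entry in sites.split():
        domain, flt, weight = parse_entry(entry)
        if any(filter_matches(flt, a) for a in replies.get(domain, [])):
            score += weight
    return score
```

A client is blocked when dnsbl_score(...) >= THRESHOLD, so the negative whitelist weights can pull a client that is listed on a single weight-4 list back under the limit.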
