On 22/10/20 7:24 am, Rich Wales wrote:
> I would still like to figure out a way, btw, to catch locally generated
> spam of this sort in Postfix.  I've already asked here about rejecting
> HELO/EHLO when the client is localhost but the HELO/EHLO host is not
> localhost -- I still think this would make sense, but I'm getting the
> clear impression that it's just not there and just isn't going to get
> added.  Or maybe I can reduce my use of permit_mynetworks in my
> configuration -- I am currently invoking permit_mynetworks in my client,
> HELO, sender, relay, and recipient smtpd restrictions, maybe this is
> excessive.

This sounds like the perfect candidate for a simple access policy. See: http://www.postfix.org/SMTPD_POLICY_README.html

In summary, you'd want to create a script in a language of your choice, which in the simplest case does this:

1. Reads in lines until a blank line.
2. Then sees if the lines that it read included the line
   "client_address=127.0.0.1".
3. If it did, then it checks if it also received the line
   "helo_name=localhost".
4. Then it outputs a result based on the results of steps #2 & #3:
     * If #2 matched and #3 matched, then it prints "dunno", followed
       by a blank line.
     * If #2 matched but #3 didn't, then it prints "reject You look
       like you're trying to get me to send spam", followed by a blank
       line.
     * If #2 didn't match, then it prints "dunno", followed by a blank
       line.

NB: The reason for using "dunno" (rather than "ok") is so that other following checks will still be performed.

Then:

1. Configure a new service in master.cf to run your script (using spawn).
2. Add "check_policy_service" into your smtpd_helo_restrictions option
   (before permit_mynetworks) to tell Postfix to use the script.

Of course I've glossed over a lot of detail, and so I'd recommend reading the Postfix documentation and/or looking at some example policies (e.g. I use postfix-policyd-spf-python for SPF) to get your head around how policies work, before implementing what I suggested above.

Also remember "warn_if_reject" is your best friend when writing policy scripts! :-)

Nick.
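
The policy script outlined in the message above, as an added example that is not part of the original post. It replies in the `action=...` form the policy delegation protocol uses, and goes slightly beyond the post by treating any loopback address (not only 127.0.0.1) as local and comparing the HELO name case-insensitively. The service name `helocheck` and the script path are hypothetical.

```python
#!/usr/bin/env python3
# Added example: Postfix policy delegate for the localhost HELO check.
# Assumed wiring (service name "helocheck" and script path are hypothetical):
#   master.cf: helocheck unix - n n - 0 spawn
#                user=nobody argv=/usr/local/bin/helo_policy.py
#   main.cf:   smtpd_helo_restrictions =
#                check_policy_service unix:private/helocheck, permit_mynetworks
import ipaddress
import sys

REJECT = "reject You look like you're trying to get me to send spam"


def parse_request(lines):
    """Turn the name=value lines of one request into a dict."""
    return dict(line.split("=", 1) for line in lines if "=" in line)


def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # empty or unparsable client_address
        return False


def decide(attrs):
    """Return the action for one request; 'dunno' lets later checks run."""
    if is_loopback(attrs.get("client_address", "")):
        if attrs.get("helo_name", "").lower() != "localhost":
            return REJECT
    return "dunno"


def serve(stdin=sys.stdin, stdout=sys.stdout):
    """Answer requests until Postfix closes the connection."""
    request = []
    for raw in stdin:
        line = raw.rstrip("\n")
        if line:
            request.append(line)
            continue
        # Blank line ends the request; reply is "action=..." plus a blank line.
        stdout.write("action=" + decide(parse_request(request)) + "\n\n")
        stdout.flush()
        request = []


if __name__ == "__main__":
    serve()
```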
