On 2021-12-21 at 09:38:23 UTC-0500 (Tue, 21 Dec 2021 14:38:23 +0000)
White, Daniel E. (GSFC-770.0)[NICS] <daniel.e.wh...@nasa.gov>
is rumored to have said:

How do I stop junk like…

HELO example.com

… without having to create a huge "check_helo_access" table?

smtpd_{helo,sender,recipient,relay}_restrictions = [...], check_helo_access pcre:/etc/postfix/helo_checks [...], check_helo_{a,mx,ns}_access pcre:/etc/postfix/shit{a,mx,ns} [...], reject_invalid_helo_hostname, [...]

(Ellipses may contain whatever other restrictions you use in the particular list in the proper order for your priorities...)

Where helo_checks contains exemptions of well-meaning idiots with DUNNO and REJECT for patterns of technically valid HELO names (i.e. legal hostnames) which are always wrong (e.g. example.com, .*\.local, etc.). You can also use reject_non_fqdn_helo_hostname or reject_unknown_helo_hostname if you are willing to accept their false positives and exempt refractory legit sites accordingly. The check_helo_{a,mx,ns}_access restrictions are more arcane, but are useful if you see enough spam to identify relevant patterns. If you can use an external reputation source in DNSBL form like URIBL or the Spamhaus DBL, reject_rhsbl_helo also exists.

It is MUCH easier to apply over-strong reject_*_helo_hostname rules with a preceding exemption list used with check_helo_access than it is to build up your own comprehensive targeted blocking list.

--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
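
A concrete layout of the setup described in the reply above, added here as an example and not taken from the original post: a main.cf fragment plus a small helo_checks pcre table. The exempted hostname, the reject texts, the use of permit_mynetworks and the choice of smtpd_helo_restrictions as the list are assumptions of this example.

```conf
# --- /etc/postfix/main.cf (fragment) ---
# Without this a client can skip HELO/EHLO and so avoid the HELO checks.
smtpd_helo_required = yes

# permit_mynetworks is an assumption of this example, not part of the post.
smtpd_helo_restrictions =
    permit_mynetworks,
    check_helo_access pcre:/etc/postfix/helo_checks,
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname

# --- /etc/postfix/helo_checks (pcre table, first matching line wins) ---
# Exemptions go first. DUNNO stops the search in this table and hands the
# client on to the next restriction in the list above.
# Constructed placeholder for a known legitimate sender with a bad HELO name:
/^mail\.branch-office\.local$/    DUNNO

# Legal hostnames that are never a real remote client's name.
/^example\.com$/                  REJECT HELO name example.com is not yours
/\.local$/                        REJECT HELO names under .local are not accepted

# Check a name against the table before reloading Postfix:
#   postmap -q example.com pcre:/etc/postfix/helo_checks
```

Because the table is evaluated top to bottom, moving the DUNNO line below the `/\.local$/` pattern would cause the exempted host to be rejected.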
