On Mon, Apr 25, 2022 at 08:57:01PM -0700, Greg Earle wrote:

> [root@isolar tmp]# postconf -Px |grep check_helo_access
> submission/inet/mua_helo_restrictions = permit_mynetworks, 
> reject_non_fqdn_hostname, reject_non_fqdn_sender, 
> reject_non_fqdn_recipient, reject_invalid_hostname, check_helo_access 
> regexp:/etc/postfix/helo.regexp, reject_invalid_helo_hostname, 
> reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname, permit
> 
> submission/inet/smtpd_helo_restrictions = permit_mynetworks, 
> reject_non_fqdn_hostname, reject_non_fqdn_sender, 
> reject_non_fqdn_recipient, reject_invalid_hostname, check_helo_access 
> regexp:/etc/postfix/helo.regexp, reject_invalid_helo_hostname, 
> reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname, permit
> 
> smtps/inet/mua_helo_restrictions = permit_mynetworks, 
> reject_non_fqdn_hostname, reject_non_fqdn_sender, 
> reject_non_fqdn_recipient, reject_invalid_hostname, check_helo_access 
> regexp:/etc/postfix/helo.regexp, reject_invalid_helo_hostname, 
> reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname, permit
> 
> smtps/inet/smtpd_helo_restrictions = permit_mynetworks, 
> reject_non_fqdn_hostname, reject_non_fqdn_sender, 
> reject_non_fqdn_recipient, reject_invalid_hostname, check_helo_access 
> regexp:/etc/postfix/helo.regexp, reject_invalid_helo_hostname, 
> reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname, permit

The above are submission (ports 465 and 587) services, which handle
outbound mail from your users.  But the spammers are sending inbound
mail on port 25.

Your restrictions are a poor choice for submission, where you generally
would allow all authenticated clients, and reject all else.  I have
(reordered for clarity):

    $ postconf -Px submission/inet
    submission/inet/syslog_name = postfix/submission
    submission/inet/smtpd_tls_security_level = encrypt
    submission/inet/smtpd_sasl_auth_enable = yes
    submission/inet/smtpd_client_restrictions =
    submission/inet/smtpd_helo_restrictions =
    submission/inet/smtpd_sender_restrictions =
    submission/inet/smtpd_relay_restrictions = permit_sasl_authenticated,reject
    submission/inet/smtpd_recipient_restrictions =
    submission/inet/smtpd_data_restrictions =
    submission/inet/smtpd_end_of_data_restrictions =
    submission/inet/smtpd_milters =

-- 
    Viktor.
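
The following is an added example, not part of the original message or of Postfix itself: a small Python check that reads `postconf -Px` output and flags submission-type services that depart from the "authenticated clients only, reject all else" policy described above. The sample input is constructed, and the function names and the choice of `submission/inet` and `smtps/inet` as the services to audit are assumptions.

```python
from collections import defaultdict
import re

# Constructed `postconf -Px` output for illustration (one parameter per line).
SAMPLE = """\
submission/inet/smtpd_sasl_auth_enable = yes
submission/inet/smtpd_helo_restrictions =
submission/inet/smtpd_relay_restrictions = permit_sasl_authenticated,reject
smtps/inet/smtpd_helo_restrictions = permit_mynetworks, check_helo_access regexp:/etc/postfix/helo.regexp, permit
"""

def parse_overrides(text):
    """Map 'service/type' -> {parameter: value} from `postconf -Px` lines."""
    services = defaultdict(dict)
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        parts = key.strip().split("/")
        if sep and len(parts) == 3:
            services["/".join(parts[:2])][parts[2]] = value.strip()
    return dict(services)

def audit_submission(params):
    """Return findings for one submission-type service's master.cf overrides."""
    findings = []
    if params.get("smtpd_sasl_auth_enable") != "yes":
        findings.append("SASL authentication is not enabled by a master.cf override")
    relay = params.get("smtpd_relay_restrictions")
    if relay is None:
        # -Px lists only master.cf overrides, so main.cf decides here.
        findings.append("smtpd_relay_restrictions not overridden; main.cf value applies")
    else:
        tokens = [t for t in re.split(r"[,\s]+", relay) if t]
        if "permit_sasl_authenticated" not in tokens or tokens[-1:] != ["reject"]:
            findings.append("relay restrictions do not end in 'permit_sasl_authenticated ... reject'")
    if "check_helo_access" in params.get("smtpd_helo_restrictions", ""):
        findings.append("check_helo_access here does not filter inbound port 25 mail")
    return findings

def audit(text, services=("submission/inet", "smtps/inet")):
    """Audit each named service; services with no overrides get an empty dict."""
    overrides = parse_overrides(text)
    return {s: audit_submission(overrides.get(s, {})) for s in services}

if __name__ == "__main__":
    for service, findings in audit(SAMPLE).items():
        print(service, "OK" if not findings else findings)
```
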
