-----Mensaje original----- De: owner-postfix-us...@postfix.org En nombre de Bill Cole Enviado el: martes, 28 de febrero de 2023 15:43 Para: Postfix users <postfix-users@postfix.org> Asunto: Re: Helo reject working?
On 2023-02-28 at 06:00:39 UTC-0500 (Tue, 28 Feb 2023 12:00:39 +0100) Jaroslaw Rafa <r...@rafa.eu.org> is rumored to have said: > Dnia 28.02.2023 o godz. 10:03:23 Alberto pisze: >> >> I see that almost all attacks do not have a valid FQDN, so I have set >> the "reject_non_fqdn_helo_hostname" directive in >> "smtpd_helo_restrictions" >> directive, which I see is in a previous phase, to reject it >> beforehand. >> >> However, it has no effect. The attacks continue to occur in the same >> way, and are rejected at the same point. >> >> >> >> Can you explain to me, why this happens? > > Because the default setting in Postfix is smtpd_delay_reject=yes . > > That means that all restrictions are evaluated at RCPT TO stage, so > you > cannot cause a reject earlier. Except, as in this case, when the would-be sender tries an unsupported command, e.g. AUTH. It's really not feasible to postpone rejection in those cases. +1 I've changed "smtp_delay_reject" directive to "no", because there are too many connections with this approach. All of them are attacks, and I don't want lose time or resources waiting to give an error in the following phase. I want to reject with this error. Thank you so much
