-----Original Message-----
From: owner-postfix-us...@postfix.org On Behalf Of Alberto
Sent: Thursday, March 2, 2023 16:11
To: 'Postfix users' <postfix-users@postfix.org>
Subject: RE: Helo reject working?

-----Original Message-----
From: owner-postfix-us...@postfix.org On Behalf Of Wietse Venema
Sent: Thursday, March 2, 2023 15:50
To: Postfix users <postfix-users@postfix.org>
CC: 'Postfix users' <postfix-users@postfix.org>; u...@porcupine.org
Subject: Re: Helo reject working?

Alberto:
> Except, as in this case, when the would-be sender tries an unsupported 
> command, e.g. AUTH. It's really not feasible to postpone rejection in 
> those cases.
> 
> 
> +1
> I've changed "smtp_delay_reject" directive to "no", because there are 
> too many connections with this approach.
> All of them are attacks, and I don't want to lose time or resources 
> waiting to give an error in the following phase.
> 
> I want to reject with this error.

Some legitimate senders are mis-configured, so it would be good to always
know the sender and recipient of blocked mail.

If you want to block clients without wasting Postfix SMTP server resources,
consider turning on postscreen. With this, many spambots don't even get to
talk to a Postfix SMTP server process.

https://www.postfix.org/POSTSCREEN_README.html

This will log sender and recipient information.

Postscreen relies on DNS reputation services. You would need to configure
your resolv.conf to use your own resolver, not a public one.

        Wietse



Thank you Wietse, I already have Postscreen, and it blocks many attacks,
however, there are still a large amount that pass, and are managed by
Postfix, having as common approach, an incorrect hostname in the "helo".

Many senders are mis-configured, it's true, perhaps I'll set to "yes" again,
some time.

Best Regards,




In addition, I have configured PostScreen with the following RBLs and
weights:

postscreen_dnsbl_threshold = 6
postscreen_dnsbl_whitelist_threshold = -2
postscreen_dnsbl_sites =
    swl.spamhaus.org*-4
    list.dnswl.org=127.[0..255].[0..255].0*-2
    list.dnswl.org=127.[0..255].[0..255].1*-4
    list.dnswl.org=127.[0..255].[0..255].[2..255]*-6
    zen.spamhaus.org*3
    bl.spamcop.net*2

however, they pass the PostScreen filter...
...
Mar  2 13:02:41 MyServer postfix-in/dnsblog[13033]: addr 182.204.182.238 listed by domain zen.spamhaus.org as 127.0.0.11
Mar  2 13:02:41 MyServer postfix-in/dnsblog[13033]: addr 182.204.182.238 listed by domain zen.spamhaus.org as 127.0.0.3
Mar  2 13:02:41 MyServer postfix-in/dnsblog[13033]: addr 182.204.182.238 listed by domain zen.spamhaus.org as 127.0.0.2
Mar  2 13:02:47 MyServer postfix-in/postscreen[13029]: PASS NEW [182.204.182.238]:60293
Mar  2 13:02:48 MyServer postfix-in/smtpd[13038]: connect from unknown[182.204.182.238]
Mar  2 13:02:49 MyServer postfix-in/smtpd[13038]: NOQUEUE: reject: EHLO from unknown[182.204.182.238]: 504 5.5.2 <ROTbB3nx>: Helo command rejected: need fully-qualified hostname; proto=SMTP helo=<ROTbB3nx>
...

 In these cases... Shouldn't they be rejected for this reason?

 and are rejected by Postfix, and the aforementioned "helo" directive

Regards,
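
An added example, not part of any message in this thread: a Python sketch of how postscreen scores the dnsblog replies above against the posted postscreen_dnsbl_sites, following the postconf(5) rule that one entry's weight is applied at most once however many replies it produces. The function names are hypothetical, and the filter matching assumes four-octet patterns with `[a;b..c]` lists like those in the post.

```python
import re

THRESHOLD = 6  # postscreen_dnsbl_threshold from the post
SITES = """swl.spamhaus.org*-4
list.dnswl.org=127.[0..255].[0..255].0*-2
list.dnswl.org=127.[0..255].[0..255].1*-4
list.dnswl.org=127.[0..255].[0..255].[2..255]*-6
zen.spamhaus.org*3
bl.spamcop.net*2"""
# dnsblog lines from the post, each rejoined onto one line
LOG = """Mar  2 13:02:41 MyServer postfix-in/dnsblog[13033]: addr 182.204.182.238 listed by domain zen.spamhaus.org as 127.0.0.11
Mar  2 13:02:41 MyServer postfix-in/dnsblog[13033]: addr 182.204.182.238 listed by domain zen.spamhaus.org as 127.0.0.3
Mar  2 13:02:41 MyServer postfix-in/dnsblog[13033]: addr 182.204.182.238 listed by domain zen.spamhaus.org as 127.0.0.2"""

def parse_site(entry):
    """Split 'domain[=filter][*weight]'; the weight defaults to 1."""
    domain, flt, weight = re.fullmatch(
        r"([^=*\s]+)(?:=([^*\s]+))?(?:\*(-?\d+))?", entry).groups()
    return domain, flt, int(weight) if weight else 1

def octet_ok(pattern, octet):
    """Match one reply octet against 'N' or a '[a;b..c]' list."""
    if not pattern.startswith("["):
        return pattern == octet
    for item in pattern[1:-1].split(";"):
        lo, _, hi = item.partition("..")
        if int(lo) <= int(octet) <= int(hi or lo):
            return True
    return False

def reply_matches(flt, reply):
    """No filter: any reply counts. Otherwise every octet must match."""
    if flt is None:
        return True
    parts = re.findall(r"\[[^\]]*\]|\d+", flt)
    return all(octet_ok(p, o) for p, o in zip(parts, reply.split(".")))

def dnsbl_score(client, sites=SITES, log=LOG):
    replies = {}
    for addr, domain, reply in re.findall(
            r"addr (\S+) listed by domain (\S+) as (\S+)", log):
        if addr == client:
            replies.setdefault(domain, set()).add(reply)
    score = 0
    for entry in sites.split():
        domain, flt, weight = parse_site(entry)
        # One entry adds its weight at most once, however many replies match.
        if any(reply_matches(flt, r) for r in replies.get(domain, ())):
            score += weight
    return score
```

For 182.204.182.238 the three zen.spamhaus.org replies add the weight 3 once, which is below postscreen_dnsbl_threshold = 6, so postscreen logs PASS NEW and the HELO restriction in smtpd is what rejects the client.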



