Hi, [apologies for turning SA-Talk into a chapter of "Postfix Configuration For Dummies"...]

On Fri, 27 Jun 2003, Ralf Hildebrandt wrote:
> * Bob Apthorpe <[EMAIL PROTECTED]>:
> > reject_unknown_hostname drops connections from machines without DNS A or
> > MX record (twitchy)
>
> No. This rejects mail from machines that use a non-resolving hostname
> as argument to the EHLO/HELO.

Rather, no rDNS (PTR)?

> > hash:$config_directory/ffd_source ostensibly does some sanity checks on
> > mail purporting to come from freemail services (a hack I picked up on
> > SPAM-L)
>
> What's in there?

Remember, I didn't write this and I'm only vaguely aware of what it does. A simple explanation would help, else I need to go back to the Postfix book & docs and suss it out for myself, eventually.

Anyway, in /etc/postfix/main.cf we find:

smtpd_sender_restrictions = permit_mynetworks,
    hash:/etc/postfix/access,
    reject_unknown_address,
    reject_non_fqdn_sender,
    hash:$config_directory/ffd_source

smtpd_restriction_classes = from_ffd_host
from_ffd_host = check_client_access hash:$config_directory/ffd_allowed_hosts,
    reject

/etc/postfix/ffd_source contains:

# Frequently Forged Domains.
#
# Only accept mail claiming to be from these domains (based on HELO and/or
# SENDER DOMAIN) when the client is within a domain listed in the map
# ffd_allowed_hosts.
#
# Technically, these can be forged amongst themselves, but we do not
# expect hotmail servers to claim to be aol.com senders. (hotmail and msn
# are interchangeable, though.) If the client we are connected to is not
# in one of these domains, reject the mail.
yahoo.com from_ffd_host
aol.com from_ffd_host
hotmail.com from_ffd_host
msn.com from_ffd_host
# __END__

/etc/postfix/ffd_allowed_hosts contains:

# See commentary in ffd_source.
aol.com OK
msn.com OK
hotmail.com OK
yahoo.com OK
# citysearch does evite sending
citysearch.com OK
# maybe add forwarding services like acm.org or pobox.com to this list.
# __END__

> > and hash:$config_directory/moron_bypass allegedly whitelists
> > connections from borked-but-borked servers. I'm not sure if it works.
>
> It should. Note that it only whitelists by the HELO/EHLO argument.
> E.g. if a host uses
> wrong_syntax.domain.com
> as HELO, then whitelisting would be done using
>
> wrong_syntax.domain.com OK

Hrm, things may be broken (still learning how to do access control with hashes, etc.)

/etc/postfix/moron_bypass contains:

# Temporary bypass for legit but ill-mannered hosts
# [EMAIL PROTECTED], please fix your mailer
2note1 OK
# Hotmail dimbulbs
65.54.251.13 OK
mc5-s4.law1.hotmail.com OK
# Los Bastardos
# *.client.attbi.net
# __END__

The intent is to pass through the following:

Jun 13 16:58:23 soyokaze postfix/smtpd[28302]: reject: RCPT from unknown[65.54.251.13]: 450 <mc5-s4.law1.hotmail.com>: Helo command rejected: Host not found; from=<> to=<[EMAIL PROTECTED]>

Jun 25 22:10:29 soyokaze postfix/smtpd[14120]: reject: RCPT from cs9356-145.austin.rr.com[24.93.56.145]: 504 <2note1>: Helo command rejected: need fully-qualified hostname; from=<[EMAIL PROTECTED]> to=<[EMAIL PROTECTED]>

Ignore the client*.attbi.net stuff; that traffic should be dropped elsewhere (TBD.)

This is all from a rusty version of Postfix ('rpm -qa | egrep postfix' -> postfix-20010228pl03-9)

hth,

-- Bob

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
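
[Added example, not part of the original message or of Postfix: a simplified Python model of the ffd_source / ffd_allowed_hosts lookup chain quoted above, run against constructed sender/client pairs. It assumes parent-domain matching for both maps, uses "unknown" as the client name when there is no PTR record (as in the first log line), and ignores the client-IP lookups that check_client_access also performs.]

```python
# Maps copied from the message above.
FFD_SOURCE = {  # sender domain -> restriction class
    "yahoo.com": "from_ffd_host", "aol.com": "from_ffd_host",
    "hotmail.com": "from_ffd_host", "msn.com": "from_ffd_host",
}
FFD_ALLOWED_HOSTS = {  # client domain -> action
    "aol.com": "OK", "msn.com": "OK", "hotmail.com": "OK",
    "yahoo.com": "OK", "citysearch.com": "OK",
}

def domain_keys(name):
    """Yield the name itself, then each parent domain (assumed matching order)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])

def lookup(table, name):
    """Return the value of the first matching key, or None."""
    for key in domain_keys(name):
        if key in table:
            return table[key]
    return None

def ffd_check(sender, client_hostname):
    """Return 'OK', 'REJECT', or 'DUNNO' (no opinion, later rules decide)."""
    domain = sender.rpartition("@")[2]
    if not domain or lookup(FFD_SOURCE, domain) != "from_ffd_host":
        return "DUNNO"  # null sender or a domain not in ffd_source
    # from_ffd_host = check_client_access ffd_allowed_hosts, reject
    if lookup(FFD_ALLOWED_HOSTS, client_hostname) == "OK":
        return "OK"
    return "REJECT"

# Constructed sender/client pairs; hostnames reuse those in the log lines above.
SAMPLES = [
    ("someone@hotmail.com", "mc5-s4.law1.hotmail.com"),   # genuine-looking
    ("someone@hotmail.com", "cs9356-145.austin.rr.com"),  # forged sender
    ("someone@hotmail.com", "unknown"),                   # client has no PTR
    ("someone@aol.com", "mc5-s4.law1.hotmail.com"),       # cross-domain forgery
    ("", "unknown"),                                      # bounce, from=<>
]

if __name__ == "__main__":
    for sender, client in SAMPLES:
        print(f"{sender or '<>':24} {client:28} {ffd_check(sender, client)}")
```

[The third and fourth samples show the two limits of the scheme: a listed provider's host without reverse DNS is rejected, and forgery between listed domains passes, as the ffd_source comment itself notes.]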