anti spam measures
in [Postfix]
|
Prev: Quotes with Dovecot+Ldap
Next: 3000 recipients
From: Sahil Tandon on 4 Jan 2010 20:37 On Mon, 04 Jan 2010, Steve wrote: > > > > I think that mostly it was HELO response verification that did it. > > > > BTW, is there a reason not block emails with incorrect HELO response? > > > > > > > None really, unless you need to accept mail from misconfigured > > > servers. (We do.) > > > > > Most of do (I would guess). > > > Stupid me. To fast typing: > Most of us do (I would guess). Indeed. This is why macho declarations like "we don't accept mail from misconfigured servers" are misguided. -- Sahil Tandon <sahil(a)tandon.net>
From: Thomas Harold on 5 Jan 2010 06:51
On 1/4/2010 5:40 PM, Roman Gelfand wrote: > Well, it looks like, perhaps, I found the missing link. After adding > s25r rules and HELO response verification in main.cf, no spam has > siped through. > > I think that mostly it was HELO response verification that did it. > BTW, is there a reason not block emails with incorrect HELO response? > Maybe... reject_invalid_helo_hostname http://www.postfix.org/postconf.5.html#reject_invalid_helo_hostname Is very safe, the sending system would have to really screw up their configuration in order to fall afoul of this rule. You're going to see a small handful every month. reject_non_fqdn_helo_hostname http://www.postfix.org/postconf.5.html#reject_non_fqdn_helo_hostname Since the HELO name is supposed to be a FQDN according to the RFCs, this one is also fairly safe. We see hundreds of thousands of hits on this rule every month - mostly from botnets with random 8-letter HELOs or systems that introduce themselves as "localhost". I've never seen a false positive complaint due to this check. reject_unknown_helo_hostname http://www.postfix.org/postconf.5.html#reject_unknown_helo_hostname http://tools.ietf.org/html/rfc5321#section-2.3.5 Reject the request when the HELO or EHLO hostname has no DNS A or MX record. While the RFC does require that the HELO name resolve back to a DNS record, it seems like the majority of Microsoft Exchange admins don't understand that rule. See RFC5321 section 2.3.5 where the first bullet point explains this "MUST". By default, Postfix responds with a 450 on this one. If you decide to change that to a 5xx (like 550) then make sure you're using Postfix 2.6 or later to avoid issues with temporary DNS errors. Postfix 2.6 added the unknown_helo_hostname_tempfail_action variable (default is defer_if_permit). This rule will cause you the most headaches. You will need to be prepared to whitelist misconfigured mail servers. The false-positive rate in my experience is between 1:1000 and 1:5000. Just high enough to be annoying. We had to whitelist a few dozen sites when we first implemented the check, now it's one site about every month. If I could change one thing in Postfix - it would be that this check would give a more descriptive error then simply "Host not found". |