[Samba] Helo Checks not always working?
L.P.H. van Belle
belle at bazuin.nl
Thu Jan 7 13:50:32 UTC 2016
All i have is :
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
I disabled the unknown restriction due to lots of customers of me are missing PTR records, which needs to be set bij the internet provider.
So they got blocked, i had to remove these.
The Helo check is often on the IT department can adjust them selfs.
And most spammers have incorrect helo’s also.
Greetz,
Louis
Van: Thomas Nagel [mailto:tn-postfix at saarcube.de]
Verzonden: donderdag 7 januari 2016 14:40
Aan: L.P.H. van Belle
Onderwerp: Re: Helo Checks not always working?
Hi,
thank you - that makes a lot of sense - but you can't tell from the logfile ...
is it ok to put in these or is it breaking something? I would think that I need at least permit_mynetworks & permit_sasl_authenticated in the smtpd_client_restrictions or do these permits permit and therby skip all other checks? Like smtpd_recipient and smtpd_sender?
Thanks,
Thomas.
Am 07.01.2016 um 14:35 schrieb L.P.H. van Belle:
These are 2 different things.
Unknow hostname is a missing PTR record
For that you can use :
smtpd_client_restrictions = ...
"unknown" is also the name in the case of a temporary dns lookup failure. so using 5xx for all "unknown" is not a good idea.
# reject_unknown_client_hostname: requires that the address->name and name->address mappings exist, but also that the two mappings reproduce the client IP address
# reject_unknown_reverse_client_hostname: Reject the request when the client IP address has no address->name mapping. This is a weaker restriction than the reject_unknown_client_hostname
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: tn-postfix at saarcube.de [mailto:owner-postfix-users at postfix.org]
> Namens Thomas Nagel
> Verzonden: donderdag 7 januari 2016 14:18
> Aan: Postfix users
> Onderwerp: Helo Checks not always working?
>
> Hello,
>
> we encountered a strange behaviour.
>
> We enabled smtp_helo_restrictions:
>
> smtpd_helo_required = yes
>
> smtpd_helo_restrictions =
> permit_mynetworks,
> permit_sasl_authenticated,
> reject_unlisted_recipient,
> # check_client_access hash:/etc/postfix/
> check_helo_access hash:/etc/postfix/check_helo_access
> reject_invalid_helo_hostname
> reject_non_fqdn_helo_hostname
> reject_unknown_helo_hostname
>
> unknown_hostname_reject_code = 550
>
> in the "check_helo_access" map there are only certain senders with their
> special invalid HELOs whitelisted, but no "unknown" or the mentioned IP
> adress.
>
> Most of the time connectors with invalid DNS Records are blocked like
> this:
>
>
> Jan 3 06:36:21 server postfix/smtpd[23338]: connect from
> unknown[190.11.55.217]
> Jan 3 06:36:22 server postfix/smtpd[23338]: NOQUEUE: reject: RCPT from
> unknown[190.11.55.217]: 504 5.5.2 <190.11.55.217>: Helo command
> rejected: need fully-qualified hostname; from=<>
> to=<example at example.com> proto=SMTP helo=<190.11.55.217>
>
> - but sometimes we see this:
>
> Jan 5 16:43:30 server postfix/smtpd[13577]: connect from
> unknown[195.22.126.188]
> Jan 5 16:43:30 server postgrey[2604]: action=pass, reason=recipient
> whitelist, client_name=unknown, client_address=195.22.126.188,
> sender=info at gmail.com, recipient=info at example.com
> Jan 5 16:43:30 server postfix/smtpd[13577]: B064010A1B5E:
> client=unknown[195.22.126.188]
> Jan 5 16:43:30 server postfix/cleanup[13133]: B064010A1B5E:
> message-id=<20160105094329.FAB7FFC87CC25243 at gmail.com>
> Jan 5 16:43:30 server postfix/qmgr[4924]: B064010A1B5E:
> from=<info at gmail.com>, size=2536, nrcpt=1 (queue active)
> Jan 5 16:43:30 server postfix/smtpd[13577]: disconnect from
> unknown[195.22.126.188]
>
> Shouldn't this be blocked when the helo restrictions are applied? So the
> mail shouldn't actually be passed on?
>
> Thanks,
>
> Thomas.
More information about the samba
mailing list