[Samba] Helo Checks not always working?

Rowland penny rpenny at samba.org
Thu Jan 7 13:59:36 UTC 2016 

On 07/01/16 13:50, L.P.H. van Belle wrote:
> All i have is :
>
> smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
>
>   
>
> I disabled the unknown restriction due to lots of customers of me are missing PTR records, which needs to be set bij the internet provider.
>
> So they got blocked, i had to remove these.
>
>   
>
> The Helo check is often on the IT department can adjust them selfs.
>
> And most spammers have incorrect helo’s also.
>
>   
>
>   
>
> Greetz,
>
>   
>
> Louis
>
>   
>
>   
>
>
> Van: Thomas Nagel [mailto:tn-postfix at saarcube.de]
> Verzonden: donderdag 7 januari 2016 14:40
> Aan: L.P.H. van Belle
> Onderwerp: Re: Helo Checks not always working?
>
>
>   
>
> Hi,
>
> thank you - that makes a lot of sense - but you can't tell from the logfile ...
>
> is it ok to put in these or is it breaking something? I would think that I need at least permit_mynetworks & permit_sasl_authenticated in the smtpd_client_restrictions or do these permits permit and therby skip all other checks? Like smtpd_recipient and smtpd_sender?
>
> Thanks,
>
> Thomas.
>
>
> Am 07.01.2016 um 14:35 schrieb L.P.H. van Belle:
>
>
> These are 2 different things.
>
>   
>
> Unknow hostname is a missing PTR record
>
>   
>
> For that you can use :
>
> smtpd_client_restrictions = ...
>
>   
>
> "unknown" is also the name in the case of a temporary dns lookup failure. so using 5xx for all "unknown" is not a good idea.
>
>   
>
> # reject_unknown_client_hostname: requires that the address->name and name->address mappings exist, but also that the two mappings reproduce the client IP address
>
> # reject_unknown_reverse_client_hostname: Reject the request when the client IP address has no address->name mapping. This is a weaker restriction than the reject_unknown_client_hostname
>
>   
>
>   
>
> Greetz,
>
>   
>
> Louis
>
>   
>
>   
>
>   
>
>> -----Oorspronkelijk bericht-----
>> Van: tn-postfix at saarcube.de [mailto:owner-postfix-users at postfix.org]
>> Namens Thomas Nagel
>> Verzonden: donderdag 7 januari 2016 14:18
>> Aan: Postfix users
>> Onderwerp: Helo Checks not always working?
>> Hello,
>> we encountered a strange behaviour.
>> We enabled smtp_helo_restrictions:
>> smtpd_helo_required = yes
>> smtpd_helo_restrictions =
>>     permit_mynetworks,
>>     permit_sasl_authenticated,
>>     reject_unlisted_recipient,
>> # check_client_access hash:/etc/postfix/
>>     check_helo_access hash:/etc/postfix/check_helo_access
>>     reject_invalid_helo_hostname
>>     reject_non_fqdn_helo_hostname
>>     reject_unknown_helo_hostname
>> unknown_hostname_reject_code = 550
>> in the "check_helo_access" map there are only certain senders with their
>> special invalid HELOs whitelisted, but no "unknown" or the mentioned IP
>> adress.
>> Most of the time connectors with invalid DNS Records are blocked like
>> this:
>> Jan  3 06:36:21 server postfix/smtpd[23338]: connect from
>> unknown[190.11.55.217]
>> Jan  3 06:36:22 server postfix/smtpd[23338]: NOQUEUE: reject: RCPT from
>> unknown[190.11.55.217]: 504 5.5.2 <190.11.55.217>: Helo command
>> rejected: need fully-qualified hostname; from=<>
>> to=<example at example.com> proto=SMTP helo=<190.11.55.217>
>> - but sometimes we see this:
>> Jan  5 16:43:30 server postfix/smtpd[13577]: connect from
>> unknown[195.22.126.188]
>> Jan  5 16:43:30 server postgrey[2604]: action=pass, reason=recipient
>> whitelist, client_name=unknown, client_address=195.22.126.188,
>> sender=info at gmail.com, recipient=info at example.com
>> Jan  5 16:43:30 server postfix/smtpd[13577]: B064010A1B5E:
>> client=unknown[195.22.126.188]
>> Jan  5 16:43:30 server postfix/cleanup[13133]: B064010A1B5E:
>> message-id=<20160105094329.FAB7FFC87CC25243 at gmail.com>
>> Jan  5 16:43:30 server postfix/qmgr[4924]: B064010A1B5E:
>> from=<info at gmail.com>, size=2536, nrcpt=1 (queue active)
>> Jan  5 16:43:30 server postfix/smtpd[13577]: disconnect from
>> unknown[195.22.126.188]
>> Shouldn't this be blocked when the helo restrictions are applied? So the
>> mail shouldn't actually be passed on?
>> Thanks,
>> Thomas.
>   
>
>   
>
>

Hi Louis, You really must stop using outlook, this isn't the postfix 
mailing list :-D :-D :-D

Rowland

More information about the samba mailing list