[Samba] Helo Checks not always working?

L.P.H. van Belle belle at bazuin.nl
Thu Jan 7 14:03:46 UTC 2016


Yes!! You're totally right..

When I make it, it's gone within 1 month; the new mail setup is ready and tested, only the migration to do ...
But first snowboarding again next week..  :-))

Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland penny
> Sent: Thursday 7 January 2016 15:00
> To: samba at lists.samba.org
> Subject: Re: [Samba] Helo Checks not always working?
> 
> On 07/01/16 13:50, L.P.H. van Belle wrote:
> > All I have is:
> >
> > smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
> >
> > I disabled the unknown restriction because lots of my customers are
> > missing PTR records, which need to be set by the internet provider.
> >
> > So they got blocked, I had to remove these.
> >
> > The Helo check is often one the IT department can adjust themselves.
> >
> > And most spammers have incorrect helo’s also.
> >
> > Greetz,
> >
> > Louis
> >
> > From: Thomas Nagel [mailto:tn-postfix at saarcube.de]
> > Sent: Thursday 7 January 2016 14:40
> > To: L.P.H. van Belle
> > Subject: Re: Helo Checks not always working?
> >
> >
> >
> >
> > Hi,
> >
> > thank you - that makes a lot of sense - but you can't tell from the
> > logfile ...
> >
> > is it ok to put in these or is it breaking something? I would think that
> > I need at least permit_mynetworks & permit_sasl_authenticated in the
> > smtpd_client_restrictions or do these permits permit and thereby skip all
> > other checks? Like smtpd_recipient and smtpd_sender?
> >
> > Thanks,
> >
> > Thomas.
> >
> >
> > On 07.01.2016 at 14:35, L.P.H. van Belle wrote:
> >
> >
> > These are 2 different things.
> >
> > Unknown hostname is a missing PTR record.
> >
> > For that you can use:
> >
> > smtpd_client_restrictions = ...
> >
> > "unknown" is also the name in the case of a temporary DNS lookup
> > failure, so using 5xx for all "unknown" is not a good idea.
> >
> > # reject_unknown_client_hostname: requires that the address->name and
> > name->address mappings exist, but also that the two mappings reproduce the
> > client IP address
> >
> > # reject_unknown_reverse_client_hostname: Reject the request when the
> > client IP address has no address->name mapping. This is a weaker
> > restriction than the reject_unknown_client_hostname
> >
> >
> >
> >
> >
> > Greetz,
> >
> >
> >
> > Louis
> >
> >
> >
> >
> >
> >
> >
> >> -----Original message-----
> >> From: tn-postfix at saarcube.de [mailto:owner-postfix-users at postfix.org]
> >> On behalf of Thomas Nagel
> >> Sent: Thursday 7 January 2016 14:18
> >> To: Postfix users
> >> Subject: Helo Checks not always working?
> >> Hello,
> >> we encountered a strange behaviour.
> >> We enabled smtp_helo_restrictions:
> >> smtpd_helo_required = yes
> >> smtpd_helo_restrictions =
> >>     permit_mynetworks,
> >>     permit_sasl_authenticated,
> >>     reject_unlisted_recipient,
> >> # check_client_access hash:/etc/postfix/
> >>     check_helo_access hash:/etc/postfix/check_helo_access
> >>     reject_invalid_helo_hostname
> >>     reject_non_fqdn_helo_hostname
> >>     reject_unknown_helo_hostname
> >> unknown_hostname_reject_code = 550
> >> In the "check_helo_access" map there are only certain senders with their
> >> special invalid HELOs whitelisted, but no "unknown" or the mentioned IP
> >> address.
> >> Most of the time connectors with invalid DNS Records are blocked like
> >> this:
> >> Jan  3 06:36:21 server postfix/smtpd[23338]: connect from
> >> unknown[190.11.55.217]
> >> Jan  3 06:36:22 server postfix/smtpd[23338]: NOQUEUE: reject: RCPT from
> >> unknown[190.11.55.217]: 504 5.5.2 <190.11.55.217>: Helo command
> >> rejected: need fully-qualified hostname; from=<>
> >> to=<example at example.com> proto=SMTP helo=<190.11.55.217>
> >> - but sometimes we see this:
> >> Jan  5 16:43:30 server postfix/smtpd[13577]: connect from
> >> unknown[195.22.126.188]
> >> Jan  5 16:43:30 server postgrey[2604]: action=pass, reason=recipient
> >> whitelist, client_name=unknown, client_address=195.22.126.188,
> >> sender=info at gmail.com, recipient=info at example.com
> >> Jan  5 16:43:30 server postfix/smtpd[13577]: B064010A1B5E:
> >> client=unknown[195.22.126.188]
> >> Jan  5 16:43:30 server postfix/cleanup[13133]: B064010A1B5E:
> >> message-id=<20160105094329.FAB7FFC87CC25243 at gmail.com>
> >> Jan  5 16:43:30 server postfix/qmgr[4924]: B064010A1B5E:
> >> from=<info at gmail.com>, size=2536, nrcpt=1 (queue active)
> >> Jan  5 16:43:30 server postfix/smtpd[13577]: disconnect from
> >> unknown[195.22.126.188]
> >> Shouldn't this be blocked when the helo restrictions are applied? So the
> >> mail shouldn't actually be passed on?
> >> Thanks,
> >> Thomas.
> >
> >
> >
> >
> >
> 
> Hi Louis, You really must stop using outlook, this isn't the postfix
> mailing list :-D :-D :-D
> 
> Rowland
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
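
The difference between the two client-hostname restrictions quoted in this thread, and the reason a temporary DNS failure should not produce a 5xx, can be shown with a small model. This is an added example, not part of the original thread and not Postfix code; the DNS data is constructed, and the name `evaluate` and its return values are assumptions made for illustration.

```python
# Added example: simplified model of two Postfix client-hostname restrictions.
# All DNS data is constructed (documentation address ranges).
OK, NOT_FOUND, TEMPFAIL = "ok", "not found", "temporary failure"

# address->name (PTR) results per client IP
PTR = {
    "192.0.2.10": (OK, "mail.example.net"),   # PTR and A agree
    "192.0.2.20": (OK, "host.example.org"),   # A record points elsewhere
    "192.0.2.30": (NOT_FOUND, None),          # no PTR: logged as "unknown"
    "192.0.2.40": (TEMPFAIL, None),           # resolver error: also "unknown"
}
# name->address (A) results per hostname
A = {
    "mail.example.net": (OK, ["192.0.2.10"]),
    "host.example.org": (OK, ["198.51.100.7"]),
}

WEAK = "reject_unknown_reverse_client_hostname"
STRICT = "reject_unknown_client_hostname"


def evaluate(ip, reject_code=550):
    """Return {restriction: SMTP code, or "continue" when it does not fire}.

    reject_code plays the role of unknown_client_reject_code. Temporary DNS
    errors always give 450, so a legitimate sender retries instead of bouncing.
    """
    status, name = PTR.get(ip, (NOT_FOUND, None))
    if status == TEMPFAIL:
        return {WEAK: 450, STRICT: 450}
    if status == NOT_FOUND:
        return {WEAK: reject_code, STRICT: reject_code}
    # A PTR exists, so the weaker restriction is satisfied.
    fwd_status, addrs = A.get(name, (NOT_FOUND, []))
    if fwd_status == TEMPFAIL:
        strict = 450
    elif fwd_status == OK and ip in addrs:
        strict = "continue"   # the two mappings reproduce the client IP
    else:
        strict = reject_code  # forward lookup missing or mismatched
    return {WEAK: "continue", STRICT: strict}


if __name__ == "__main__":
    for client in PTR:
        print(client, evaluate(client))
```
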




