[Samba] How "safe" is reject_unknown_helo_hostname?

L.P.H. van Belle belle at bazuin.nl
Fri Apr 26 14:33:28 UTC 2019 


Helo hostname MUST have resolvable hostname. 
Crazy or not, but i use this. 

The _access-allow parts for server you really trust. 

smtpd_client_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_client_access cidr:/etc/postfix/check_client_access-allow.cidr,
    reject_unknown_hostname,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    reject_unknown_reverse_client_hostname,
    check_client_access cidr:/etc/postfix/check_client_access-reject.cidr,
    reject_unauth_pipelining

smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_helo_access pcre:/etc/postfix/check_helo_access-hostname-checks.pcre,
    check_helo_access hash:/etc/postfix/check_helo_access-allow.map,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    reject_unknown_helo_hostname,
    reject_unauth_pipelining

Resulting in more happy customers since after my adviced changes to there servers, they now also have less spam.. 


Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: phils at caerllewys.net 
> [mailto:owner-postfix-users at postfix.org] Namens Phil Stracchino
> Verzonden: vrijdag 26 april 2019 15:47
> Aan: postfix-users at postfix.org
> Onderwerp: Re: How "safe" is reject_unknown_helo_hostname?
> 
> On 4/25/19 7:56 PM, Allen Coates wrote:
> > I have been looking at the configuration parameter
> > "reject_unknown_helo_hostname", with a view to using it to 
> resist spam.
> > 
> > I know it is reasonably safe to reject an incoming email on 
> an invalid or
> > non-fqdn HELO hostname, but *UNKNOWN?*
> > 
> > I don't receive a sufficient corpus of email to make a 
> reasoned judgment.
> > 
> > Your comments would be appreciated.
> 
> 
> I don't see a fundamental risk in rejecting mail from servers 
> claiming a
> HELO hostname that doesn't resolve.  If you're already going to reject
> HELO from non-fqdn or invalid hostnames, why accept it from ones that
> don't resolve at all?
> 
> 
> -- 
>   Phil Stracchino
>   Babylon Communications
>   phils at caerllewys.net
>   phil at co.ordinate.org
>   Landline: +1.603.293.8485
>   Mobile:   +1.603.998.6958
> 
>

More information about the samba mailing list