smtpd_helo_restrictions puzzle

In main.cf, we have:

smtpd_helo_restrictions =
check_helo_access pcre:/etc/postfix/helo-pcre
reject_invalid_hostname

/etc/postfix/helo-pcre looks like this:

# Spamware artifacts
/^[0-9A-F]{8}$/i 451 that's an odd name

We have PCRE support and see its effects in access maps.
$ postconf -m
btree
cidr
environ
hash
nis
pcre
pgsql
proxy
regexp
sdbm
static
tcp
unix

Despite all that, a sender who says EHLO 3C82C868 gets through to postmaster.
Why? Where is postmaster exempted from smtpd restrictions?


But if I set

smtpd_delay_reject = no

the smtpd_helo_restrictions work.
Why does that make a difference?


Cameron

Cameron L. Spitzer wrote:
> In main.cf, we have:
>
> smtpd_helo_restrictions =
> check_helo_access pcre:/etc/postfix/helo-pcre
> reject_invalid_hostname
>
> /etc/postfix/helo-pcre looks like this:
>
> # Spamware artifacts
> /^[0-9A-F]{8}$/i 451 that's an odd name
>
> We have PCRE support and see its effects in access maps.
> $ postconf -m
> btree
> cidr
> environ
> hash
> nis
> pcre
> pgsql
> proxy
> regexp
> sdbm
> static
> tcp
> unix
>
> Despite all that, a sender who says EHLO 3C82C868 gets through to postmaster.
> Why? Where is postmaster exempted from smtpd restrictions?

Postfix has hardcoded exceptions from recipient restrictions
and sender verifications to satisfy the RFC rule that all mail
for postmaster should be accepted.

[Quoting RFC 2821]
SMTP systems are expected to make every reasonable effort to accept
mail directed to Postmaster from any other system on the Internet.
[End of Quote]

> But if I set
>
> smtpd_delay_reject = no
>
> the smtpd_helo_restrictions work.
> Why does that make a difference?

In this case, Postfix rejects the communication immediately after
the HELO phrase, not waiting to look for the recipient and thus not
knowing that the intended recipient would have been the postmaster
mailbox.

-Chris

In article <46924d67$0$20991$9b4e6d93@newsspool1.arcor-online.net>, Christian Winter wrote:
> Cameron L. Spitzer wrote:
>> # Spamware artifacts
>> /^[0-9A-F]{8}$/i 451 that's an odd name
>>
>>
>> Despite all that, a sender who says EHLO 3C82C868 gets through to postmaster.
>> Why? Where is postmaster exempted from smtpd restrictions?
>
> Postfix has hardcoded exceptions from recipient restrictions
> and sender verifications to satisfy the RFC rule that all mail
> for postmaster should be accepted.

I wonder whether it excepts abuse@ as well, per RFC2142. Where's this
feature documented?


> [Quoting RFC 2821]
> SMTP systems are expected to make every reasonable effort to accept
> mail directed to Postmaster from any other system on the Internet.

Sure, and that's why we make exceptions for postmaster in
the recipient maps. Maybe even give it a restriction class.

But in modern times, there are large chunks of the Internet from
where I don't even want email to postmaster. If the client's
hostname ends in .dialup.gvt.net.br, for example, or the
client's IPA is in 85.96.0.0/12 or zen.spamhaus.org, or the client
says HELO 3CAB1234. I guess I'll have to put those in
smtpd_(client|helo)_restrictions and turn off smtpd_delay_reject.



Cameron