This is a discussion on Re: verify helo host within the mailing.postfix.users forums, part of the Mail Servers and Related category.

Beast wrote:
>
> Consider this following header:
>
> Received: from mail.yahoo.com (unknown [82.201.235.60]) by
> mail.example.com (Postfix) with ESMTP id AA88BE7944 for
> <victim@example.com>; Fri, 3 Jun 2005 22:22:58 +0700 (WIT)
>
> Any parameter to ensure that IP of connecting host is same (or at least
> resolve) to whatever domain in helo host?
>

some well-known sites use non-resolving helos, so you'd get false positives if you use reject_unknown_hostname. if you try forcing rdns matching, then you'll get even more false positives.

instead, enforce "weak matching" for a selected list of big ISPs (those frequently forged).

    smtpd_restriction_classes = ... forged_isp

    smtpd_recipient_restrictions =
        ...
        reject_unauth_destination
        ...
        check_helo_access hash:$path/forged_isp_helo
        ...

    forged_isp =
        check_client_access hash:$path/forged_isp_client
        reject

    # cat forged_isp_helo
    yahoo.com       forged_isp
    .yahoo.com      forged_isp
    hotmail.com     forged_isp
    .hotmail.com    forged_isp
    ...

    # cat forged_isp_client
    yahoo.com       OK
    .yahoo.com      OK
    ...

this will reject helo [*.]yahoo.com unless the client is in one of the listed domains. note that client from yahoo.com can then helo with hotmail.com, but that's just silly.

If you want more granular control, you'll need a policy service (as having N restriction classes and 2*N hash files is unmanageable).
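The policy-service route mentioned at the end of the reply, as an added example that is not part of the original post: a minimal Postfix policy-delegation handler that applies the same weak matching per ISP, so a HELO in a listed domain is accepted only from a client whose reverse name is in a domain allowed for that HELO. The `FORGED_ISPS` table and the function names are assumptions made for illustration; `helo_name` and `client_name` are the attribute names Postfix sends in a policy request.

```python
#!/usr/bin/env python3
"""Postfix policy-delegation sketch: weak HELO/client matching per ISP."""
import sys

# Constructed table: HELO domain -> client (rDNS) domains allowed to use it.
FORGED_ISPS = {
    "yahoo.com": ("yahoo.com",),
    "hotmail.com": ("hotmail.com",),
}

def in_domain(host, domain):
    """True if host equals domain or is a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def parse_request(text):
    """Parse one policy request made of name=value lines."""
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)

def decide(attrs):
    """Return the policy action for one request."""
    helo = attrs.get("helo_name", "")
    client = attrs.get("client_name", "unknown")  # "unknown" when rDNS fails
    for helo_domain, client_domains in FORGED_ISPS.items():
        if in_domain(helo, helo_domain):
            if any(in_domain(client, d) for d in client_domains):
                return "DUNNO"  # consistent: let later restrictions decide
            return "REJECT HELO in %s requires a client in that domain" % helo_domain
    return "DUNNO"  # HELO is not in a protected domain: no opinion

def serve(stream_in=sys.stdin, stream_out=sys.stdout):
    """Answer requests until EOF; each request ends with an empty line."""
    block = []
    for line in stream_in:
        if line.strip():
            block.append(line.rstrip("\n"))
            continue
        if block:
            action = decide(parse_request("\n".join(block)))
            stream_out.write("action=%s\n\n" % action)
            stream_out.flush()
            block = []

if __name__ == "__main__":
    serve()
```

Unlike the two hash tables, the per-domain table also rejects a yahoo.com client that says HELO hotmail.com. Postfix would call such a service through `check_policy_service` placed after `reject_unauth_destination`.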