
reject unknown helo hostname


James Day

Feb 6, 2012, 8:36:09 AM
Just wanted to get public opinion on this one.
 
reject_unknown_helo_hostname
 
My understanding is that to be RFC compliant your HELO greeting must be a valid hostname (ie there is a public A record).
 
However since implementing this restriction under smtpd_helo_restrictions I have had nothing but complaints from people who think their messages are being unfairly blocked.
 
I know we don’t live in a perfect world and not everybody is going to have a correctly configured mail server but I don’t think it is unreasonable for me to stick to my guns and reject these messages.
 
Having said that, some people have more influence than others and should they voice any concerns I would be forced to make some changes. With that in mind, what would be the best way to make exceptions?
 
My current line of thought is to use a check_helo_access map to make exceptions on a per server basis, is there a better way?
 
Kind regards,
 
James Day
(IT Engineer)
 
 

/dev/rob0

Feb 6, 2012, 9:03:40 AM
On Mon, Feb 06, 2012 at 01:36:09PM +0000, James Day wrote:
> reject_unknown_helo_hostname

Not safe for most use.

> My understanding is that to be RFC compliant your HELO greeting
> must be a valid hostname (ie there is a public A record).

Right.

> However since implementing this restriction under
> smtpd_helo_restrictions I have had nothing but complaints from
> people who think their messages are being unfairly blocked.
>
> I know we don't live in a perfect world and not everybody is going
> to have a correctly configured mail server but I don't think it is
> unreasonable for me to stick to my guns and reject these messages.

Depends on your site's needs. Good luck!

> Having said that, some people have more influence than others and
> should they voice any concerns I would be forced to make some
> changes. With that in mind, what would be the best way to make
> exceptions?

Precede it with a check_client_access lookup which lists your
whitelisted (influential, yet misconfigured) hosts.

> My current line of thought is to use a check_helo_access map to
> make exceptions on a per server basis, is there a better way?

That would be one of the worst choices, because a forged HELO cannot
easily be tested.
--
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:

Noel Jones

Feb 6, 2012, 9:19:25 AM
On 2/6/2012 7:36 AM, James Day wrote:
> Just wanted to get public opinion on this one.
>
> reject_unknown_helo_hostname

I don't use that restriction because there seem to be too many legit
hosts that fail, and not enough bad ones that do.

Don't forget you can use a restriction with warn_if_reject to get an
idea of what it does for a while before you "go live" with it.

Ultimately, anti-spam controls are quite site-specific. Listen to
advice, then do what works best for you.



-- Noel Jones
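
An added example, not part of the original thread: assuming the restriction is deployed as `warn_if_reject reject_unknown_helo_hostname`, Postfix logs `reject_warning` lines instead of rejecting, and the sketch below tallies them per client so that exceptions can be keyed on the client IP for `check_client_access` rather than on the forgeable HELO name. The log lines are constructed samples and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample smtpd log lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Feb  6 14:01:02 mx postfix/smtpd[2101]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 450 4.7.1 <exch01.corp.local>: Helo command rejected: Host not found; from=<a@example.com> to=<b@example.net> proto=ESMTP helo=<exch01.corp.local>
Feb  6 14:07:40 mx postfix/smtpd[2101]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 450 4.7.1 <exch01.corp.local>: Helo command rejected: Host not found; from=<c@example.com> to=<b@example.net> proto=ESMTP helo=<exch01.corp.local>
Feb  6 14:09:13 mx postfix/smtpd[2144]: NOQUEUE: reject_warning: RCPT from mail.example.org[198.51.100.7]: 450 4.7.1 <localhost.localdomain>: Helo command rejected: Host not found; from=<d@example.org> to=<b@example.net> proto=ESMTP helo=<localhost.localdomain>
Feb  6 14:11:55 mx postfix/smtpd[2150]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.7.1 Client host rejected: cannot find your hostname, [203.0.113.5]; from=<e@example.com> to=<b@example.net> proto=ESMTP helo=<gw.example.com>
"""

# Matches only the warning produced by an unresolvable HELO name; rejections
# from other restrictions (last sample line) are ignored.
WARN_RE = re.compile(
    r"reject_warning: \w+ from (?P<rdns>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"\d{3} [\d.]+ <(?P<helo>[^>]*)>: Helo command rejected: Host not found"
)


def helo_warnings(log_text):
    """Count would-be rejections per (client IP, reverse DNS name, HELO name)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m:
            hits[(m["ip"], m["rdns"], m["helo"])] += 1
    return hits


def client_access_entries(hits, approved_ips):
    """Render access-map lines for manually reviewed client IPs only.

    The key is the connecting IP, which the client cannot forge the way it
    can forge the HELO argument.
    """
    seen = sorted({ip for ip, _, _ in hits if ip in approved_ips})
    return [f"{ip}\tOK" for ip in seen]


if __name__ == "__main__":
    for (ip, rdns, helo), n in helo_warnings(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {ip:15s}  rdns={rdns}  helo={helo}")
```
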

James Day

Feb 6, 2012, 10:08:13 AM
-----Original Message-----
From: owner-pos...@postfix.org [mailto:owner-pos...@postfix.org] On Behalf Of Noel Jones
Sent: 06 February 2012 14:19
To: postfi...@postfix.org
Subject: Re: reject unknown helo hostname

On 2/6/2012 7:36 AM, James Day wrote:
> Just wanted to get public opinion on this one.
>
> reject_unknown_helo_hostname

>I don't use that restriction because there seem to be too many legit hosts that fail, and not enough bad ones that do.

>Don't forget you can use a restriction with warn_if_reject to get an idea of what it does for a while before you "go live" with it.

>Ultimately, anti-spam controls are quite site-specific. Listen to advice, then do what works best for you.



> -- Noel Jones

Rob, Noel,

Thanks for your insight, as ever your advice is greatly appreciated.

Jim Wright

Feb 6, 2012, 12:12:47 PM
Hi, James.  I use this here, but mine is a small server.  When I see what looks like a real message that was blocked, I usually email the postmaster of the other system with a canned letter advising them of the issue and how to fix it.  It's usually just a line in their config that sets the helo name.  Sometimes I hear back and they're grateful for the pointer, sometimes I never hear back.

Other larger sites will silently drop mails from such misconfigured systems, though this isn't consistent.  If more systems would enforce this, I think it would be better for everyone involved.

Jim

On Feb 6, 2012, at 7:36 AM, James Day wrote:

Just wanted to get public opinion on this one.
 
reject_unknown_helo_hostname
 
My understanding is that to be RFC compliant your HELO greeting must be a valid hostname (ie there is a public A record).
 
However since implementing this restriction under smtpd_helo_restrictions I have had nothing but complaints from people who think their messages are being unfairly blocked.
 
I know we don’t live in a perfect world and not everybody is going to have a correctly configured mail server but I don’t think it is unreasonable for me to stick to my guns and reject these messages.
 
Having said that, some people have more influence than others and should they voice any concerns I would be forced to make some changes. With that in mind, what would be the best way to make exceptions?
 
My current line of thought is to use a check_helo_access map to make exceptions on a per server basis, is there a better way?
 

Benny Pedersen

Feb 6, 2012, 8:12:01 PM

On 2012-02-06 14:36, James Day wrote:

> My current line of thought is to use a check_helo_access map to make exceptions on a per server basis, is there a better way?

write to postm...@senderdomain.example.org perfectly done by users that complain :-)