I have configured my postfix as follows:

smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_helo_hostname

This is working well because most spambots don't seem to have correct reverse lookups. But every once in a while I run into mail I care about getting rejected, because the mail source server admin doesn't care about configuring his server correctly.

For example here the server introduces itself as "srv1.xbmc.org" which has no DNS record and fails my basic check.

Jan  6 04:42:36 mail postfix/smtpd[660]: connect from xbmc.org[205.251.128.242]
Jan  6 04:42:37 mail postfix/smtpd[660]: NOQUEUE: reject: RCPT from xbmc.org[205.251.128.242]: 450 4.7.1 <srv1.xbmc.org>: Helo command rejected: Host not found; from=<www-data@xbmc.org> to=<leho@domain.com> proto=ESMTP helo=<srv1.xbmc.org>

I have tried to contact the server admin several times, but there is no response. What is the optimal way to handle this from my side? Is adding these "special" hosts to mynetworks = my only option? Is perhaps my whole smtpd_helo_restrictions setup wrong in some significant way?

lkraav

4 Answers

1

As you noted, there is no forward DNS entry for the hostname given by the remote mail server.

$ host srv1.xbmc.org
Host srv1.xbmc.org not found: 3(NXDOMAIN)

This isn't a significant problem, as these often are internal hostnames with no meaning on the public Internet.

For a complete list of things I do check for, see this answer on spam prevention. On my public mail servers, I never use reject_unknown_helo_hostname even though it's listed as a recommendation there (another user added it).

Michael Hampton
  • I now noticed I might've built my question incorrectly. Notice that xbmc.org introduces itself to my mail server as `450 4.7.1 `. That is the actual problem. There is no DNS record for it. – lkraav Jan 06 '13 at 19:36
  • Thanks for the spam-fight answer link, great material. No doubt I will need to upgrade my anti-spam setup, but there's no resource to embark upon it immediately. I'll leave this open until then. OTOH, I understand it's a lot of work to configure every little detail, but I think one's internal network names shouldn't really be able to get out and disturb the public network in this way. – lkraav Jan 07 '13 at 10:59
1

DO NOT use wholesale hostname rejection unless you plan to reject mail from most all automated systems out there. Yes, it's not entirely RFC-compliant, but no, they won't change it any time soon.

I generally recommend using

reject_unknown_reverse_client_hostname
warn_if_reject reject_unknown_helo_hostname
reject_invalid_helo_hostname

instead; this will log RFC-ignorant EHLO but still let them through.

Especially Exchange machines are notorious for using only the ugly netbios hostname to EHLO.

mc0e
adaptr
1

What is the optimal way to handle this from my side? You have 2 ways.

Is adding these "special" hosts to mynetworks = my only option? No, it does

Is perhaps my whole smtpd_helo_restrictions setup wrong in some significant way? No, it has general restriction rules.

The easiest way. You can skip checks for these hosts

smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access hash:/etc/postfix/helo_access, reject_unknown_helo_hostname

Add the following line to the file

srv1.xbmc.org OK

and create the map file

# postmap /etc/postfix/helo_access
# service postfix restart

The hard way. You need to create your own restriction class

smtpd_restriction_classes = sender_white_list
sender_white_list = check_client_access hash:/etc/postfix/check_client_access, reject

smtpd_helo_restrictions =  permit_mynetworks, permit_sasl_authenticated, check_helo_access hash:/etc/postfix/check_helo_access

/etc/postfix/check_helo_access
srv1.xbmc.org sender_white_list

/etc/postfix/check_client_access
205.251.128.242 OK

With such a configuration, the HELO name "srv1.xbmc.org" would be permitted only from host IP 205.251.128.242

ALex_hha
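
Before whitelisting anything, it helps to see which HELO name and client IP pairs the restriction is actually hitting. The following is an added example, not code from any of the answers: it tallies `Helo command rejected: Host not found` entries from the mail log, including the `reject_warning` lines that `warn_if_reject` produces, and formats reviewed pairs as entries for the two lookup tables of the restriction-class approach above. The function names are assumptions, and the sample log combines lines from the question with constructed ones.

```python
import re
from collections import defaultdict

# Matches hard rejects and the "reject_warning" lines logged when the
# restriction is prefixed with warn_if_reject.
HELO_REJECT = re.compile(
    r"NOQUEUE: (?P<action>reject|reject_warning): RCPT from "
    r"\S*\[(?P<ip>[0-9A-Fa-f.:]+)\]: \d{3} [\d.]+ "
    r"<(?P<helo>[^>]*)>: Helo command rejected: Host not found"
)

def helo_failures(lines):
    """Return {(helo_name, client_ip): {"reject": n, "reject_warning": n}}."""
    seen = defaultdict(lambda: {"reject": 0, "reject_warning": 0})
    for line in lines:
        m = HELO_REJECT.search(line)
        if m:
            seen[(m["helo"], m["ip"])][m["action"]] += 1
    return dict(seen)

def map_entries(pairs):
    """Format reviewed (helo, ip) pairs for check_helo_access and
    check_client_access, using the sender_white_list class name from the answer."""
    helo_access = sorted({f"{helo} sender_white_list" for helo, _ in pairs})
    client_access = sorted({f"{ip} OK" for _, ip in pairs})
    return helo_access, client_access

# Sample input. Lines 1-2 are from the question; lines 3-4 are constructed
# (a retry after the 450, and a warn_if_reject hit from a documentation address).
SAMPLE_LOG = [
    "Jan  6 04:42:36 mail postfix/smtpd[660]: connect from xbmc.org[205.251.128.242]",
    "Jan  6 04:42:37 mail postfix/smtpd[660]: NOQUEUE: reject: RCPT from xbmc.org[205.251.128.242]: 450 4.7.1 <srv1.xbmc.org>: Helo command rejected: Host not found; from=<www-data@xbmc.org> to=<leho@domain.com> proto=ESMTP helo=<srv1.xbmc.org>",
    "Jan  6 05:12:40 mail postfix/smtpd[688]: NOQUEUE: reject: RCPT from xbmc.org[205.251.128.242]: 450 4.7.1 <srv1.xbmc.org>: Helo command rejected: Host not found; from=<www-data@xbmc.org> to=<leho@domain.com> proto=ESMTP helo=<srv1.xbmc.org>",
    "Jan  6 05:20:02 mail postfix/smtpd[701]: NOQUEUE: reject_warning: RCPT from unknown[192.0.2.10]: 450 4.7.1 <EXCH01>: Helo command rejected: Host not found; from=<a@example.com> to=<b@example.org> proto=ESMTP helo=<EXCH01>",
]

if __name__ == "__main__":
    failures = helo_failures(SAMPLE_LOG)
    for (helo, ip), counts in sorted(failures.items()):
        print(f"{helo:20} {ip:18} {counts}")
    # Only pairs an administrator has reviewed should reach the maps.
    helo_map, client_map = map_entries([("srv1.xbmc.org", "205.251.128.242")])
    print("\n".join(helo_map + client_map))
```

Run `postmap` on each map file after adding the generated lines, as in the answer above.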
0

....Quick and simple: Modify the Hosts file on your local machine. In this case given you would add the following line (using the tab key to create space between the name and the IP address) to the /etc/hosts file and then save the file.

205.251.128.242 srv1.xbmc.org

Sixhammers