postfix-users October 2010 archive

Re: static map returns 554, causing message to be accepted

From: Stan Hoeppner <stan_at_nospam>
Date: Sun Oct 03 2010 - 19:15:25 GMT
To: postfix-users@postfix.org

martin f krafft put forth on 10/3/2010 7:34 AM:
> Dear list,
>
> I found that a lot of spam can be weeded out by rejecting clients
> who greet me with my own hostname. Initially, I achieved this with
> the following:
>
> main.cf:
>   smtpd_helo_restrictions =
>     []
>     check_helo_access pcre:$config_directory/reject_helo_myhostname
>
> reject_helo_myhostname:
>   /^myhostname(\.mydomain)?$/ 554 do not impersonate me
>
> I then ran into problems when the host connected to itself through
> the loopback interface. Since I did not want to add
> permit_mynetworks to smtpd_helo_restrictions (I expect all machines
> on my network to pass the other helo restrictions) <snip>

TTBOMK, the proper way to do this is the method you are avoiding, which
is to implement permit_mynetworks in smtpd_helo_restrictions. Also note
you can do this just as easily with a hash table as with a PCRE table.
Excellent how-to:

http://www.unixwiz.net/techtips/postfix-HELO.html

I think you're currently making this more complicated than it needs to
be. If not, if you absolutely can't do it this way, and you're having
reinjection problems with content filters or policy daemons, simply add
something like this to the master.cf entry for the reinjection smtpd
listener:

daemon inet n - - - - smtpd
        -o smtpd_client_restrictions=
        -o smtpd_helo_restrictions=
        -o smtpd_sender_restrictions=
        -o smtpd_recipient_restrictions=permit_mynetworks,reject

If you don't already have a dedicated reinjection listener, that's a
problem, and you should set one up. You shouldn't be dumping mail
that's already been through a content filter or policy daemon back into
your public facing smtpd listener on localhost:25, which has all the
smtpd_foo_restrictions restrictions on it.

If you aren't currently eliminating these restrictions on reinjection
connections, you are doing extra unnecessary processing and throwing up
unnecessary roadblocks to internal trusted communications between your
Postfix processes. smtpd_foo_restrictions are designed to be used
against foreign public MTAs connecting to your public facing smtpd, not
against trusted internal processes.

-- Stan
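
Added example, not part of the original message and not Postfix code: a simplified Python model of first-match evaluation of smtpd_helo_restrictions, showing why a loopback client announcing the server's own name is rejected by the HELO table alone and passes once permit_mynetworks comes first. The hostname, domain and network ranges are constructed assumptions.

```python
import ipaddress
import re

# Assumed values for illustration; substitute your own mynetworks.
MYNETWORKS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.0.2.0/24")]
# Same shape as the reject_helo_myhostname pattern quoted above, with
# constructed names; Postfix pcre tables match case-insensitively by default.
HELO_ACCESS = [(re.compile(r"^mail(\.example\.com)?$", re.I),
                "554 do not impersonate me")]


def permit_mynetworks(client_ip, helo):
    """Return 'permit' for clients inside mynetworks, else None (no decision)."""
    addr = ipaddress.ip_address(client_ip)
    return "permit" if any(addr in net for net in MYNETWORKS) else None


def check_helo_access(client_ip, helo):
    """Return the table action for the first pattern matching the HELO name."""
    for pattern, action in HELO_ACCESS:
        if pattern.search(helo):
            return action
    return None


def evaluate(restrictions, client_ip, helo):
    """First restriction that returns a decision wins; default is permit."""
    for restriction in restrictions:
        result = restriction(client_ip, helo)
        if result is not None:
            return result
    return "permit"


# The two orderings discussed in the thread, modelled as lists of callables.
WITHOUT_PERMIT = [check_helo_access]
WITH_PERMIT = [permit_mynetworks, check_helo_access]

if __name__ == "__main__":
    # Constructed sample sessions: (client address, HELO name).
    for ip, helo in [("127.0.0.1", "mail.example.com"),
                     ("203.0.113.7", "mail.example.com"),
                     ("203.0.113.7", "mx.example.net")]:
        print(ip, helo, "|", evaluate(WITHOUT_PERMIT, ip, helo),
              "|", evaluate(WITH_PERMIT, ip, helo))
```

The model covers only the HELO restriction list; a permit here ends that list and does not bypass the recipient restrictions that Postfix evaluates afterwards.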