postfix-users October 2010 archive

Re: static map returns 554, causing message to be accepted

From: Noel Jones <njones_at_nospam>
Date: Mon Oct 04 2010 - 03:07:20 GMT

On 10/3/2010 7:34 AM, martin f krafft wrote:
> Dear list,
> I found that a lot of spam can be weeded out by rejecting clients
> who greet me with my own hostname. Initially, I achieved this with
> the following:
> smtpd_helo_restrictions =
> []
> check_helo_access pcre:$config_directory/reject_helo_myhostname
> reject_helo_myhostname:
> /^myhostname(\.mydomain)?$/ 554 do not impersonate me
> I then ran into problems when the host connected to itself through
> the loopback interface. Since I did not want to add
> permit_mynetworks to smtpd_helo_restrictions (I expect all machines
> on my network to pass the other helo restrictions), I went on to

You're shooting yourself in the foot by not using
permit_mynetworks. If they're authorized clients, you
shouldn't make them jump through the hoops intended for
potentially hostile outside connections.

> experiment with restriction classes. I now realise that there are
> other, more direct ways to achieve what I want, but I would still
> like to figure out a problem I ran into:
> smtpd_helo_restrictions =
> []
> check_helo_access pcre:$config_directory/reject_helo_myhostname
> smtpd_restriction_classes =
> []
> target_reject_helo_myhostname
> target_reject_helo_myhostname =
> permit_mynetworks
> sleep 10

You're tying up a valuable smtpd process by using the sleep 10
before reject. This is a fine way to create your own denial
of service. Get rid of unwanted connections as soon as possible.

> reject
> reject_helo_myhostname:
> /^myhostname(\.mydomain)?$/ target_reject_helo_myhostname
> This works, but I wanted to have a more verbose error message, so
> I replaced the last line with

Lots easier to just use
      /^myhostname(\.mydomain)?$/ REJECT don't use my hostname

> check_helo_access static:554 do not impersonate me
> Much to my surprise, this caused the message to be accepted.

The static: map type only returns the first element. This
could probably be better documented, but has been discussed on
this list numerous times.

As documented in access(5), an all-numeric response means
"OK". Anyway, you should be using 'REJECT' rather than a code
as a general rule.

> I now found a better solution, but I am still curious what I did
> wrong in using the static map.

Static maps are inappropriate for returning a custom response. Use a regexp: or pcre: map instead.

   -- Noel Jones
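The following is an added illustration written for this archive page, not Postfix source code and not something either poster supplied. It re-implements in Python just the rules the reply leans on: a restriction list is split on whitespace and commas, so a table spec can never contain a space; a static: table returns its value for every key; an all-numeric access(5) result is treated as OK; "REJECT text" and "5NN text" reject; a bare word on the right-hand side may name a restriction class. The hostname (mail.example.org), networks, table name and the "Access denied" text for the bare reject restriction are assumed values, and sleep is modeled as a no-op. Running it shows why the original "554 do not impersonate me" works, why the static:554 variant is accepted, and why permit_mynetworks first fixes the loopback case.

```python
"""Model of the access(5) result handling discussed in the thread (added
example; not Postfix code).  Hostname, networks and reply texts are assumed."""
import ipaddress
import re

MYHOSTNAME = "mail.example.org"                       # assumed $myhostname
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),    # assumed $mynetworks
              ipaddress.ip_network("192.0.2.0/24")]
ALL_NUMERIC = re.compile(r"^\d+$")
REPLY_CODE = re.compile(r"^[45]\d\d$")

# pcre: table contents as (pattern, right-hand side).  In the file each row
# would read   /^mail(\.example\.org)?$/ <right-hand side>   (assumed names).
HELO_PATTERN = r"^mail(\.example\.org)?$"
HELO_MAP_ORIGINAL = [(HELO_PATTERN, "554 do not impersonate me")]
HELO_MAP_CLASS    = [(HELO_PATTERN, "target_reject_helo_myhostname")]
HELO_MAP_BROKEN   = [(HELO_PATTERN, "check_helo_access static:554 do not impersonate me")]
HELO_MAP_REJECT   = [(HELO_PATTERN, "REJECT don't use my hostname")]
CLASSES = {"target_reject_helo_myhostname": "permit_mynetworks sleep 10 reject"}
HELO_TABLE = "pcre:reject_helo_myhostname"            # assumed table name


def tokenize(restrictions):
    """Postfix splits restriction lists on whitespace and commas, so the
    table spec 'static:554' ends at the first space."""
    return [t for t in re.split(r"[\s,]+", restrictions.strip()) if t]


def lookup(spec, key, tables):
    """Resolve a 'type:name' table spec for one key; None means no match."""
    if spec.startswith("static:"):
        return spec[len("static:"):]          # static(5): same value for every key
    if spec.startswith("pcre:"):
        for pattern, value in tables[spec]:   # first match wins; RHS is kept whole
            if re.search(pattern, key, re.IGNORECASE):   # pcre: tables match case-insensitively by default
                return value
        return None
    raise ValueError(f"unsupported table type in {spec!r}")


def interpret(result, ctx, classes, tables):
    """Turn an access-map right-hand side into a decision per access(5)."""
    result = result.strip()
    if ALL_NUMERIC.match(result):             # an all-numeric result is treated as OK
        return ("OK", None)
    word, _, text = result.partition(" ")
    keyword = word.upper()
    if keyword == "OK":
        return ("OK", None)
    if keyword == "DUNNO":
        return None                           # no decision; keep evaluating
    if keyword == "REJECT":
        return ("554", text or "Access denied")   # 554 is the default access_map_reject_code
    if REPLY_CODE.match(word) and text:
        return (word, text)                   # "5NN text": reject with that code and text
    return evaluate(result, ctx, classes, tables)   # restriction class or restriction list


def evaluate(restrictions, ctx, classes, tables):
    """Walk a restriction list; return (code, text), ("OK", None) or None."""
    tokens = tokenize(restrictions)
    i = 0
    while i < len(tokens):
        name = tokens[i]
        i += 1
        if name == "permit_mynetworks":
            if any(ctx["client"] in net for net in MYNETWORKS):
                return ("OK", None)
        elif name == "permit":
            return ("OK", None)
        elif name == "reject":
            return ("554", "Access denied")   # reject_code defaults to 554; text is a placeholder
        elif name == "sleep":
            i += 1                            # consumes its delay argument; modeled as a no-op
        elif name == "check_helo_access":
            spec = tokens[i]
            i += 1
            value = lookup(spec, ctx["helo"], tables)
            if value is not None:
                decision = interpret(value, ctx, classes, tables)
                if decision is not None:
                    return decision           # leftover tokens ("do not impersonate me") are never reached
        elif name in classes:
            decision = evaluate(classes[name], ctx, classes, tables)
            if decision is not None:
                return decision
        else:
            raise ValueError(f"unknown restriction {name!r}")
    return None


def helo_decision(table, client_ip, helo, restrictions=f"check_helo_access {HELO_TABLE}"):
    """Evaluate smtpd_helo_restrictions for one client against one pcre: table."""
    ctx = {"client": ipaddress.ip_address(client_ip), "helo": helo}
    return evaluate(restrictions, ctx, CLASSES, {HELO_TABLE: table})


if __name__ == "__main__":
    outside, loopback = "198.51.100.7", "127.0.0.1"
    print(helo_decision(HELO_MAP_ORIGINAL, outside, MYHOSTNAME))   # ('554', 'do not impersonate me')
    print(helo_decision(HELO_MAP_ORIGINAL, loopback, MYHOSTNAME))  # also rejected: the loopback problem
    print(helo_decision(HELO_MAP_BROKEN, outside, MYHOSTNAME))     # ('OK', None): static:554 -> "554" -> OK
    print(helo_decision(HELO_MAP_REJECT, outside, MYHOSTNAME))     # ('554', "don't use my hostname")
    print(helo_decision(HELO_MAP_REJECT, loopback, MYHOSTNAME,
                        f"permit_mynetworks check_helo_access {HELO_TABLE}"))  # ('OK', None)
```

The model deliberately stops at the first decision, which is the whole point of the static: case: by the time "554" has been looked up and read as OK, nothing after it in the list matters. The class-based variant from the thread (HELO_MAP_CLASS with permit_mynetworks, sleep 10, reject) evaluates through the same code path and rejects outsiders while permitting loopback, but, as the reply notes, a plain REJECT right-hand side does the same without tying up an smtpd process in sleep.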