|
> I am working on matching some particular spam in a helo_check.
>
> Where should I be looking to match? In the name the sending MTA
> provides or the one that is resolved in hard braces? Frequently they
> are two different things. Should I just try to match both? I
> apologize for being so clueless at the details of this stage of the
> SMTP conversation.

Here's an example Received: header..

Received: from heloname.example.com (rDNS.example.com [192.168.1.11])
	by myhostname.tld (Postfix) with ESMTP id F04C4797856
	for <recipient>; Thu, 14 Jun 2007 20:48:50 -0500 (CDT)

In the above example, heloname.example.com is the HELO hostname issued by the
client. rDNS.example.com is the verified client hostname ("host 192.168.1.11"
and then see if the hostname matches the original IP) and will be "unknown" if
the client hostname could not be verified. Myhostname.tld is from the mail
server, the id is the QUEUEID recorded by postfix in the mail log. The
"for <recipient...>" part will only exist for single-recipient mail. The date
is from the mail server.

Normal postfix logging does not record the HELO hostname for mail that is
accepted since the helo name is trivially forged and in most cases isn't
relevant. If you want to always see the helo name, either use something like
"warn_if_reject static:reject" in one of your restrictions, or there is a
small patch in the archives that adds the helo name to the client= log entry.

> This is what I am trying to match...nothing too complicated:
>
> (helo_checks file)
> /spamliveshere\.net/ 550 (hc-011) your email contains invalid contents.
> /technobabble/ 550 (hc-012) Go Away.

You should anchor your expressions with $ at the end: /example\.com$/. Be
careful with single word expressions like /technobabble/ since they might
match substrings in legit hostnames (but maybe not in this particular case).

> Here is a snippet of main.conf referencing aforementioned file:
>
> (main.cf)
> ...
> smtpd_recipient_restrictions =
>    check_helo_access regexp:/etc/postfix/maps/helo_checks,
> ...

You will probably want "permit_mynetworks, reject_unauth_destination" before
your helo checks. Once you exempt your own clients, one of the most effective
helo checks is to reject your own hostname (and any domains you host) and your
own IP address.

> I don't seem to be successful in just dropping things at HELO when
> the mail comes into postfix. Perhaps I am just trying to catch it
> too early or too late.

A helo reject looks something like:

Jun 14 19:04:30 mgate2 postfix/smtpd[95296]: NOQUEUE: reject: RCPT from rDNS.example.net[10.1.1.11]: 554 5.7.1 <mydomain.com>: Helo command rejected: Text from your reject message here; from=<sender> to=<recipient> proto=ESMTP helo=<mydomain.com>

The text to search your log for is "reject: .* Helo command rejected". Also
note that this rejection happens after the client sends the RCPT TO command,
not when the client sends their HELO command.

-- 
Noel Jones
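An added example (not part of the thread, and not Postfix code) that puts the three points of the reply into one script: it splits a Postfix Received: header into the HELO name, the verified rDNS name, the client IP and the queue id, it pulls the fields out of "Helo command rejected" log lines, and it lints a helo_checks regexp map for the two mistakes the reply warns about (no trailing $ anchor, bare single-word patterns). The headers, log lines and map are constructed samples shaped like the ones quoted above; 192.0.2.25 is a placeholder for the server's own IP address.

```python
import re

# Constructed sample headers in the shape shown in the reply (not real mail).
SAMPLE_RECEIVED = (
    "Received: from heloname.example.com (rDNS.example.com [192.168.1.11]) "
    "by myhostname.tld (Postfix) with ESMTP id F04C4797856 "
    "for <user@myhostname.tld>; Thu, 14 Jun 2007 20:48:50 -0500 (CDT)"
)
# Multi-recipient mail: no "for <...>" clause; rDNS of the client did not verify.
SAMPLE_RECEIVED_MULTI = (
    "Received: from mail.example.org (unknown [192.168.1.12]) "
    "by myhostname.tld (Postfix) with ESMTP id A1B2C3D4E5; "
    "Thu, 14 Jun 2007 21:02:11 -0500 (CDT)"
)

# Field order: HELO name, (verified rDNS [IP]), receiving host, protocol,
# queue id, optional single recipient, date stamped by the receiving server.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)\s+"
    r"by\s+(?P<myhost>\S+)\s+\(Postfix\)\s+with\s+(?P<proto>\S+)\s+id\s+(?P<queueid>\S+)"
    r"(?:\s+for\s+<(?P<rcpt>[^>]+)>)?;\s*(?P<date>.+)$"
)

def parse_received(header):
    """Split a Postfix Received: header into its fields; None if the shape differs."""
    m = RECEIVED_RE.match(" ".join(header.split()))  # fold continuation lines
    if not m:
        return None
    fields = m.groupdict()
    # Postfix writes "unknown" where the client's rDNS name could not be verified.
    fields["rdns_verified"] = fields["rdns"] != "unknown"
    return fields

# Constructed smtpd log lines: one HELO reject, one reject for another reason.
SAMPLE_LOG = [
    "Jun 14 19:04:30 mgate2 postfix/smtpd[95296]: NOQUEUE: reject: RCPT from "
    "rDNS.example.net[10.1.1.11]: 554 5.7.1 <mydomain.com>: Helo command rejected: "
    "Text from your reject message here; from=<sender@example.net> "
    "to=<user@mydomain.com> proto=ESMTP helo=<mydomain.com>",
    "Jun 14 19:05:02 mgate2 postfix/smtpd[95296]: NOQUEUE: reject: RCPT from "
    "unknown[10.1.1.12]: 554 5.7.1 <user@other.example>: Relay access denied; "
    "from=<a@example.net> to=<user@other.example> proto=ESMTP helo=<x>",
]

# Same thing the reply's search string "reject: .* Helo command rejected" finds,
# with the surrounding fields captured so rejects can be counted per HELO or IP.
HELO_REJECT_RE = re.compile(
    r"postfix/smtpd\[(?P<pid>\d+)\]: NOQUEUE: reject: RCPT from "
    r"(?P<rdns>[^\[]+)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) (?P<dsn>\S+) "
    r"<(?P<arg>[^>]*)>: Helo command rejected: (?P<reason>[^;]*); "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=(?P<proto>\S+) helo=<(?P<helo>[^>]*)>"
)

def helo_rejects(lines):
    """Return the parsed fields of every 'Helo command rejected' log line."""
    return [m.groupdict() for m in map(HELO_REJECT_RE.search, lines) if m]

# Constructed helo_checks map: the two entries from the question plus two
# anchored ones; 192.0.2.25 is a placeholder for the server's own IP address.
SAMPLE_MAP = r"""
# helo_checks
/spamliveshere\.net/        550 (hc-011) your email contains invalid contents.
/technobabble/              550 (hc-012) Go Away.
/^mydomain\.com$/           550 (hc-013) You are not me.
/^\[?192\.0\.2\.25\]?$/     550 (hc-014) You are not me either.
"""

def _split_regexp_entry(line):
    """Return (pattern, rest) for a '/pattern/[flags] action' line, or (None, None)."""
    i = 1
    while i < len(line):
        if line[i] == "\\":          # skip an escaped character such as \/ or \.
            i += 2
            continue
        if line[i] == "/":
            return line[1:i], line[i + 1:].strip()
        i += 1
    return None, None

def lint_helo_checks(map_text):
    """Flag entries without a trailing $ anchor and bare-word patterns."""
    warnings = []
    for lineno, raw in enumerate(map_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("!"):          # negated entry: !/pattern/ action
            line = line[1:]
        if not line.startswith("/"):
            warnings.append((lineno, line, "not a /regexp/ entry"))
            continue
        pattern, _rest = _split_regexp_entry(line)
        if pattern is None:
            warnings.append((lineno, line, "unterminated regexp"))
            continue
        if not pattern.endswith("$"):
            warnings.append((lineno, pattern, "no trailing $ anchor; matches anywhere in the HELO name"))
        if re.fullmatch(r"[A-Za-z0-9-]+", pattern):
            warnings.append((lineno, pattern, "bare word; may match a substring of a legitimate hostname"))
    return warnings

if __name__ == "__main__":
    print(parse_received(SAMPLE_RECEIVED))
    for r in helo_rejects(SAMPLE_LOG):
        print("HELO reject:", r["ip"], r["helo"], r["reason"])
    for lineno, pattern, msg in lint_helo_checks(SAMPLE_MAP):
        print(f"helo_checks line {lineno}: /{pattern}/: {msg}")
```

Run against a real maillog, helo_rejects() only ever sees lines logged at RCPT TO time, which is the point the reply makes: the HELO check fires when smtpd_recipient_restrictions are evaluated, not when the HELO command itself arrives. The linter treats the map as Postfix does, as POSIX regular expressions one per line, so it deliberately flags the questioner's two entries and passes the anchored ones.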
© 2004-2008 readlist.com