Re: What does check_helo_mx_access check?
From: Noel Jones (njones megan.vbhcs.org)
Date: Mon May 03 2004 - 10:40:08 CDT
On Mon, May 03, 2004 at 04:46:59PM +0200, Heinz Ulrich Stille wrote:
> Hi!
>
> I'm playing around with postfix 2.1.0 and spam controls.
> Just now I'm having trouble with ebay.com: Their server claims to be
> e.g. "mx46.sjc.ebay.com" in its HELO. That address resolves to
> 10.6.182.166, which is a RFC 1918 private network. Strange enough,
> but no real problem.
>
> I've got "cidr" type maps for check_helo_access and check_helo_mx_access
> in smtpd_helo_restrictions, both containing a REJECT for 10.0.0.0/8.
>
> Why does ebay hit the helo_mx test but not the helo one? I put
> check_helo_access before check_helo_mx_access, and anyway the mail
> gets through if I remove the corresponding line from the mx map.
>
check_helo_access only checks the name provided by the client's
HELO/EHLO command; it does not attempt to resolve the name to an IP
address. So only a literal "10.0.0.1" HELO name will be caught by your
check_helo_access cidr map.

check_helo_mx_access does an MX lookup for the given HELO name, and
uses that result (or results in case of multiple MX records) for the
lookups. So a HELO name that resolves to a private address, such as a
load-balanced cluster might use, will be caught by your cidr table.

I have not found check_helo_mx_access to be particularly useful,
others may have different experiences.

On the other hand, check_sender_mx_access and check_sender_ns_access
are quite useful for identifying associated spam domains.
--
Noel Jones
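
The difference described in the reply above, as an added example that is not part of the original thread and is not Postfix code: a simplified Python model of the two restrictions run against the same cidr table. The DNS data is constructed (only the ebay.com address comes from the question), and the fallback to the HELO name itself when no MX record exists is an assumption of this model.

```python
import ipaddress

# Constructed cidr-style access table, modelled on the one in the question.
CIDR_TABLE = [("10.0.0.0/8", "REJECT")]

# Constructed DNS data standing in for live lookups (assumption, not real records).
MX_RECORDS = {"example.org": ["mail.example.org"]}
A_RECORDS = {
    "mx46.sjc.ebay.com": ["10.6.182.166"],  # address quoted in the question
    "mail.example.org": ["192.0.2.25"],
}

def cidr_lookup(key):
    """Return the action of the first matching network, or None.
    Keys that are not IP addresses (host names) never match a cidr pattern."""
    try:
        addr = ipaddress.ip_address(key)
    except ValueError:
        return None
    for net, action in CIDR_TABLE:
        if addr in ipaddress.ip_network(net):
            return action
    return None

def check_helo_access(helo):
    """Looks up only the literal HELO string; no DNS resolution."""
    return cidr_lookup(helo)

def check_helo_mx_access(helo):
    """Looks up the MX hosts for the HELO name and their addresses.
    Assumption of this model: with no MX record, the name itself is used."""
    for host in MX_RECORDS.get(helo, [helo]):
        for key in [host] + A_RECORDS.get(host, []):
            action = cidr_lookup(key)
            if action:
                return action
    return None

def evaluate(helo):
    """Run both restrictions in the order given in the question."""
    return {"check_helo_access": check_helo_access(helo),
            "check_helo_mx_access": check_helo_mx_access(helo)}

if __name__ == "__main__":
    for name in ("mx46.sjc.ebay.com", "10.0.0.1", "example.org"):
        print(name, evaluate(name))
```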