Re: Postfix article in Free Software Magazine
From: Victor Duchovni (Victor.Duchovni@MorganStanley.com)
Date: Fri Mar 04 2005 - 09:55:46 CST
On Thu, Mar 03, 2005 at 09:18:06PM -0600, Kirk Strauser wrote:
> On Thursday 03 March 2005 05:52 pm, Rob Chanter wrote:
>
> > Not bad. One thing did jump out at me. In this example:
> >
> > woozle.honeypot.net OK
> > honeypot.net REJECT You are not me. Shoo!
> > 208.162.254.122 REJECT You are not me. Shoo!
> >
> > you missed the opportunity to explain DUNNO in access maps, and give an
> > example that is an open relay to any host identifying itself as woozle.
>
> My understanding is that the check_helo_access can basically only
> *reject* and not allow (that is, OK would work like DUNNO later).
> Is that incorrect?

The smtpd_helo_restrictions are not final, they are followed by
smtpd_sender_restrictions and smtpd_recipient_restrictions. So
a "check_helo_access ..." used in ***smtpd_helo_restrictions***
can safely return OK (really meaning OK, not DUNNO), but this
only short-circuits the helo checks, and one still relies on
smtpd_recipient_restrictions to avoid open-relay problems.

If an unsafe "check_helo_access" is used too early in the
recipient restrictions, you are toast.

--
Viktor.
Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the "Reply-To" header.
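
The evaluation order described in the message above, as an added example that is not part of the original post and is not Postfix code: a simplified Python model of the restriction lists, using the access map quoted in the thread. The local domain, trusted network, client address and recipient are assumptions constructed for illustration, and map lookups are exact-match only.

```python
# Simplified model of Postfix smtpd restriction lists (not Postfix code).
# Each restriction returns "OK", "REJECT" or "DUNNO" (no opinion).
HELO_ACCESS = {  # access map from the thread; exact-match lookups only
    "woozle.honeypot.net": "OK",
    "honeypot.net": "REJECT",
    "208.162.254.122": "REJECT",
}
LOCAL_DOMAINS = {"honeypot.net"}   # assumption: domains we are final for
MYNETWORKS = {"127.0.0.1"}         # assumption: trusted client addresses

def check_helo_access(s):
    return HELO_ACCESS.get(s["helo"].lower(), "DUNNO")

def permit_mynetworks(s):
    return "OK" if s["client"] in MYNETWORKS else "DUNNO"

def reject_unauth_destination(s):
    domain = s["rcpt"].rsplit("@", 1)[-1].lower()
    return "DUNNO" if domain in LOCAL_DOMAINS else "REJECT"

def run_list(restrictions, s):
    """First non-DUNNO result ends this list; falling off the end permits."""
    for restriction in restrictions:
        result = restriction(s)
        if result != "DUNNO":
            return result
    return "OK"

def decide(config, s):
    """REJECT in any list is final; OK only moves on to the next list."""
    for stage in ("helo", "sender", "recipient"):
        if run_list(config.get(stage, []), s) == "REJECT":
            return "REJECT"
    return "OK"

# OK from the HELO map is confined to the helo list.
SAFE = {"helo": [check_helo_access],
        "recipient": [permit_mynetworks, reject_unauth_destination]}
# Same map consulted ahead of reject_unauth_destination: OK permits relay.
UNSAFE = {"recipient": [check_helo_access, permit_mynetworks,
                        reject_unauth_destination]}

# Constructed session: outside client claiming our name, external recipient.
SPOOFED = {"client": "192.0.2.10", "helo": "woozle.honeypot.net",
           "rcpt": "someone@example.org"}

if __name__ == "__main__":
    print("safe:  ", decide(SAFE, SPOOFED))    # REJECT
    print("unsafe:", decide(UNSAFE, SPOOFED))  # OK
```

Replacing the OK entry with DUNNO in the map makes the UNSAFE ordering fall through to reject_unauth_destination, which is the DUNNO point raised in the quoted text.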