|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: A Question About "check_client_access"
From: Noel Jones (njones
megan.vbhcs.org)
Date: Thu Oct 13 2005 - 21:16:21 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
At 07:42 PM 10/13/2005, Rich Shepard wrote:
>>> check_helo_access pcre:/etc/postfix/helo_checks
>>check this twice or more. check it with
>>helo=216.99.206.23.
>>If I were you, I'd just reject naked IP helo's. and
>>since you do reject_non_fqdn_hostname, I see no
>>reason to accept naked IPs in helo.
>
> Well, I do get a positive response here:
>
>[rootsalmo /etc/postfix]# postmap -q 216.99.206.23
>pcre:/etc/postfix/helo_checks
>550 Don't use my IP address.
>
> If I correctly understand the application of
> helo_checks, this means that
>the unknown IP address that tried to spoof my IP
>address would receive a
>rejection with the above additional text. Is this
>correct?
The client should have received the whole "550 Don't
use my IP address" message.
This is another good clue. The message is whitelisted
before this check.
So now you know the problem is above this.
You have rather complex restrictions, but I'm sure
that this problem is resolvable if you are willing to
keep at it.
Next step in debugging: Use telnet and XCLIENT to
duplicate the session that got through, use
debug_peer_list to log what's happening.
http://www.postfix.org/XCLIENT_README.html
http://www.postfix.org/postconf.5.html#debug_peer_list
--
Noel Jones
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]