Re: Order of check vs. postgrey

From: Jon (jon_kiotk.net)
Date: Thu Jul 05 2007 - 19:12:25 CDT


Jorey Bump wrote:
> Jon wrote:
>
>>> In regular expressions, the brackets contain a list (or range) of
>>> characters, or classes. To match actual brackets, they must be escaped:
>>>
>>> /[\[\]]/
>>>
>>> But you don't want to do that. man egrep for more information.
>>
>> OK, thanks for explaining why it's not a match.
>>
>> But... why wouldn't I want to do that?
>>
>> It would seem to me an IP without a fqdn is an IP without a fqdn
>> whether it's enclosed or not. Once you've made the commitment to throw
>> out "xxx.xxx.xxx.xxx" where is "[xxx.xxx.xxx.xxx]" different?
>
> Because an address literal (a bracketed IPV4 IP address, in this case)
> is legal in a HELO/EHLO (see RFC 2821, sections 4.1.1.1 and 4.1.3).
>
> It's not a question of whether or not the HELO/EHLO contains a fqdn,
> it's about creating a expression that matches only (but not all) invalid
> HELO/EHLO strings, which this does:
>
> /^[[:digit:]\.-]*$/
>
> This represents just one safe subset of invalid HELO hostnames, allowing
> you to impose some restrictions without the risks associated with
> reject_invalid_helo_hostname or reject_non_fqdn_helo_hostname. Those
> directives work as advertised and will stop a fair amount of spam, but
> enough misconfigured hosts exist to cause problems.

Thanks for the explanation.

I think I might be coming at my root problem from the wrong angle
because I thought the two rejects you are listing would block what I
wanted and I have them in main.cf. I was trying to:

         /^[[:digit:]\.-]*$/ REJECT

because of a desire to stop things like this:

Jul 5 18:55:06 myserver postfix/smtpd[1138]: NOQUEUE: reject: RCPT from
unknown[121.55.124.22]: 450 4.7.1 <webmastermydomain.org>: Recipient
address rejected: Greylisted, see
http://isg.ee.ethz.ch/tools/postgrey/help/mydomain.org.html;
from=<aaronmorrisonvpdqearthlink.net> to=<webmastermydomain.org>
proto=SMTP helo=<earthlink.net>
Jul 5 18:55:07 myserver postfix/smtpd[1138]: lost connection after RCPT
from unknown[121.55.124.22]
Jul 5 18:55:07 myserver postfix/smtpd[1138]: disconnect from
unknown[121.55.124.22]

If I read this right, the first connection to myserver is 121.55.124.22
and the helo is a forged earthlink.net. The IP remains unresolvable when
I check it from multiple sources outside my network.
But the postfix checks work on the values supplied within < >, correct?

If so, is there a different reject in Postfix that can examine that
first line of connecting address and allow me to reject (or even temp
fail) because there is no DNS record?
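As an added example (not from the thread or from Postfix), the Python below applies Jorey Bump's expression to a few HELO strings and parses the reject line quoted above, showing that the HELO pattern only ever sees the helo=<...> value while the unresolvable client appears as "unknown" before the bracketed IP; the log-line pattern is my own assumption, not Postfix's.

```python
import re

# Jorey Bump's expression from the thread, in Python syntax: it matches a
# HELO made only of digits, dots and hyphens (a bare IPv4 address such as
# 121.55.124.22) but not a bracketed address literal like [121.55.124.22],
# which RFC 2821 allows in HELO/EHLO.
INVALID_HELO_RE = re.compile(r'^[0-9.\-]*$')

# Fields of a postfix/smtpd reject line as shown in the thread:
# "... RCPT from unknown[121.55.124.22]: ... helo=<earthlink.net>"
# (pattern written for this example; it is not Postfix's own format spec).
LOG_RE = re.compile(
    r'from (?P<client>\S+?)\[(?P<ip>[0-9.]+)\].*?helo=<(?P<helo>[^>]*)>')


def helo_matches_invalid_pattern(helo):
    """True if the HELO string would be caught by the regexp REJECT rule."""
    return INVALID_HELO_RE.match(helo) is not None


def parse_reject_line(line):
    """Extract client hostname, client IP and HELO from a reject log line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {'client': m.group('client'), 'ip': m.group('ip'),
            'helo': m.group('helo')}


def classify(line):
    """Show which field each check looks at: the HELO regexp sees only the
    helo=<...> value, while a client with no PTR record is logged as
    'unknown' in front of the bracketed IP."""
    rec = parse_reject_line(line)
    if rec is None:
        return None
    rec['helo_rejected'] = helo_matches_invalid_pattern(rec['helo'])
    rec['client_unresolved'] = rec['client'] == 'unknown'
    return rec


# Constructed sample: the thread's log line joined onto a single line.
SAMPLE = ('Jul 5 18:55:06 myserver postfix/smtpd[1138]: NOQUEUE: reject: '
          'RCPT from unknown[121.55.124.22]: 450 4.7.1 <webmastermydomain.org>: '
          'Recipient address rejected: Greylisted; '
          'from=<aaronmorrisonvpdqearthlink.net> to=<webmastermydomain.org> '
          'proto=SMTP helo=<earthlink.net>')

if __name__ == '__main__':
    print(classify(SAMPLE))
    for h in ('earthlink.net', '121.55.124.22', '[121.55.124.22]'):
        print(h, helo_matches_invalid_pattern(h))
```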