Re: temporary dns errors are a pain

From: Noel Jones (njonesmegan.vbhcs.org)
Date: Fri Aug 27 2010 - 21:11:45 CDT


On 8/27/2010 8:36 PM, pf at alt-ctrl-del.org wrote:
>>> Wietse:
>>> > pf at alt-ctrl-del.org:
>>> >> Noel Jones, August 27, 2010 3:56 PM:
>>> >> >
>>> >> >> On: August 27, 2010 2:23 PM, I wrote:
>>> >> >>> Is there any known policy server or add-on, that will change
>>> >> >>> the tempfail action after a couple of hours, for things like
>>> >> >>> reject_unknown_client_hostname and
>>> >> >>> reject_unknown_client_hostname?
>>> >> >>>
>>> >> >>> I guess it would be an adaptation of greylisting,
>>> >> >>>
>>> >> >>> Anything like that out there?
>>> >> >>>
>>> >> >>
>>> >> >> Well, the first half was easy. I just made a few minor changes
>>> >> >> to the example greylist.pl.
>>> >> >> My greyhelo.pl works from the example test of: perl
>>> >> >> greyhelo.pl (bunch of attributes)
>>> >> >>
>>> >> >> But how to call it, only when a client fails
>>> >> >> reject_unknown_helo_hostname?
>>> >> >> The following does not work:
>>> >> >> unknown_helo_hostname_tempfail_action = check_policy_service
>>> >> >> unix:private/greyhelo
>>> >> >
>>> >> > You'll have to call the policy service for each mail, and
>>> >> > recreate the reject_unknown_* tests in your policy server.
>>> >> > That's the only way you can detect temp failures.
>>> >> >
>>> >>
>>> >> So I'd have to test for nxdomain, against $attr{"helo_name"}?
>>> >
>>> > Postfix already replies with a 5XX for an NXDOMAIN result.
>>> >
>>> ??
>>> nslookup mailserver.jtl.co.in
>>> google-public-dns-a.google.com can't find mailserver.jtl.co.in: Non-existent domain
>>>
>>> NOQUEUE: reject: RCPT from outgoing.jeevantechnologies.com[61.12.114.170]:
>>> 450 4.7.1 <mailserver.jtl.co.in>: Helo command rejected: Host not found;
>>> proto=ESMTP helo=<mailserver.jtl.co.in>
>>
>> postconf | grep 450
>
> Wietse, I was looking for a way to do both temporary and
> permanent rejects. Not one or the other.

With unknown_hostname_reject_code set to 550, NXDOMAIN hosts
will be rejected, and temporary error hosts will get the
unknown_helo_hostname_tempfail_action (default
DEFER_IF_PERMIT). So you do get both.

> Default to a temporary reject for temporary errors, then return a
> permanent reject to a specific client after x attempts or x hours.
>
> Greylisting gives a default defer, then dunno after x minutes.
> I was thinking along the lines of default defer, then reject after
> x minutes, for reject_unknown_helo_hostname clients.

Any kind of counting will need to be done in a policy server.
Maybe you can cheat and only pass the clients that tempfail to
the policy server, try this:

# main.cf
unknown_hostname_reject_code = 550

Hmmm, I bet the check_policy_service will need to be in a
restriction class... Continuing main.cf:

unknown_helo_hostname_tempfail_action = helo_tempfail_test
smtpd_restriction_classes = helo_tempfail_test
helo_tempfail_test =
   check_policy_service foo:bar

where foo:bar is the policy service endpoint.

   -- Noel Jones
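The policy server that Noel's main.cf fragment hands the tempfailing clients to is left unwritten in the thread. Below is an added example of one, not code from the thread or from Postfix: it speaks the Postfix policy protocol (name=value lines ending in an empty line, answered with a single action= line), records when a (client_address, helo_name) pair first tempfailed, answers DEFER_IF_PERMIT inside a grace window and REJECT after it. Assumptions not stated in the thread: it is reached only through the helo_tempfail_test restriction class (so every request it sees has already failed reject_unknown_helo_hostname with a temporary DNS error), the listen address 127.0.0.1:10040 and the four-hour window are hypothetical, and the state table is in memory only, so unlike greylist.pl it forgets everything on restart; a production service would persist it the way greylist.pl does with its DB file.

```python
"""Added example (not from the thread): a minimal Postfix policy server that
defers clients whose HELO name had a temporary DNS failure, then rejects them
once they have been failing for longer than a grace window."""
import socketserver
import sys
import time

# Hypothetical endpoint; main.cf would use: check_policy_service inet:127.0.0.1:10040
LISTEN = ("127.0.0.1", 10040)
GRACE_SECONDS = 4 * 3600   # hypothetical "x hours" before the defer becomes a reject

# Time each (client_address, helo_name) pair was first seen; in-memory only.
first_seen = {}


def parse_request(text):
    """Parse one policy request: 'name=value' lines terminated by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def decide(attrs, now=None, grace=GRACE_SECONDS, state=first_seen):
    """Return the value for the 'action=' reply line.

    First contact records the time and defers; DEFER_IF_PERMIT keeps the
    request open so a later whitelist entry can still accept the client.
    Once the pair has been tempfailing for `grace` seconds or more, reject."""
    now = time.time() if now is None else now
    if attrs.get("request") != "smtpd_access_policy":
        return "DUNNO"
    key = (attrs.get("client_address", ""), attrs.get("helo_name", "").lower())
    first = state.setdefault(key, now)
    if now - first < grace:
        return "DEFER_IF_PERMIT 4.7.1 HELO hostname lookup failed, try again later"
    return "REJECT 5.7.1 HELO hostname could not be resolved for %d hours" % (grace // 3600)


class PolicyHandler(socketserver.StreamRequestHandler):
    """One connection; Postfix may send several requests on it."""
    def handle(self):
        while True:
            lines = []
            while True:
                raw = self.rfile.readline()
                if not raw:            # Postfix closed the connection
                    return
                line = raw.decode("utf-8", "replace").rstrip("\r\n")
                if line == "":
                    break
                lines.append(line)
            attrs = parse_request("\n".join(lines) + "\n")
            self.wfile.write(("action=%s\n\n" % decide(attrs)).encode("utf-8"))
            self.wfile.flush()


# Constructed sample request, shaped like what Postfix sends for a client
# whose HELO name failed to resolve temporarily (addresses are documentation ranges).
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "client_name=unknown\n"
    "helo_name=mail.example.invalid\n"
    "sender=someone@example.invalid\n"
    "recipient=user@example.org\n"
    "\n"
)


def demo():
    """Walk the sample client through the window with a fresh state table."""
    state = {}
    attrs = parse_request(SAMPLE_REQUEST)
    t0 = 1_000_000.0
    first = decide(attrs, now=t0, state=state)
    later = decide(attrs, now=t0 + GRACE_SECONDS + 1, state=state)
    return first.split()[0], later.split()[0]


if __name__ == "__main__":
    if "--demo" in sys.argv:
        print(demo())          # ('DEFER_IF_PERMIT', 'REJECT')
    else:
        socketserver.ThreadingTCPServer.allow_reuse_address = True
        with socketserver.ThreadingTCPServer(LISTEN, PolicyHandler) as srv:
            srv.serve_forever()
```

Run it with --demo to see the two decisions offline, or without arguments to listen for Postfix. The restriction-class wiring from Noel's message is what makes this safe: because only clients that already tempfailed reach the service, it never has to repeat the DNS lookup itself, and NXDOMAIN clients are still rejected outright by unknown_hostname_reject_code = 550 before the policy server is consulted.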