LinuxQuestions.org

Linux - Server: Postfix: How to stop domains that do not reverse DNS to ip with EHLO restrictions (https://www.linuxquestions.org/questions/linux-server-73/postfix-how-to-stop-domains-that-do-not-reverse-dns-to-ip-with-ehlo-restrictions-716150/)

Mogget 04-01-2009 03:02 PM

Postfix: How to stop domains that do not reverse DNS to ip with EHLO restrictions
 
Is it possible to reverse-DNS check the domain given with the EHLO/HELO command, and then reject/permit based on the reverse DNS telling me whether the connecting IP is or is not part of the network registered with that domain name? You will find a section of my configuration file and a dump of a telnet session with my server further down.

My /etc/postfix/main.cf looks like this.

Code:

smtpd_sender_restrictions =
  permit_mynetworks,
  reject_unknown_sender_domain,
  reject_non_fqdn_sender,
  reject_unknown_client_hostname,
  warn_if_reject,
  reject_sender_login_mismatch,
  permit_sasl_authenticated,
  permit

smtpd_helo_restrictions =
  permit_mynetworks,
  reject_unknown_helo_hostname,
  reject_non_fqdn_helo_hostname,
  reject_invalid_helo_hostname,
  permit_sasl_authenticated,
  permit

smtpd_data_restrictions = reject_unauth_pipelining

smtpd_client_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_unknown_client_hostname,
  permit

smtpd_etrn_restrictions = permit_mynetworks, reject

smtpd_recipient_restrictions =
  permit_mynetworks,
  reject_non_fqdn_recipient,
  warn_if_reject,
  reject_unknown_recipient_domain,
  reject_unauth_destination,
  permit_sasl_authenticated,
  reject_rbl_client safe.dnsbl.sorbs.net,
  reject_rbl_client zen.spamhaus.org,
  permit

And the dump from the telnet session.

Code:

[bookie@tintaglia ~]$ telnet some.server.net 25
Trying x.x.x.x...
Connected to some.server.net.
Escape character is '^]'.
220 some.server.net ESMTP Postfix
EHLO microsoft.com
250-some.server.net
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: devil@microsoft.com
250 2.1.0 Ok
RCPT TO: postmaster@some.server.net
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: devil@microsoft.com
To: Postmaster
Subject: You have been given the chance to win serious money!

Hello, the devil talking here. You can now win serious money.
Just send me $50 and I will guarantee you thousands of dollars in return.
.
250 2.0.0 Ok: queued as 82D346624C

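The check the question asks for, as an added example that is not code from the thread: a small Postfix policy service, written in Python, that forward-resolves the EHLO/HELO hostname and compares the result with the connecting client address. It also explains why the telnet session above got through: reject_unknown_helo_hostname only requires the HELO name to have a DNS A or MX record, and microsoft.com has both, so the name is never compared with the client IP. Postfix hands a check_policy_service the HELO name and client address as the helo_name= and client_address= attributes of its policy delegation protocol, which is what this script reads. The function names, the port 10040 and the DNS table used for the offline demonstration are this example's own assumptions.

```python
"""Postfix SMTPD policy service: reject an EHLO/HELO hostname whose forward
DNS does not contain the connecting client address.

Added example for this thread, not code from the original post.  Names,
the port and CONSTRUCTED_DNS are assumptions of this example.  Wire it in
as the last entry of smtpd_helo_restrictions in main.cf:

    check_policy_service inet:127.0.0.1:10040
"""
import ipaddress
import socket
import socketserver
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]


def system_resolver(name: str) -> List[str]:
    """Forward-resolve name to all of its A/AAAA addresses via the system resolver."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse one policy request: 'name=value' lines terminated by an empty line."""
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs


def helo_matches_client(helo_name: str, client_address: str, resolve: Resolver) -> bool:
    """True if helo_name is an address literal for, or forward-resolves to, the client IP."""
    try:
        client = ipaddress.ip_address(client_address)
    except ValueError:
        return False
    if helo_name.startswith("[") and helo_name.endswith("]"):
        literal = helo_name[1:-1]  # RFC 5321 address literal: [192.0.2.1] or [IPv6:...]
        if literal.lower().startswith("ipv6:"):
            literal = literal[5:]
        try:
            return ipaddress.ip_address(literal) == client
        except ValueError:
            return False
    for addr in resolve(helo_name.rstrip(".").lower()):
        try:
            if ipaddress.ip_address(addr) == client:
                return True
        except ValueError:
            continue
    return False


def decide(attrs: Dict[str, str], resolve: Resolver = system_resolver) -> str:
    """Map one parsed request to a Postfix policy action; DUNNO means 'no opinion'."""
    helo = attrs.get("helo_name", "")
    client = attrs.get("client_address", "")
    if not helo or not client:
        return "DUNNO"
    if helo_matches_client(helo, client, resolve):
        return "DUNNO"
    return f"REJECT HELO hostname {helo} does not resolve to client address {client}"


class PolicyHandler(socketserver.StreamRequestHandler):
    """Speak the policy delegation protocol; one connection may carry many requests."""

    def handle(self) -> None:
        pending: List[str] = []
        while True:
            line = self.rfile.readline().decode("utf-8", "replace")
            if not line:  # Postfix closed the connection
                return
            pending.append(line)
            if line.strip() == "":  # a blank line ends one request
                action = decide(parse_policy_request("".join(pending)))
                self.wfile.write(f"action={action}\n\n".encode())
                self.wfile.flush()
                pending = []


# Constructed DNS data and requests so the logic can be exercised offline.
CONSTRUCTED_DNS = {
    "mail.example.net": ["192.0.2.25", "2001:db8::25"],
    "microsoft.com": ["198.51.100.7"],
}


def fake_resolver(name: str) -> List[str]:
    return CONSTRUCTED_DNS.get(name, [])


# The thread's telnet session, as Postfix would hand it to the policy service.
SPOOFED_REQUEST = (
    "request=smtpd_access_policy\nprotocol_state=RCPT\n"
    "client_address=203.0.113.5\nhelo_name=microsoft.com\n"
    "sender=devil@microsoft.com\nrecipient=postmaster@some.server.net\n\n"
)
LEGIT_REQUEST = SPOOFED_REQUEST.replace("203.0.113.5", "192.0.2.25").replace(
    "helo_name=microsoft.com", "helo_name=MAIL.example.net."
)

if __name__ == "__main__":
    print(decide(parse_policy_request(SPOOFED_REQUEST), fake_resolver))
    print(decide(parse_policy_request(LEGIT_REQUEST), fake_resolver))
    with socketserver.ThreadingTCPServer(("127.0.0.1", 10040), PolicyHandler) as srv:
        srv.serve_forever()
```

To try it without losing mail, list it as "warn_if_reject check_policy_service inet:127.0.0.1:10040" at the end of smtpd_helo_restrictions; warn_if_reject turns the following restriction's rejections into log warnings. Expect plenty of them: as the replies in this thread point out, many legitimate senders use a HELO name that does not resolve to the connecting IP, so this signal is safer as one input alongside SPF than as a hard reject.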

archangel_617b 04-02-2009 11:20 AM

Well, I don't know of any way to do this. I think this is basically why there's stuff like SPF (http://www.openspf.org/) and DKIM (http://www.dkim.org/).

I think what you'll find is that many sites do not provide a HELO which matches their reverse DNS.

- Arch

Mogget 04-02-2009 12:41 PM

Yeah, I've been looking through logs and I realised that the sending site/person might be from a domain other than the mail relay they use, so that will not work well. I'm not sure if the expected input on EHLO is the sender's domain or the relay's domain, but either way this won't work. SPF looks interesting, so I will have a look at that.

Thank you for taking the time to answer.

