Is it is possible to reverse DNS check the domain given with the EHLO/HELO command. Then reject/permit based on the reverse DNS telling me the IP connecting is/is not part of the network registered with that domain name. You will find a section of my configuration file and a dump of a telnet session with my server further down.
My /etc/postfix/main.cf looks like this.
Code:
smtpd_sender_restrictions =
permit_mynetworks,
reject_unknown_sender_domain,
reject_non_fqdn_sender,
reject_unknown_client_hostname,
warn_if_reject,
reject_sender_login_mismatch,
permit_sasl_authenticated,
permit
smtpd_helo_restrictions =
permit_mynetworks,
reject_unknown_helo_hostname,
reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname,
permit_sasl_authenticated,
permit
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_client_restrictions =
permit_mynetworks,
permit_sasl_authenticated,
reject_unknown_client_hostname,
permit
smtpd_etrn_restrictions = permit_mynetworks, reject
smtpd_recipient_restrictions =
permit_mynetworks,
reject_non_fqdn_recipient,
warn_if_reject,
reject_unknown_recipient_domain,
reject_unauth_destination,
permit_sasl_authenticated,
reject_rbl_client safe.dnsbl.sorbs.net,
reject_rbl_client zen.spamhaus.org,
permit
And the dump from the telnet session.
Code:
[bookie@tintaglia ~]$ telnet some.server.net 25
Trying x.x.x.x...
Connected to some.server.net.
Escape character is '^]'.
220 some.server.net ESMTP Postfix
EHLO microsoft.com
250-some.server.net
250-PIPELINING
250-SIZE 10240000
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
MAIL FROM: devil@microsoft.com
250 2.1.0 Ok
RCPT TO: postmaster@some.server.net
250 2.1.5 Ok
DATA
354 End data with <CR><LF>.<CR><LF>
From: devil@microsoft.com
To: Postmaster
Subject: You have been givven the chance to win serious money!
Hello, the devil talking here. You can now win serious money.
Just send me $50 and i will guarantee you thousands of dollar in return.
.
250 2.0.0 Ok: queued as 82D346624C