HELO Access restrictions

[Robert Schetterer]

Am 04.07.2017 um 22:10 schrieb Joachim Fahrner:
> Am 2017-07-04 22:01, schrieb Robert Schetterer:
> 
>>> Die Idee hinter den HELO restrictions war ja, dass Botnet Zombies normal
>>> keinen korrekt konfigurierten Hostnamen und DNS-Einträge haben.
>>
>> was definierst du als korrekt ?
> 
> Na dass der Rechner ein passendes Forward- und Reverse-DNS hat.
> 


gibt die postfix faq so als zwingend nicht her ,nach meiner Lesart

reject_invalid_helo_hostname (with Postfix < 2.3: reject_invalid_hostname)
    Reject the request when the HELO or EHLO hostname is malformed.
Note: specify "smtpd_helo_required = yes" to fully enforce this
restriction (without "smtpd_helo_required = yes", a client can simply
skip reject_invalid_helo_hostname by not sending HELO or EHLO).
    The invalid_hostname_reject_code specifies the response code for
rejected requests (default: 501).

und

reject_non_fqdn_helo_hostname (with Postfix < 2.3: reject_non_fqdn_hostname)
    Reject the request when the HELO or EHLO hostname is not in
fully-qualified domain or address literal form, as required by the RFC
<<<<<<<

im Gegensatz zu

reject_unknown_helo_hostname (with Postfix < 2.3: reject_unknown_hostname)
    Reject the request when the HELO or EHLO hostname has no DNS A or MX
record.
    The reply is specified with the unknown_hostname_reject_code
parameter (default: 450) or unknown_helo_hostname_tempfail_action
(default: defer_if_permit). See the respective parameter descriptions
for details.
    Note: specify "smtpd_helo_required = yes" to fully enforce this
restriction (without "smtpd_helo_required = yes", a client can simply
skip reject_unknown_helo_hostname by not sending HELO or EHLO).





Best Regards
MfG Robert Schetterer

-- 
[*] sys4 AG

http://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer
Aufsichtsratsvorsitzender: Florian Kirstein