tir, 2003-04-01 kl. 14:47 skrev William Thompson:
> That'd force them to use an HELO of the reverse of their IP. I wouldn't do
> it this way on my server because I know there's host (me for instance) that
> send an HELO out that doesn't map to the reverse of it's IP, however it does
> resolve to my IP. I still think that denying based on an HELO of my
> internet IP is a good idea (since noone on the inside knows about my ouside
> IP)
But I already do this on sender_helo_name/sender_host_name - I just
didn't post it, since it wasn't relevant. No-one can claim he's my host
without being it, since I compare his IP number to mine.
[...]
> # Reject HELOs that contain IP addresses unless we are a relay for
> # them. I realize this might not be a good idea, but haven't seen
> # any legit HELOs to this server with IPs.
> deny !hosts = +relay_from_hosts
> message = HELO may not be an IP address
> condition = ${if match{$sender_helo_name}{\N^\[?\d+\.\d+\.\d+\.\d+\]?$\N}{yes}{no}}
As far as I'm concerned, no relay_from host may give an IP number in a
helo/ehlo. Nobody else, either. If necessary for yourself, you can use
sender_host_address or extract the client's IP number form
sender_fullhost - you don't need a regex.
> {eq{$sender_helo_name}{hotmail.com}} \
> {eq{$sender_helo_name}{msn.com}} \
For all of this stuff, you could do a lookup, once and for all.
Best,
Tony
--
Tony Earnshaw
e-post: tonni@???
www: http://www.billy.demon.nl
