David Snowden wrote:
> We have a director that uses "senders =" to restrict access to
> certain features based on them being in our local domain.
>
> However, I have noticed that if a spammer uses our local domain name
> in a forged HELO/EHLO command then the director is fooled into
> thinking that this message has originated locally and can use this
> particular facility.
>
> What would be the best way around this?
>
> I could try using helo_verify_hosts to block the forged HELO/EHLOs,
> but I seem to recall from previous discussions on the list that that
> can lead to the rejection of a lot of genuine connections from
> misconfigured sites whose HELO/EHLO address doesn't match the
> hostname from a reverse DNS lookup of their IP address.
I'm using the following in the acl_check_rcpt ACL:
  # Forged HELOs: reject at RCPT time if a host that is not one of ours
  # announces itself with one of our local domains ...
  deny message     = Forged hostname detected in HELO - $sender_helo_name
       hosts       = !+relay_from_hosts
       log_message = Forged hostname detected in HELO - $sender_helo_name
       condition   = ${lookup{$sender_helo_name}dbm{/etc/mail/localdomains.db}{yes}{no}}

  # ... or with the address of the interface it connected to
  deny message     = Forged IP detected in HELO - $sender_helo_name
       hosts       = !+relay_from_hosts
       log_message = Forged IP detected in HELO: $sender_helo_name
       condition   = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}
In this case, /etc/mail/localdomains.db is a db file with my local
domains in it, and relay_from_hosts is the list of IP addresses that are
allowed to relay mail through the server (internal addresses).
You're correct that doing the verify during HELO/EHLO time is not good
since many broken MTAs will continue to retry over and over; a reject
after RCPT TO tends to work better with those ill-behaved MTAs.
--
Steve Luzynski
Aquila, Inc.
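A small Python model of the two deny rules in the reply above (an added example, not the poster's configuration or Exim's code; the local-domain set, relay networks, interface address and sample sessions are constructed placeholders). It reproduces the ACL's decisions: an outside host that greets with one of our local domains or with the server's own address is rejected, while anything in relay_from_hosts falls through untouched.

```python
"""Model of the two Exim ACL deny rules from the post: deny when the peer is
not in relay_from_hosts and its HELO/EHLO name is a local domain or the
server's own interface address.  Added example, not Exim's own code."""
import ipaddress
from typing import Optional

# Constructed stand-ins for /etc/mail/localdomains.db, the relay_from_hosts
# host list and $interface_address; all values are placeholders.
LOCAL_DOMAINS = {"example.com", "mail.example.com"}
RELAY_FROM_HOSTS = [ipaddress.ip_network("192.0.2.0/24"),
                    ipaddress.ip_network("127.0.0.1/32")]
INTERFACE_ADDRESS = "203.0.113.10"


def is_relay_host(sender_host_address: str) -> bool:
    """hosts = !+relay_from_hosts: internal senders are exempt from both rules."""
    addr = ipaddress.ip_address(sender_host_address)
    return any(addr in net for net in RELAY_FROM_HOSTS)


def check_helo(sender_helo_name: str, sender_host_address: str) -> Optional[str]:
    """Return the deny message the ACL would emit, or None if it falls through.

    String matching is exact, mirroring the posted ${lookup} and ${if eq}
    expansions, which are used as written without case folding."""
    if is_relay_host(sender_host_address):
        return None
    if sender_helo_name in LOCAL_DOMAINS:          # dbm lookup succeeds -> {yes}
        return f"Forged hostname detected in HELO - {sender_helo_name}"
    if sender_helo_name == INTERFACE_ADDRESS:      # ${if eq{helo}{interface}}
        return f"Forged IP detected in HELO - {sender_helo_name}"
    return None


# Constructed sample sessions: (HELO name, connecting IP).
SESSIONS = [
    ("example.com", "198.51.100.7"),           # outsider claiming our domain
    ("203.0.113.10", "198.51.100.7"),          # outsider claiming our own IP
    ("example.com", "192.0.2.25"),             # internal relay host, exempt
    ("mx.otherdomain.test", "198.51.100.7"),   # ordinary remote MTA
]


def run() -> list:
    """Evaluate every sample session and return (helo, ip, verdict) tuples."""
    return [(helo, ip, check_helo(helo, ip)) for helo, ip in SESSIONS]


if __name__ == "__main__":
    for helo, ip, verdict in run():
        print(f"{ip:15} HELO {helo:22} -> {verdict or 'accept (falls through)'}")
```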