What do you people think about my following (early) attempt at a HELO check?

helo_try_verify_hosts = !127.0.0.1 : \N!^(.*\.|)(DOMAINS)$\N
[ ... ]
acl_smtp_helo = check_helo
[ ... ]
check_helo:
  accept  verify    = helo

  deny    condition = ${if eq{$sender_helo_name}{}{yes}{no}}
          message   = RFCs mandate HELO/EHLO before mail can be sent

  deny    condition = ${if match \
                      {${lc:$sender_helo_name}}{\N^(.*\.|)(DOMAINS)$\N}{1}{0}}
          message   = Do not pretend to be me, impostor!

  warn    message   = X-Warning: Message sent with invalid HELO/EHLO \
                      ($sender_host [$sender_host_address] presented itself as $sender_helo_name)

  accept

The idea is to combine the built-in check with an ACL in order to
"relax" the check a bit with respect to what connections are denied, but
give warning for everything that's not valid. Whether or not this will
work depends on the order of operations...

DOMAINS is a '|'-separated (regexp format) list of all the local domains.

- Toralf
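
Added example, not part of the original post: a Python model of the check_helo statements in the order they are written, for testing offline which HELO names the DOMAINS pattern would deny. The sample domains, the function names and the helo_verified flag (standing in for the outcome of verify = helo) are assumptions.

```python
import re

# Constructed sample local domains (assumption; the post only says DOMAINS
# is a '|'-separated, regexp-format list of the local domains).
LOCAL_DOMAINS = ["example.org", "mail.example.net"]

def build_domains(domains, escape=True):
    """Build the DOMAINS alternation; escape=True quotes regex metacharacters."""
    return "|".join(re.escape(d.lower()) if escape else d.lower() for d in domains)

def helo_pattern(domains_alt):
    """Same shape as the pattern in the post: ^(.*\\.|)(DOMAINS)$"""
    return re.compile(r"^(.*\.|)(" + domains_alt + r")$")

def check_helo(helo_name, helo_verified, pattern):
    """Walk the ACL statements top to bottom; return (verdict, text)."""
    if helo_verified:                          # accept verify = helo
        return ("accept", None)
    if helo_name == "":                        # deny: empty HELO name
        return ("deny", "RFCs mandate HELO/EHLO before mail can be sent")
    if pattern.search(helo_name.lower()):      # deny: unverified local name
        return ("deny", "Do not pretend to be me, impostor!")
    # warn adds the header, then the final accept lets the message through
    return ("accept", "X-Warning: Message sent with invalid HELO/EHLO")

ESCAPED = helo_pattern(build_domains(LOCAL_DOMAINS))
UNESCAPED = helo_pattern(build_domains(LOCAL_DOMAINS, escape=False))

if __name__ == "__main__":
    # Constructed test inputs: (HELO name, did verify = helo succeed?)
    samples = [
        ("mail.example.org", True),      # own host, verified
        ("mail.example.org", False),     # unverified host claiming a local name
        ("EXAMPLE.ORG", False),          # case is folded before matching
        ("notexample.org", False),       # only a suffix overlap, not a subdomain
        ("example.org.other.test", False),
        ("example-org", False),          # differs only where the dot would be
        ("", False),
    ]
    for name, verified in samples:
        print(repr(name), verified, check_helo(name, verified, ESCAPED))
    # With unescaped dots, '.' matches any character and over-matches:
    print("unescaped:", check_helo("example-org", False, UNESCAPED))
```

If the dots in DOMAINS are left unescaped, the pattern also denies names such as example-org that merely resemble a local domain.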