> deny message = "HELO/EHLO required by SMTP RFC"
> condition = ${if eq{$sender_helo_name}{}{yes}{no}}
> .ifdef TEERGRUBE
> delay = TEERGRUBE
> .endif
Cleaner:
condition = ${if !def:sender_helo_name {yes}{no}}
> deny message = "Invalid domain or IP given in HELO/EHLO"
> !condition = ${if match{$sender_helo_name}{\\\.}{yes}{no}}
> .ifdef TEERGRUBE
> delay = TEERGRUBE
> .endif
The double quotes will actually show up in the 550 response.
> deny message = Forged IP detected in HELO (it's mine) - $sender_helo_name
> hosts = !+relay_from_hosts
> condition = ${if eq{$sender_helo_name}{$interface_address}{yes}{no}}
> .ifdef TEERGRUBE
> delay = TEERGRUBE
> .endif
Why allow _any_ IP to be used as HELO/EHLO argument? This is not
valid per RFC. (If an IP address is used at all, it must be enclosed
in [square brackets]). So:
deny message = You gave me an IP address, I want your name.
condition = ${if isip {$sender_helo_name}{yes}{no}}
would work just fine... (this eliminates the need for some of your
other "deny" blocks as well).
> deny message = Forged hostname detected in HELO - $sender_helo_name
> # accept helo which is in local_domain if we relay or had smtp auth
> hosts = !+relay_from_hosts
> !authenticated = *
> log_message = Forged hostname detected in HELO - $sender_helo_name
> condition = ${if match_domain{$sender_helo_name}{+local_domains} {yes}{no}}
> .ifdef TEERGRUBE
> delay = TEERGRUBE
> .endif
Another way would be:
# Deny if $sender_helo_name resolves to our own address
#
deny message = Forged hostname detected in HELO - $sender_helo_name
hosts = !+relay_from_hosts
!authenticated = *
log_message = Forged hostname detected in HELO - $sender_helo_name
condition = ${if eq {${lookup dnsdb{a=$sender_helo_name} {$value}}} \
{$interface_address} \
{yes}{no}}
-tor
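
The HELO checks discussed in this thread, collected into one Python function that can be run over HELO names pulled from a mail log before the deny rules are switched on; this is an added example, not part of the original message or of Exim. It goes slightly beyond the thread by also comparing a bracketed address literal with the local address. `LOCAL_DOMAINS`, `INTERFACE_ADDRESS`, `FAKE_DNS`, `is_ip` and `check_helo` are hypothetical names with constructed values.

```python
import ipaddress

# All values below are constructed for illustration, not taken from the thread.
LOCAL_DOMAINS = {"example.org"}          # stands in for +local_domains
INTERFACE_ADDRESS = "192.0.2.10"         # stands in for $interface_address
FAKE_DNS = {                             # offline stand-in for the dnsdb A lookup
    "mail.spoof.example": ["192.0.2.10"],
    "mx.remote.example": ["198.51.100.7"],
}

def is_ip(text):
    """Rough equivalent of the isip test: true for a bare IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def check_helo(helo, trusted=False, resolve=lambda name: FAKE_DNS.get(name, [])):
    """Return the deny reason for a HELO/EHLO argument, or None to accept.

    trusted models a host in +relay_from_hosts or an authenticated session.
    """
    if not helo:
        return "HELO/EHLO required"
    if is_ip(helo):
        return "bare IP address, literal must be in [brackets]"
    if helo.startswith("[") and helo.endswith("]"):
        literal = helo[1:-1]
        if literal.lower().startswith("ipv6:"):
            literal = literal[5:]
        if not is_ip(literal):
            return "malformed address literal"
        if not trusted and literal == INTERFACE_ADDRESS:
            return "forged: our own IP"
        return None
    if "." not in helo:
        return "no dot in name"
    if trusted:
        return None
    name = helo.rstrip(".").lower()
    if name in LOCAL_DOMAINS:
        return "forged: our own domain"
    # Membership test, so a name with several A records is still caught.
    if INTERFACE_ADDRESS in resolve(name):
        return "forged: resolves to our address"
    return None
```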