On Wed, 7 Jul 2004, Jeff Green wrote:
> I'll probably catch flack for doing this deny at this stage,
More likely, flak for offering a one-off response to something for
which there's already a peer-reviewed answer in the FAQ.
Way back, we tried kicking them off at the HELO stage, but far too
many hosts responded by frantically trying again. So we deferred the
rejection till later.
Discussion on this list has suggested that such manic behaviour is no
longer frequent enough to worry about, so maybe you're OK on that
score now. We're still doing what we did before.
Don't forget the mandate to accept mails to the postmaster. If you
kick them off at the HELO stage, you lose that option.
> # do not accept this host's own IP address
> deny message = invalid greeting
> log_message = (ACL) Connecting host using our address in EHLO/HELO
> condition = ${if eq{$sender_helo_name}{24.234.158.164}{1}{0}}
If you do "deny" rather than "drop", then don't forget to test again
later, e.g in the RCPT ACL; otherwise, senders who got 5xx to their
HELO (or who never bothered to say HELO at all) can still trundle on
regardless, and send a mail - contrary to your intentions.
That's why reading the FAQ and taking (in this case) recipe C049 is
better than taking random discussion snippets offered on a one-off
basis, IMNSHO.
We typically add a "delay" to the end of rejection conditions, in an
attempt to cut down on repetitious misbehaviour. A few tens of
seconds, typically.
h.t.h
