On 5 Oct 2005 at 14:22, Herb Martin wrote about
"RE: [exim] Q: ACL HELO name checks ":
| > -----Original Message-----
| > From: exim-users-bounces@???
| > [mailto:exim-users-bounces@exim.org] On Behalf Of Michael Peek
|...
| > Is there a rule in the SMTP protocol that says the HELO name
| > has to match the remote sender's hostname/address in some way?
|
| Not really.

Well, if this doesn't draw fire from Greg Woods, I think we can
safely conclude he isn't lurking on this list anymore! Here's
hoping...

| > Maybe I should just chuck it out the window?

I'm with Michael, I also have the same HELO rejection criteria as he
does, and I inject a 40s delay (after RCPT TO:) if the HELO name
can't be verified (and it's not an authenticated session). For this,
verify = helo is useful.
However, I do an rDNS check to reject HELOs with a few commonly
forged domains (hotmail, yahoo, aol, etc) where it is known that
legitimate mail comes from servers with appropriate PTR names. That
seems quite reliable, but it has to be monitored in case one of the
domains starts sending via a server whose PTR name violates the
assumption.

| Or use it to drive greylisting rather than the
| simple rejection.

By all accounts that's very effective, but I haven't bothered for my
small domain.
- Fred
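
The two checks described in the message above, sketched as an Exim 4 RCPT ACL. This is an added example, not configuration posted by anyone in the thread. The ACL name acl_check_rcpt, the placement of the rejection in the RCPT ACL, the ".com" suffixes and the rejection message text are assumptions.

```exim
# Added example; assumes the main configuration contains
#   acl_smtp_rcpt = acl_check_rcpt
# and that these statements sit above the ACL's final accept.

acl_check_rcpt:

  # Slow down sessions whose HELO name cannot be verified.
  # Authenticated sessions are exempt. The 40s delay is applied
  # only when both conditions above it are true.
  warn
    !authenticated = *
    !verify        = helo
    delay          = 40s

  # Reject a HELO name inside a commonly forged domain unless the
  # connecting host's PTR name is in one of the listed domains.
  # The domain list is an assumed sample and has to be monitored:
  # if one of these providers starts sending from servers with
  # other PTR names, legitimate mail will be rejected.
  # A host whose reverse lookup fails does not match the hosts
  # list, so it is rejected when it claims one of these names.
  deny
    message   = HELO name does not match your reverse DNS
    condition = ${if match{$sender_helo_name}\
                  {\N(?i)(^|\.)(hotmail|yahoo|aol)\.com$\N}}
    !hosts    = *.hotmail.com : *.yahoo.com : *.aol.com
```

Changing deny to warn with a log_message in the second statement lets the rule be observed in the main log before it starts rejecting.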