On Mon, 11 Feb 2008, Phil Pennock wrote:
>
> The second ACL:
> * accepts any HELO/EHLO supplied from the local host
> * rejects any HELO/EHLO which is an IP address where that IP address
> belongs to your local host
> * accepts any other HELO/EHLO

I recommend a stricter HELO check.

  deny
    message   = Polite people say HELO first
    condition = ${if !def:sender_helo_name }

  deny
    message   = Please use your name when saying HELO (not $sender_helo_name)
    condition = ${if or{{ eq{$ACL_HELO}{bad} } \
                        { eq{$sender_helo_name}{$local_part} } \
                        { match{$sender_helo_name}{^[0-9.-]+\$} } \
                        { match{$sender_helo_name}{\N[.][.]|.{55}\N} } \
                        { match_domain{$sender_helo_name}{+our_domains} }} }
    set ACL_HELO = bad

This rejects email from hosts that
(a) omit HELO and EHLO
(b) say HELO joe / MAIL FROM:<whatever> / RCPT TO:<joe@whatever>
(c) say HELO <anything numeric, including IP addresses>
(d) say HELO <anything containing a double dot or that is very long>
(e) say HELO <any of our domains>

Tony.
--
<fanf@???> <dot@???>
http://dotat.at/ ${sg{\N${sg{\
N\}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}\
\N}{([^N]*)(.)(.)(.*)}{\$1\$3\$2\$1\$3\n\$2\$3\$4\$3\n\$3\$2\$4}}
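
Added example (not part of the original message, and not Exim code): a Python model of the two deny statements above, for trying sample HELO names against rules (a) to (e) before deploying the ACL. OUR_DOMAINS, the sample names, case-insensitive domain matching, and the treatment of ACL_HELO as a per-connection variable are assumptions of this model.

```python
import re

# Constructed stand-in for the +our_domains domain list (assumption).
OUR_DOMAINS = {"example.org", "mail.example.org"}

# The two regular expressions from the ACL, unanchored search as in Exim's match{}.
NUMERIC = re.compile(r"^[0-9.-]+$")
DOTS_OR_LONG = re.compile(r"[.][.]|.{55}")


def helo_verdict(helo, local_part, conn=None):
    """Return the rule letter that rejects this RCPT, 'cached', or None (accepted).

    conn is a dict standing in for per-connection ACL variables; passing the
    same dict for several RCPT commands models the ACL_HELO = bad marker.
    """
    conn = {} if conn is None else conn
    if not helo:                          # first deny: !def:sender_helo_name
        return "a"
    if conn.get("ACL_HELO") == "bad":     # verdict remembered from an earlier RCPT
        return "cached"
    if helo == local_part:                # eq{} is a case-sensitive comparison
        rule = "b"
    elif NUMERIC.search(helo):
        rule = "c"
    elif DOTS_OR_LONG.search(helo):
        rule = "d"
    elif helo.lower() in OUR_DOMAINS:
        rule = "e"
    else:
        return None
    conn["ACL_HELO"] = "bad"              # set ACL_HELO = bad
    return rule


# Constructed sample sessions: (HELO argument, RCPT local part).
SAMPLES = [
    (None, "joe"),                        # no HELO/EHLO sent
    ("joe", "joe"),                       # HELO name equals the recipient local part
    ("192.0.2.25", "postmaster"),         # bare dotted quad
    ("[192.0.2.25]", "postmaster"),       # bracketed literal: not matched by ^[0-9.-]+$
    ("mail..example.net", "postmaster"),  # double dot
    ("x" * 60 + ".example.net", "postmaster"),  # 55 or more characters
    ("MAIL.example.org", "postmaster"),   # one of our own domains
    ("mx1.example.net", "postmaster"),    # ordinary remote name
]

if __name__ == "__main__":
    for helo, lp in SAMPLES:
        print(f"{str(helo)[:30]!r:34} rcpt={lp!r:14} -> {helo_verdict(helo, lp)}")
```

Passing one dict as conn across several calls shows the effect of the marker: after a first RCPT trips rule (b), a later RCPT to a different local part on the same connection is still refused.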