EHLO restrictions and address literals


EHLO restrictions and address literals

J Doe
Hi,

I have a question regarding restrictions I can place on EHLO in the smtpd_helo_restrictions parameter.

I have a Postfix server that is Internet facing.  I periodically receive e-mail where the other MTA sends an EHLO of an address literal.  I checked RFC 5321 (SMTP), and confirmed that this is valid (because I imagine someone might have an MTA internal to their network and they might not have DNS names for everything), however in nearly every case that an address literal is presented, it’s from someone attempting to deliver spam.

My initial thought was I could stop this with:

        main.cf
                . . .
                smtpd_helo_restrictions =
                        . . .
                        reject_non_fqdn_helo_hostname,
                        . . .

…however when I checked the Postfix documentation[1] for this parameter I read:

        Reject the request when the HELO or EHLO hostname is not in fully-qualified domain *or address literal form* . . .

I glanced briefly to see if there were any other ways to restrict this but none seemed evident to me.

Is there a way to achieve this?  Alternatively, should I not be attempting to do this because legitimate servers sometimes EHLO address literals?

Thanks,

- J

[1] http://www.postfix.org/postconf.5.html#smtpd_helo_restrictions

Re: EHLO restrictions and address literals

Viktor Dukhovni
> On Sep 11, 2019, at 5:05 PM, J Doe <[hidden email]> wrote:
>
> Is there a way to achieve this?  Alternatively, should I not be attempting to do this because legitimate servers sometimes EHLO address literals?

You could try something like:

        ...
        warn_if_reject check_helo_access pcre:${config_directory}/helo-access
        ...

    helo-access:
        /^\[/ 454 4.7.1 EHLO domain-literals not accepted here

And see whether that'll work out for you.  This only logs warnings
when EHLO domain-literals would be rejected, but the message may
still be rejected by later restrictions.  If you see enough warnings
for messages that are not in any case rejected, and no false positives,
you could try removing the 'warn_if_reject', and watch the soft rejects
for a while.  If that works out, change the '4XX' to '5XX'.

--
        Viktor.


Re: EHLO restrictions and address literals

Bill Cole-3
In reply to this post by J Doe
On 11 Sep 2019, at 17:05, J Doe wrote:

> I glanced briefly to see if there were any other ways to restrict this
> but none seemed evident to me.

> Is there a way to achieve this ?

As Viktor noted: a pcre check_helo_access map is useful.

I have such a map with a few dozen lines of patterns that only ever
match spam sources or are logically bogus (e.g. hostname.local) plus a
handful of exemptions for non-spam sources who are easier to whitelist
than educate. It catches rather less than it did before postscreen but
it's still doing a substantial bit of cheap spam blocking.

> Alternatively, should I not be attempting to do this because
> legitimate servers sometimes EHLO address literals?

As long as you have any initial submission segregated to ports 465 or
587, you shouldn't see any port 25 traffic EHLOing with address
literals. It is formally allowable (just as it is formally allowable to
EHLO as 'localhost.localdomain') but no legitimate mail server speaking
to the world at large should ever be doing that.

--
Bill Cole
[hidden email] or [hidden email]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
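The following is an added example, not code from the Postfix project or from either poster. It models enough of the pcre: access-map semantics (first matching rule wins, case-insensitive matching unless a rule's flags toggle it, `!` negates a pattern) to show how Viktor's helo-access table behaves under `warn_if_reject` versus enforcement, and extends it with the kind of "logically bogus" patterns and exemption entries Bill describes. The map contents, the exempted peer address, and the sample sessions are constructed (RFC 5737/3849 documentation addresses); the log lines only approximate the real smtpd format.

```python
"""Simulate a Postfix check_helo_access pcre: map (added example, not Postfix code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed map: Viktor's domain-literal rule plus patterns of the kind
# Bill describes. The exemption address is a made-up documentation address.
HELO_ACCESS_MAP = r"""
# exemption for one known-good peer that EHLOs with a literal (constructed)
/^\[192\.0\.2\.10\]$/          OK
# every other address literal; IPv6 literals also begin with '['
/^\[/                          454 4.7.1 EHLO domain-literals not accepted here
# logically bogus names that no public MTA should present
/\.local$/                     554 5.7.1 .local is not a public hostname
/^localhost(\.localdomain)?$/  554 5.7.1 EHLO as localhost is not accepted
"""

# One map line: optional '!', /pattern/, optional flags, whitespace, action.
RULE_RE = re.compile(r"^(!?)/(.*?)/([A-Za-z]*)\s+(\S.*)$")


@dataclass
class Rule:
    negate: bool
    pattern: "re.Pattern"
    action: str


@dataclass
class Decision:
    result: str          # "OK", "DUNNO" (no opinion) or "REJECT"
    code: Optional[str]  # the SMTP reply text when rejecting, else None
    log: str             # approximation of what smtpd would log


def parse_pcre_map(text: str) -> List[Rule]:
    """Parse a pcre: access map body into ordered rules (first match wins)."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable pcre map line: {raw!r}")
        negate, pattern, flags, action = m.groups()
        # pcre_table(5): matching is case-insensitive by default and the
        # 'i' flag toggles that; other flags are ignored in this model.
        re_flags = 0 if "i" in flags else re.IGNORECASE
        rules.append(Rule(negate == "!", re.compile(pattern, re_flags), action.strip()))
    return rules


def lookup(rules: List[Rule], helo_name: str) -> Optional[str]:
    """Return the action of the first matching rule, or None when nothing matches."""
    for rule in rules:
        matched = rule.pattern.search(helo_name) is not None
        if matched != rule.negate:
            return rule.action
    return None


def evaluate_helo(rules: List[Rule], helo_name: str, client: str,
                  warn_if_reject: bool) -> Decision:
    """Apply the map the way smtpd_helo_restrictions would, with or without warn_if_reject."""
    action = lookup(rules, helo_name)
    if action is None or action.upper() == "DUNNO":
        return Decision("DUNNO", None, "")
    if action.upper() == "OK":
        return Decision("OK", None, "")
    if action[0] in "45":
        if warn_if_reject:
            # Logged only; later restrictions still decide the session's fate.
            return Decision("DUNNO", None,
                            f"NOQUEUE: reject_warning: EHLO from {client}: {action}; helo=<{helo_name}>")
        return Decision("REJECT", action,
                        f"NOQUEUE: reject: EHLO from {client}: {action}; helo=<{helo_name}>")
    raise ValueError(f"unsupported access action: {action!r}")


def review_warnings(rules: List[Rule], sessions) -> List[str]:
    """Collect the reject_warning lines an operator would review before enforcing."""
    return [d.log for name, client in sessions
            if (d := evaluate_helo(rules, name, client, warn_if_reject=True)).log]


# Constructed sessions: (EHLO argument, client address).
SAMPLE_SESSIONS = [
    ("mail.example.com", "198.51.100.7"),
    ("[203.0.113.5]", "203.0.113.5"),
    ("[IPv6:2001:db8::1]", "2001:db8::1"),
    ("[192.0.2.10]", "192.0.2.10"),
    ("Printer.LOCAL", "198.51.100.9"),
]

if __name__ == "__main__":
    table = parse_pcre_map(HELO_ACCESS_MAP)
    for entry in review_warnings(table, SAMPLE_SESSIONS):
        print(entry)
```

Running it prints the three warning lines (two literals and the `.local` name) while the exempted peer and the ordinary FQDN produce nothing, which is exactly the review step Viktor describes: once the warnings show no false positives, drop `warn_if_reject` and the same rules return the 454 reply, and the 4XX can later be changed to 5XX in the map itself.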

Re: EHLO restrictions and address literals

J Doe
In reply to this post by Viktor Dukhovni

> On Sep 11, 2019, at 5:25 PM, Viktor Dukhovni <[hidden email]> wrote:
>
>> On Sep 11, 2019, at 5:05 PM, J Doe <[hidden email]> wrote:
>>
>> Is there a way to achieve this?  Alternatively, should I not be attempting to do this because legitimate servers sometimes EHLO address literals?
>
> You could try something like:
>
> ...
> warn_if_reject check_helo_access pcre:${config_directory}/helo-access
> ...
>
>    helo-access:
> /^\[/ 454 4.7.1 EHLO domain-literals not accepted here
>
> And see whether that'll work out for you.  This only logs warnings
> when EHLO domain-literals would be rejected, but the message may
> still be rejected by later restrictions.  If you see enough warnings
> for messages that are not in any case rejected, and no false positives,
> you could try removing the 'warn_if_reject', and watch the soft rejects
> for a while.  If that works out, change the '4XX' to '5XX'.
>
> --
> Viktor.

Hi Viktor,

Thanks for your reply.  Ok, I was thinking a regex solution might be possible, but I had not thought of using warn_if_reject to monitor for false positives - thanks!

- J

Re: EHLO restrictions and address literals

J Doe
In reply to this post by Bill Cole-3


> On Sep 11, 2019, at 6:15 PM, Bill Cole <[hidden email]> wrote:
>
> On 11 Sep 2019, at 17:05, J Doe wrote:
>
>> I glanced briefly to see if there were any other ways to restrict this but none seemed evident to me.
>
>> Is there a way to achieve this ?
>
> As Viktor noted: a pcre check_helo_access map is useful.
>
> I have such a map with a few dozen lines of patterns that only ever match spam sources or are logically bogus (e.g. hostname.local) plus a handful of exemptions for non-spam sources who are easier to whitelist than educate. It catches rather less than it did before postscreen but it's still doing a substantial bit of cheap spam blocking.
>
>> Alternatively, should I not be attempting to do this because legitimate servers sometimes EHLO address literals?
>
> As long as you have any initial submission segregated to ports 465 or 587, you shouldn't see any port 25 traffic EHLOing with address literals. It is formally allowable (just as it is formally allowable to EHLO as 'localhost.localdomain') but no legitimate mail server speaking to the world at large should ever be doing that.

Hi Bill,

In regards to the map with a few dozen patterns that only ever match spam sources . . . would you be able to share that with me ?

Ok, good - I do separate out e-mail to submission, so I should be ok.

Thanks,

- J