In the real world: how many legitimate mail is blocked under these client and/or help restrictions?


Gerben Wierda
I was wondering, how many legitimate email (i.e. poorly configured but legit MTA’s out there) would be blocked with either of these?

unknown_client_reject_code = 550 # Hmm, should this be another value in the 5xx range?
smtpd_recipient_restrictions =
        …,
        reject_unknown_client_hostname
        ...


unknown_hostname_reject_code = 550 # Hmm, should this be another value in the 5xx range?
smtpd_helo_restrictions =
        …,
        reject_unknown_helo_hostname,
        …

I personally suspect that the reject_unknown_client_hostname would block too much, but the reject_unknown_helo_hostname would be ok. Am I right?

I’d like to turn this on against spam, but I don’t want to lose legit mail.

G

Re: In the real world: how many legitimate mail is blocked under these client and/or help restrictions?

Noel Jones-2
On 11/22/2016 4:02 AM, Gerben Wierda wrote:

> I was wondering, how many legitimate email (i.e. poorly configured but legit MTA’s out there) would be blocked with either of these?
>
> unknown_client_reject_code = 550 # Hmm, should this be another value in the 5xx range?
> smtpd_recipient_restrictions =
> …,
> reject_unknown_client_hostname
> ...
>
>
> unknown_hostname_reject_code = 550 # Hmm, should this be another value in the 5xx range?
> smtpd_helo_restrictions =
> …,
> reject_unknown_helo_hostname,
> …
>
> I personally suspect that the reject_unknown_client_hostname would block too much, but the reject_unknown_helo_hostname would be ok. Am I right?
>
> I’d like to turn this on against spam, but I don’t want to lose legit mail.
>
> G
>

Both these restrictions are known to reject legit mail and should be
used with caution.  "How much mail" is very subjective.

For me, it's not worth the seemingly never ending stream of large
and small companies, the occasional tech company, and government
agencies that needed to be whitelisted.  And virtually all of the
mail that would be caught by these rules is rejected by RBLs anyway.

That's my experience. Of course, YMMV.

If you want to safely test these rules on your mail, put them at the
end of your restrictions with "warn if reject" to see how they
perform for you.  No mail will be rejected, but a warning: will be
put in your log.


  -- Noel Jones
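
Added example, not part of the original post or of Postfix: once the two restrictions are prefixed with warn_if_reject, this script tallies the resulting "reject_warning:" log lines per restriction and per sending host, so the senders that would need whitelisting can be reviewed before anything is actually rejected. The log lines are constructed samples, and the reply texts matched in RULES are assumptions about how Postfix words these two rejections; adjust them to what your own log shows.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (documentation IP ranges, example domains); not from the thread.
SAMPLE_LOG = """\
Nov 22 10:15:01 mx postfix/smtpd[2101]: NOQUEUE: reject_warning: RCPT from unknown[203.0.113.7]: 550 5.7.1 Client host rejected: cannot find your hostname, [203.0.113.7]; from=<billing@example.org> to=<g@example.net> proto=ESMTP helo=<mail.example.org>
Nov 22 11:40:12 mx postfix/smtpd[2150]: NOQUEUE: reject_warning: RCPT from unknown[203.0.113.7]: 550 5.7.1 Client host rejected: cannot find your hostname, [203.0.113.7]; from=<billing@example.org> to=<g@example.net> proto=ESMTP helo=<mail.example.org>
Nov 22 12:02:45 mx postfix/smtpd[2177]: NOQUEUE: reject_warning: RCPT from relay.example.com[198.51.100.20]: 550 5.7.1 <EXCH01.corp.local>: Helo command rejected: Host not found; from=<> to=<g@example.net> proto=ESMTP helo=<EXCH01.corp.local>
Nov 22 12:30:09 mx postfix/smtpd[2190]: NOQUEUE: reject: RCPT from unknown[192.0.2.55]: 554 5.7.1 Service unavailable; Client host [192.0.2.55] blocked using rbl.example; from=<x@example.com> to=<g@example.net> proto=ESMTP helo=<user>
"""

# Assumed reply texts for the two restrictions discussed in the thread.
RULES = {
    "Client host rejected: cannot find your hostname": "reject_unknown_client_hostname",
    "Helo command rejected: Host not found": "reject_unknown_helo_hostname",
}

# Only warn_if_reject hits are logged as "reject_warning:"; real rejects say "reject:".
LINE = re.compile(
    r"reject_warning: \S+ from (?P<client>\S+?)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) "
    r".*?from=<(?P<sender>[^>]*)>.*?helo=<(?P<helo>[^>]*)>"
)

def tally(log_text):
    """Return {restriction: Counter keyed by (client ip, helo name, sender domain)}."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # real rejects and unrelated log lines are skipped
        for text, rule in RULES.items():
            if text in line:
                domain = m["sender"].rpartition("@")[2] or "<>"  # "<>" marks the null sender
                hits[rule][(m["ip"], m["helo"], domain)] += 1
    return hits

def totals(hits):
    """Per restriction: (would-be rejects, distinct sending hosts)."""
    return {rule: (sum(c.values()), len({ip for ip, _, _ in c})) for rule, c in hits.items()}

if __name__ == "__main__":
    for rule, counts in tally(SAMPLE_LOG).items():
        print(rule)
        for (ip, helo, domain), n in counts.most_common():
            print(f"  {n:4d}  {ip}  helo={helo}  sender-domain={domain}")
```
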

Re: In the real world: how many legitimate mail is blocked under these client and/or help restrictions?

@lbutlr
In reply to this post by Gerben Wierda

> On Nov 22, 2016, at 3:02 AM, Gerben Wierda <[hidden email]> wrote:
>
> I was wondering, how many legitimate email (i.e. poorly configured but legit MTA’s out there) would be blocked with either of these?
>
> unknown_client_reject_code = 550 # Hmm, should this be another value in the 5xx range?
> smtpd_recipient_restrictions =
> …,
> reject_unknown_client_hostname

I tried

 warn_if_reject reject_unknown_client_hostname,

for a while and found far too much legitimate mail was triggering the warning.

> I personally suspect that the reject_unknown_client_hostname would block too much, but the reject_unknown_helo_hostname would be ok. Am I right?

No. Try something like this:

grep helo /var/log/maillog | egrep -v reject | grep -o "helo.*$" | sort -u