samba - Apr 2019 - How "safe" is reject_unknown_helo_hostname?

Helo hostname MUST have resolvable hostname. 
Crazy or not, but i use this. 

The _access-allow parts for server you really trust. 

smtpd_client_restrictions     permit_mynetworks,
    reject_unauth_destination,
    check_client_access cidr:/etc/postfix/check_client_access-allow.cidr,
    reject_unknown_hostname,
    reject_non_fqdn_hostname,
    reject_invalid_hostname,
    reject_unknown_reverse_client_hostname,
    check_client_access cidr:/etc/postfix/check_client_access-reject.cidr,
    reject_unauth_pipelining

smtpd_helo_required = yes
smtpd_helo_restrictions     permit_mynetworks,
    reject_unauth_destination,
    check_helo_access pcre:/etc/postfix/check_helo_access-hostname-checks.pcre,
    check_helo_access hash:/etc/postfix/check_helo_access-allow.map,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    reject_unknown_helo_hostname,
    reject_unauth_pipelining

Resulting in more happy customers since after my adviced changes to there
servers, they now also have less spam..


Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: phils at caerllewys.net 
> [mailto:owner-postfix-users at postfix.org] Namens Phil Stracchino
> Verzonden: vrijdag 26 april 2019 15:47
> Aan: postfix-users at postfix.org
> Onderwerp: Re: How "safe" is reject_unknown_helo_hostname?
> 
> On 4/25/19 7:56 PM, Allen Coates wrote:
> > I have been looking at the configuration parameter
> > "reject_unknown_helo_hostname", with a view to using it to 
> resist spam.
> > 
> > I know it is reasonably safe to reject an incoming email on 
> an invalid or
> > non-fqdn HELO hostname, but *UNKNOWN?*
> > 
> > I don't receive a sufficient corpus of email to make a 
> reasoned judgment.
> > 
> > Your comments would be appreciated.
> 
> 
> I don't see a fundamental risk in rejecting mail from servers 
> claiming a
> HELO hostname that doesn't resolve.  If you're already going to
reject
> HELO from non-fqdn or invalid hostnames, why accept it from ones that
> don't resolve at all?
> 
> 
> -- 
>   Phil Stracchino
>   Babylon Communications
>   phils at caerllewys.net
>   phil at co.ordinate.org
>   Landline: +1.603.293.8485
>   Mobile:   +1.603.998.6958
> 
>

On Fri, 26 Apr 2019 16:33:28 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Helo hostname MUST have resolvable hostname. 
> Crazy or not, but i use this. 
> 
The 'crazy' thing is that you have posted to the wrong list, have you
started celebrating early LOL

Rowland

Oeps. 
Well it happens more often.. Well at least last time was some time ago..  :-) 
And no not on beer yet.. Drive car first home then drink.

Greet, 

Louis
> -----Oorspronkelijk bericht-----
> Van: Jonathon Reinhart [mailto:jonathon.reinhart at gmail.com] 
> Verzonden: vrijdag 26 april 2019 16:42
> Aan: L.P.H. van Belle
> Onderwerp: Re: [Samba] How "safe" is
reject_unknown_helo_hostname?
> 
> Louis,
> 
> FYI: I think you accidentally responded to samba-users and 
> not postfix-users.
> 
> 
> On Fri, Apr 26, 2019 at 10:33 AM L.P.H. van Belle via samba
> <samba at lists.samba.org> wrote:
> >
> >
> >
> > Helo hostname MUST have resolvable hostname.
> > Crazy or not, but i use this.
> >
> > The _access-allow parts for server you really trust.
> >
> > smtpd_client_restrictions > >     permit_mynetworks,
> >     reject_unauth_destination,
> >     check_client_access 
> cidr:/etc/postfix/check_client_access-allow.cidr,
> >     reject_unknown_hostname,
> >     reject_non_fqdn_hostname,
> >     reject_invalid_hostname,
> >     reject_unknown_reverse_client_hostname,
> >     check_client_access 
> cidr:/etc/postfix/check_client_access-reject.cidr,
> >     reject_unauth_pipelining
> >
> > smtpd_helo_required = yes
> > smtpd_helo_restrictions > >     permit_mynetworks,
> >     reject_unauth_destination,
> >     check_helo_access 
> pcre:/etc/postfix/check_helo_access-hostname-checks.pcre,
> >     check_helo_access hash:/etc/postfix/check_helo_access-allow.map,
> >     reject_non_fqdn_helo_hostname,
> >     reject_invalid_helo_hostname,
> >     reject_unknown_helo_hostname,
> >     reject_unauth_pipelining
> >
> > Resulting in more happy customers since after my adviced 
> changes to there servers, they now also have less spam..
> >
> >
> > Greetz,
> >
> > Louis
> >
> >
> > > -----Oorspronkelijk bericht-----
> > > Van: phils at caerllewys.net
> > > [mailto:owner-postfix-users at postfix.org] Namens Phil
Stracchino
> > > Verzonden: vrijdag 26 april 2019 15:47
> > > Aan: postfix-users at postfix.org
> > > Onderwerp: Re: How "safe" is
reject_unknown_helo_hostname?
> > >
> > > On 4/25/19 7:56 PM, Allen Coates wrote:
> > > > I have been looking at the configuration parameter
> > > > "reject_unknown_helo_hostname", with a view to
using it to
> > > resist spam.
> > > >
> > > > I know it is reasonably safe to reject an incoming email on
> > > an invalid or
> > > > non-fqdn HELO hostname, but *UNKNOWN?*
> > > >
> > > > I don't receive a sufficient corpus of email to make a
> > > reasoned judgment.
> > > >
> > > > Your comments would be appreciated.
> > >
> > >
> > > I don't see a fundamental risk in rejecting mail from servers
> > > claiming a
> > > HELO hostname that doesn't resolve.  If you're already 
> going to reject
> > > HELO from non-fqdn or invalid hostnames, why accept it 
> from ones that
> > > don't resolve at all?
> > >
> > >
> > > --
> > >   Phil Stracchino
> > >   Babylon Communications
> > >   phils at caerllewys.net
> > >   phil at co.ordinate.org
> > >   Landline: +1.603.293.8485
> > >   Mobile:   +1.603.998.6958
> > >
> > >
> >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba
> 
>