search for: smtpd_helo_restrict

Hi, I'm running our local school's mail server on CentOS 7, Postfix and Dovecot. We get quite a lot of spam, so I have the following sender restrictions in my /etc/postfix/main.cf: --8<------------------------------------------------------ # Restrictions SMTP smtpd_helo_restrictions = reject_unknown_helo_hostname smtpd_sender_restrictions = reject_unknown_sender_domain, check_sender_access hash:/etc/postfix/sender_access smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org, reject_rhsbl_reverse_client dbl.s...

...tfix/check_client_access-allow.cidr, reject_unknown_hostname, reject_non_fqdn_hostname, reject_invalid_hostname, reject_unknown_reverse_client_hostname, check_client_access cidr:/etc/postfix/check_client_access-reject.cidr, reject_unauth_pipelining smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, reject_unauth_destination, check_helo_access pcre:/etc/postfix/check_helo_access-hostname-checks.pcre, check_helo_access hash:/etc/postfix/check_helo_access-allow.map, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unknown_he...

Hello to all members. I am using Dovecot for 5 years, but this is my first post here. I am aware of the various autoresponder scripts for vacation autoreplies (I am using Virtual Vacation 3.1 by Mischa Peters). I have an issue with auto-replies - it is vulnerable to spamming with forged email address. Forging can be prevented with several Postfix settings, which I did in the past - but was forced

...these : https://www.linuxbabe.com/mail-server/block-email-spam-postfix https://wiki.centos.org/HowTos/postfix_restrictions After some experimenting, here's what I currently have on my test server: --8<----- /etc/postfix/main.cf ----------------------------- ... smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, check_helo_access hash:/etc/postfix/helo_access reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, check_sender_acce...

...y spamassassin as spam. 1. Not sure if this setup is perfect, but it is working quite well. Yes, the mail takes a few seconds longer and there is probably more I could do, but this ROCKS!!! smtpd_delay_reject = yes smtpd_helo_required = yes smtpd_client_restrictions = permit_mynetworks,permit smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit smtpd_recipient_restrictions = reject_non_fqdn_reci...

...own_local_recipient_reject_code = 550 mynetworks = 192.168.230.0/24, 127.0.0.0/8 relay_domains = virtual_alias_domains = hash:/etc/postfix/virtual_alias_domains virtual_alias_maps = hash:/etc/postfix/virtual_alias_maps smtpd_helo_required = yes smtpd_delay_reject = yes strict_rfc821_envelopes = yes smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit smtpd_sender_login_maps = hash:/etc/postfix/smtpd_sender_login_map smtpd_client_restrictions = check_client_access hash:/etc/postfix/access smtpd_recipient_restrictions = reject_unauth_pipel...

...as Nagel > Verzonden: donderdag 7 januari 2016 14:18 > Aan: Postfix users > Onderwerp: Helo Checks not always working? > > Hello, > > we encountered a strange behaviour. > > We enabled smtp_helo_restrictions: > > smtpd_helo_required = yes > > smtpd_helo_restrictions = >    permit_mynetworks, >    permit_sasl_authenticated, >    reject_unlisted_recipient, > # check_client_access hash:/etc/postfix/ >    check_helo_access hash:/etc/postfix/check_helo_access >    reject_invalid_helo_hostname >    reject_non_fqdn_helo_hostname >...

One of my accounts was having login failures when trying to send mail, but was able to check mail. I tried everything I could think of to see what the issue might be, but eventually went in and reset the password in the sql database (I knew the password, so I reset it to the same password). {SHA256-CRYPT}$5$VuS? {SHA256-CRYPT}$5$VI7? So the password was updated properly. Clients can still

...-o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes 127.0.0.1:10025 inet n - - - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o strict_rfc821_envelopes=yes -o receive_override_options=no_unknown_recipient_checks,no_header_body_checks -o smtpd_bind_address=12...

...ocal/etc/postfix/mysql-virtual-mailbox-maps.cf sample_directory = /usr/local/etc/postfix sendmail_path = /usr/local/sbin/sendmail setgid_group = maildrop shlib_directory = /usr/local/lib/postfix smtp_tls_note_starttls_offer = yes smtp_use_tls = yes smtpd_delay_reject = yes smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_invalid_hostname, reject_unknown_hostname, reject_non_fqdn_hostname, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_hostname,...

...ss.cf, reject_unknown_client, reject_unknown_client_hostname, reject_unauth_pipelining, reject_rbl_client bl.spamcop.net, reject_rbl_client zen.spamhaus.org, reject_rbl_client b.barracudacentral.org smtpd_end_of_data_restrictions = check_policy_service inet:127.0.0.1:10031 smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_invalid_hostname smtpd_recipient_restrictions = reject_unknown_sender_domain, reject_unknown_recipient_domain, reject_non_fqdn_sender, reject_non_fqdn_recipient, reject_unlisted_r...

...ost.localdomain, localhost myhostname = localhost mynetworks = 127.0.0.0/8 myorigin = /etc/mailname recipient_delimiter = + smtp_tls_note_starttls_offer = yes smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache smtp_use_tls = yes smtpd_banner = Mail ESMTP smtpd_helo_required = no smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, permit smtpd_recipient_restrictions = reject_unauth_pipelining, permit_sasl_authenticated, permit_mynetworks, reject_non_fqdn_recipient, reject_unknown_recipient_domain, reject_unauth_destination smtpd_sasl_auth_enable = yes smt...

...= /usr/share/doc/postfix recipient_delimiter = + relayhost = sample_directory = /usr/share/doc/postfix/examples sendmail_path = /usr/sbin/sendmail setgid_group = _postdrop smtpd_client_restrictions = permit_mynetworks permit_sasl_authenticated reject smtpd_enforce_tls = no smtpd_helo_required = yes smtpd_helo_restrictions = reject_invalid_helo_hostname reject_non_fqdn_helo_hostname smtpd_pw_server_security_options = plain, login cram-md5 smtpd_recipient_restrictions = permit_sasl_authenticated permit_mynetworks reject_unauth_destination check_policy_service unix:private/policy reject smtpd_sasl_auth_enable = yes...

...seems it is being rejected due to the helo domain name - which does not have a correct rdns. My problem is that I do not specify the helo check?? this is the relevant portion of main.cf <snip> smtpd_helo_required = yes smtpd_delay_reject = yes #added 20090410 strict_rfc821_envelopes = yes smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit smtpd_sender_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_sender, reject_unknown_client, reject_unauthenticated_sender_login_mismatch, perm...

...ut it has greatly reduced sasl attacks and spam. I found most of it here: https://scottlinux.com/2011/05/26/prevent-postfix-brute-force/ I added the fail2ban rule and modified my postfix main.cf as follows: smtpd_client_connection_rate_limit = 3 smtpd_delay_reject = yes smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit smtpd_recipient_restrictions = reject_unauth_pipelining, rej...

...te/auth -o smtpd_milters= -o milter_connect_macros= -o milter_macro_daemon_name=ORIGINATING -o syslog_name=postfix/submit -o smtpd_client_restrictions=permit_sasl_authenticated,reject -o smtpd_data_restrictions= -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o smtpd_helo_restrictions= -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

..._data_done_timeout=1200 -o smtp_send_xforward_command=yes -o disable_dns_lookups=yes 127.0.0.1:10025 inet n - n - - smtpd -o content_filter= -o local_recipient_maps= -o relay_recipient_maps= -o smtpd_restriction_classes= -o smtpd_client_restrictions= -o smtpd_helo_restrictions= -o smtpd_sender_restrictions= -o smtpd_recipient_restrictions=permit_mynetworks,reject -o mynetworks=127.0.0.0/8 -o strict_rfc821_envelopes=yes -o smtpd_error_sleep_time=0 -o smtpd_soft_error_limit=1001 -o smtpd_hard_error_limit=1000 -o smtpd_client_connection_c...

...rward_command=yes > -o disable_dns_lookups=yes > > 127.0.0.1:10025 inet n - n - - smtpd > -o content_filter= > -o local_recipient_maps= > -o relay_recipient_maps= > -o smtpd_restriction_classes= > -o smtpd_client_restrictions= > -o smtpd_helo_restrictions= > -o smtpd_sender_restrictions= > -o smtpd_recipient_restrictions=permit_mynetworks,reject > -o mynetworks= 127.0.0.0/8 > -o strict_rfc821_envelopes=yes > -o smtpd_error_sleep_time=0 > -o smtpd_soft_error_limit=1001 > -o smtpd_hard_error_limit=1...

Package: logcheck-database Version: 1.2.44 Severity: wishlist -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 When using postfix smtpd_helo_restrictions / check_helo_access, the lines attched in 'postfix-helo.log' appear. The following rule can be used to filter them out: ^\w{3} [ :0-9]{11} [._[:alnum:]-]+ postfix/smtpd\[[0-9]+\]: NOQUEUE: reject: HELO from [^[:space:]]+: 553 <[^[:space:]]+>: Helo command rejected: .*; proto=E?S...

...the mode ? Or is it too permissive ? For completeness the postfix setup is here : smtpd_sasl_auth_enable = yes broken_sasl_auth_clients = yes smtpd_sasl_type = dovecot smtpd_sasl_path = private/auth smtpd_sasl_security_options = noanonymous # smtpd_delay_reject = yes smtpd_helo_required = yes smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, permit # smtpd_sender_restrictions = permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit # smtpd_recipient_restrictions = reject_unauth_pipelining,...