
Postfix has some nice options to restrict client accesses with respect to DNS/IP address setup and helo names (documentation). For example one can instruct postfix to reject clients if

  • the helo argument is a malformed domain
  • the helo argument is not a fully qualified domain name
  • the IP address has no reverse domain lookup entry
  • the domain from the reverse lookup does not point to the client's IP address
  • the domain has an MX entry

At least in my observation these measures are quite successful against some amount of spam.

What I am missing is a more strict reject option that works like this:

  • reject if the DNS lookup of the helo argument does not match the client's IP address

AFAICS, there is no explicit option to configure this restriction. But perhaps there are other ways to configure that behavior with postfix?

Anthon
maxschlepzig
  • I believe you are right – there is no such restriction. The closest would be reject_unknown_hostname. I'm sure you can achieve checking DNS consistency with a policy service. – Scyld de Fraud Sep 27 '14 at 15:08
  • @ScylddeFraud, you are referring to http://www.postfix.org/SMTPD_POLICY_README.html ? Sounds like the way to go. If you post your comment as answer I'll accept it. – maxschlepzig Sep 27 '14 at 18:04
  • Did you end up implementing this somehow? – Greendrake Dec 23 '19 at 23:17
  • @Greendrake no, I didn't pursue this idea. I'm still using many smtpd restrictions such as reject_unknown_client_hostname, reject_unknown_helo_hostname, reject_non_fqdn_helo_hostname and others. This is still very effective against spammers. So much so I don't need a more strict reject option, really. – maxschlepzig Dec 27 '19 at 19:36

2 Answers

2

I believe you are right – there is no such restriction. The closest would be reject_unknown_hostname. I'm sure you can achieve checking DNS consistency with policy services → http://www.postfix.org/SMTPD_POLICY_README.html.
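A minimal policy service for the check asked about in the question, as an added example that is not part of the original answers or of Postfix itself. It speaks the name=value request format from SMTPD_POLICY_README on stdin/stdout (as when started through spawn(8) and referenced with check_policy_service); the function names and the injectable `resolver` parameter are hypothetical.

```python
import ipaddress
import socket
import sys

def resolve(name):
    """A/AAAA addresses of name; empty set if none; TimeoutError if DNS is unavailable."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_AGAIN:
            raise TimeoutError(name) from exc
        return set()
    return {info[4][0] for info in infos}

def parse_request(lines):
    """Read the name=value lines of one policy request, up to the empty line."""
    attrs = {}
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            break
        name, _, value = line.partition("=")
        attrs[name] = value
    return attrs

def decide(attrs, resolver=resolve):
    """Return the access(5) action for one request."""
    helo = attrs.get("helo_name", "")
    try:
        client_ip = ipaddress.ip_address(attrs.get("client_address", ""))
    except ValueError:
        return "DUNNO"  # no usable client address: leave it to other restrictions
    if not helo:
        return "DUNNO"  # no HELO seen: leave it to smtpd_helo_required
    literal = helo.strip("[]")  # HELO may be an address literal such as [192.0.2.1]
    literal = literal[5:] if literal.lower().startswith("ipv6:") else literal
    try:
        addrs = {ipaddress.ip_address(literal)}
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(helo)}
        except TimeoutError:
            return "DEFER_IF_PERMIT HELO name lookup failed temporarily"
    if client_ip in addrs:
        return "DUNNO"
    return "REJECT HELO name %s does not resolve to %s" % (helo, client_ip)

if __name__ == "__main__":  # one reply per request, each ended by an empty line
    while (attrs := parse_request(sys.stdin)):
        print("action=%s\n" % decide(attrs), flush=True)
```

Legitimate senders behind NAT or on multi-homed hosts often announce a HELO name that resolves to a different address than the one they connect from, so it is worth running the check under warn_if_reject and reading the logs before enforcing it.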

1

I searched (the whole :) internet for the same question and ended up in this thread. I was already about to write my own policy server when I noticed that there exists a great one called policyd-weight.

You should take a look at it because it implements even more than HELO-checking. For example DNSBLs with Scoring.

Biggie