better blocking at MTA level (off-topic)
Hugo van der Kooij
hvdkooij at vanderkooij.org
Sat May 26 11:24:37 IST 2007
On Sat, 26 May 2007, Dhawal Doshy wrote:
> Koopmann, Jan-Peter wrote:
>> On Saturday, May 26, 2007 10:40 AM Hugo van der Kooij wrote:
>> > reject_invalid_hostname,
>> > reject_non_fqdn_hostname,
>> > reject_unknown_hostname
>> > reject_non_fqdn_sender,
>> > reject_unknown_sender_domain
>> > reject_non_fqdn_recipient,
>> > reject_unknown_recipient_domain,
>> > reject_unauth_destination
>> > check_policy_service unix:/var/spool/postfix/postgrey/socket
>>
>> I wish I could use all of those for strict testing. Unfortunately too
>> many legit senders of our clients are too stupid to set up their
>> mail-servers correctly.
>
> Run 2 instances of your MTA on different IPs.. one for incoming and the other
> for outgoing.. the incoming can be strictly configured with the above and you
> can be less strict on the outgoing as long as there is smtp-auth
The point is that almost all small fry businesses out there do not have a
clue about how hostname in HELO and the A and PTR records should be
linked.
Their hostname is mail.internal.lan and they will happily use that for the
HELO message. The PTR record does not exist or is something like
ADSL-80-1-2-3.someisp.tld and their A record is customerid.someisp.tld.
That will fail in about half a dozen ways here. I am not losing any sleep
over that as it is rather unlikely there will be any valid mail in those,
but some people have to live with the unlikely sort of customers.
Hugo.
--
hvdkooij at vanderkooij.org http://hugo.vanderkooij.org/
This message is using 100% recycled electrons.
Some men see computers as they are and say "Windows"
I use computers with Linux and say "Why Windows?"
(Thanks JFK, for the insight.)
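The failure modes Hugo describes (a private HELO name that resolves nowhere, a missing or generic ISP PTR record, and an A record that does not point back to the connecting address) can be checked offline. The following is an added example, not code from the thread or from Postfix or MailScanner: a simplified model of the HELO restrictions quoted above plus a forward-confirmed reverse DNS check, run against a constructed in-memory DNS table. Real Postfix also accepts an MX record for reject_unknown_hostname and does the PTR consistency check in a separate restriction (reject_unknown_client_hostname); the record names and addresses below are invented for illustration.

```python
import re

# Constructed, offline stand-in for DNS (illustrative values modelled on the
# post, not real hosts): forward A records and reverse PTR records.
FORWARD_A = {
    "mail.example.org": "192.0.2.10",
    "customerid.someisp.tld": "192.0.2.20",
}
REVERSE_PTR = {
    "192.0.2.10": "mail.example.org",
    "192.0.2.20": "adsl-80-1-2-3.someisp.tld",  # generic ISP PTR, as in the post
    # 192.0.2.30 deliberately has no PTR record at all
}

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen, max 63 chars.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def normalize(name):
    """Lower-case and drop a trailing root dot so comparisons are stable."""
    return name.strip().rstrip(".").lower()


def is_valid_hostname(name):
    """reject_invalid_hostname: every label well-formed, total length within limits."""
    name = normalize(name)
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def is_fqdn(name):
    """reject_non_fqdn_hostname: at least two non-empty labels, top label not all digits."""
    labels = normalize(name).split(".")
    return len(labels) >= 2 and all(labels) and not labels[-1].isdigit()


def forward_lookup(name):
    """Simulated A lookup against the constructed table."""
    return FORWARD_A.get(normalize(name))


def reverse_lookup(ip):
    """Simulated PTR lookup against the constructed table."""
    return REVERSE_PTR.get(ip)


def helo_findings(helo, client_ip):
    """Return the reasons a strict MTA would reject this HELO/client pair.

    An empty list means the HELO name, its A record and the client's PTR
    record are mutually consistent (forward-confirmed reverse DNS).
    """
    findings = []
    if not is_valid_hostname(helo):
        findings.append("invalid_hostname")
    if not is_fqdn(helo):
        findings.append("non_fqdn_hostname")
    if forward_lookup(helo) is None:
        findings.append("unknown_hostname")
    ptr = reverse_lookup(client_ip)
    if ptr is None:
        findings.append("no_ptr")
    else:
        if ptr != normalize(helo):
            findings.append("ptr_helo_mismatch")
        if forward_lookup(ptr) != client_ip:
            # PTR names a host whose A record does not point back at the client
            findings.append("ptr_not_confirmed")
    return findings


if __name__ == "__main__":
    # Constructed sample sessions: a well-configured sender and the
    # "mail.internal.lan" style misconfigurations from the post.
    for helo, ip in [
        ("mail.example.org", "192.0.2.10"),
        ("mail.internal.lan", "192.0.2.30"),
        ("mail.internal.lan", "192.0.2.20"),
        ("mailserver", "192.0.2.10"),
    ]:
        result = helo_findings(helo, ip)
        print(f"HELO {helo!r} from {ip}: {result or 'OK'}")
```

Each entry in the returned list corresponds to one of the "half a dozen ways" a connection can fail: a sender whose HELO, A and PTR line up produces no findings, while the private-LAN hostname behind a generic ADSL reverse name trips three checks at once.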