Slightly OT: Postfix smtpd restrictions

[Jethro R Binks]

On Fri, 25 Jun 2010, Drew Marshall wrote:

> For example, BT won't let anyone change their PTR, so EHLO/ HELO is
> always going to be a mismatch for these.

So fix the problem the other way around: change the HELO name to use the 
PTR name.  Might be trickier if the sending IP is dynamic and so the PTR 
is different.  Might also be trickier in a natted environment where 
internal sending box doesn't know the external PTR.  But in either case 
you should probably use the ISP mail relay because you probably aren't 
paying for a suitable business-class service to run a mail server from.

> Most people running Exchange 'naked' to the Internet end up having a 
> EHLO as <name>.local or some such other non existent TLD so that ends up 
> not matching either and so it goes on.

That's purely a configuration issue of the send connector, for the last 
few versions of Exchange I think.  Fixable.

> As ever YMMV but for me, I found other ways to combat spam coming from 
> these sorts of connections such as RBLs etc.

That's true enough; rejecting on mismatch between HELO and PTR can be a 
dangerous business (you might be better off using a mismatch as a scoring 
criteria for SpamAssassin).  However, many of those mismatches are 
trivially fixable by the sending sites, should they be encouraged to do so 
to better guarantee the chances of their mail getting through, and so 
ultimately increase the value of checks for HELO matching PTR.

That's not to say that some spambots don't make efforts to make their HELO 
names match the PTRs of their IP; but while checks on mismatch are 
perceived to be worthless because of the above perceived problems, there 
isn't much incentive for spambots to be much cleverer.  That will change, 
as more receiving servers demand more strictness of their sending peer.

Jethro.

.  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .  .
Jethro R Binks
Computing Officer, IT Services, University Of Strathclyde, Glasgow, UK