On Wed, 15 Sep 2004 07:39:31 +0200, Marc Kool
<m(_dot_)kool(_at_)vioro(_dot_)nl> wrote:
> I agree that HELO checking can be very useful.
> The problem with this and other useful proposals is the fact
> that many of today's legitimate mail servers do not comply.
> I have experienced this myself a few months ago when I configured
> my postfix MTA with a simple check for a valid HELO (the hostname
> should be FQDN and have a MX or A record). The number of
> badly configured legitimate mail servers was too high and
> I reversed the config change.

FWIW, on my mail server I work around this by only checking HELOs that
*look* like they're supposed to be valid. So "bogus-server.biz"
triggers a reject but "BOBSCOMPUTER" (a HELO you might get from MS
Outlook) does not.
It looks like this in my Postfix helo_access.pcre:

/^[a-z0-9\.-]+\.(com|net|org|edu|info|biz|name|mil|gov|int|[a-z]{2})$/
    reject_unknown_client, reject_unknown_hostname

I have had one set of false positives -- ebay notifications from
servers that HELO as mx#.smf.ebay.com (where "#" is a number), all of
which fail to resolve.
--
paul bissex, e-scribe.com -- database-driven web development
413.585.8095
69.55.225.29
01061-0847
72°39'71"W 42°19'42"N
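
Added example (not part of the original message): a dry run of the helo_access.pcre pattern above over a list of HELO names, showing which ones the rule would subject to the lookup and which it would skip. The function names, the sample names and the stand-in "DNS" set are constructed for illustration; only the HELO hostname lookup is modelled, not the client reverse-DNS check made by reject_unknown_client.

```python
import re

# Pattern copied from the helo_access.pcre entry above. Postfix pcre tables
# match case-insensitively by default, hence re.IGNORECASE.
HELO_LOOKS_LIKE_FQDN = re.compile(
    r"^[a-z0-9\.-]+\.(com|net|org|edu|info|biz|name|mil|gov|int|[a-z]{2})$",
    re.IGNORECASE,
)

def classify(helo, resolvable):
    """Return 'skip', 'pass' or 'reject' for one HELO name.

    resolvable: set of lower-case names standing in for "has an A or MX
    record" (assumption: a real dry run would query DNS here instead).
    """
    if not HELO_LOOKS_LIKE_FQDN.search(helo):
        return "skip"    # pattern does not match, so no restriction applies
    if helo.lower() in resolvable:
        return "pass"    # looks like an FQDN and resolves
    return "reject"      # looks like an FQDN but does not resolve

def classify_all(helos, resolvable):
    """Map each HELO name to its outcome."""
    return {h: classify(h, resolvable) for h in helos}

# Constructed sample data, not taken from real logs.
SAMPLE_DNS = {"mail.example.org"}
SAMPLE_HELOS = [
    "mail.example.org",     # well-configured server
    "bogus-server.biz",     # FQDN-shaped, does not resolve
    "BOBSCOMPUTER",         # bare workstation name, no dot
    "mx1.smf.ebay.com",     # shape of the false positive described above
    "[192.0.2.25]",         # address literal, brackets fall outside the class
    "LAPTOP.PC",            # workstation name that happens to end in 2 letters
    "host.example.museum",  # longer TLD that is not in the list
]

if __name__ == "__main__":
    for name, outcome in classify_all(SAMPLE_HELOS, SAMPLE_DNS).items():
        print(f"{outcome:7} {name}")
```

The "LAPTOP.PC" and "host.example.museum" rows show the two ways the TLD list can surprise: a two-letter suffix on a workstation name gets checked, while a genuine hostname under an unlisted TLD is never checked.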