[CentOS] Re: postfix tightening

Sun Apr 3 05:50:14 UTC 2005
Craig White <craigwhite at azapple.com>

On Sat, 2005-04-02 at 22:21 -0600, Mark A. Lewis wrote:
> Stumbled across this while researching the points raised in this thread.
> Very good writeup IMO and addresses many of the questions/concerns.
> http://jimsun.LinxNet.com/misc/postfix-anti-UCE.txt 
indeed and as you say...those who reject based upon client HELO/EHLO
address are non-compliant but in reading the perspective on your link,
it states...

 Q2. Regarding your checks "reject_invalid_hostname,"
     "reject_non_fqdn_hostname" and "check_helo_access": Isn't rejecting
     on HELO/EHLO not being a valid and FQDN'd hostname a violation of
     the RFC's?

 A2. Why yes, yes it is.  Doing so is a judgement call.  In *my*
     experience: it stops more spam than it does result in "false
     positives."  And in the few cases where it has resulted in false
     positives, I've found that a friendly dialog with the offending
     mail server's owner got it straightened out.  Your mileage may

     Machines outside "mynetworks" should *never* HELO/EHLO as being in
     our domain.  So even if you want to forego
     "reject_invalid_hostname" and "reject_non_fqdn_hostname," it seems
     to me perfectly reasonable to still do the "check_helo_access"

I see the logic in the 'judgment call'