Avoid rejecting users authenticating on port 587

From The Network People, Inc. - Wiki

Background

I want to deny access to MTAs who HELO/EHLO without presenting a FQDN.

Solution

Put

!\.

in /var/qmail/control/badhelo. This will reject HELOs without a dot. A bit crude perhaps, but a FQDN usually involves a dot somewhere.

Note: Blocking based on HELO is a violation of the SMTP RFCs. Possibly a good one, but if it causes the loss of any valid emails, it's bad. Perhaps if you want to reject based on HELO, a better way is to simply raise the score on the HELO_* tests in SpamAssassin.


Problem

Authenticated users on port 587 are rejected since their HELOs rarely contain an FQDN. Apparently, Outlook clients present Windows' friendly computer name, or some variant of it, as their HELO string when submitting mail. Apparently, badhelo is checked regardless of client status.

Half-assed Solution to the Problem

Set NOBADHELO="" in tcp.smtp for the IPs involved. Difficult to do since the users on this particular toaster submit from all kinds of WLANs, client gateways, home DSL, cable and EDGE/GPRS IPs throughout the day.

Better solution

Generate a separate tcprules cdb for submit. Create the file /usr/local/vpopmail/etc/tcp.submit and put the following in it:

# tcpserver submit (port 587) tcp rules
# RELAYCLIENT="" means IP can relay
# RBLSMTPD=""    means DNSBLs are ignored for this IP
# QMAILQUEUE=""  is the qmail queue process, defaults to /var/qmail/bin/qmail-queue
# NOBADHELO=""   means badhelo checks are ignored for this IP
#
# No whitelisting on port 587. All clients must AUTH.  
### BEGIN QMAIL SCANNER VIRUS ENTRIES ###
### END QMAIL SCANNER VIRUS ENTRIES ###
#
# Don't do badhelo or DNSBL tests
# Use simscan mail queue on everything
:allow,NOBADHELO="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/simscan"

Save it and run the commands

# /usr/local/bin/tcprules ~vpopmail/etc/tcp.submit.cdb ~vpopmail/etc/tcp.submit.tmp < ~vpopmail/etc/tcp.submit
# chmod 644 ~vpopmail/etc/tcp.submit*

Finally, edit /usr/local/etc/toaster-watcher.conf

submit_relay_database = vpopmail_home_dir/etc/tcp.submit.cdb

Now everyone successfully authenticating on port 587 will be exempt from DNSBL and badhelo checks.
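An added example, not part of this wiki page or of Mail::Toaster: a small Python resolver for the tcprules text format, showing why the single default rule in tcp.submit exempts every submitting client while a constructed tcp.smtp only exempts the networks it lists. It models the lookup order tcpserver uses (exact IP, then dotted prefixes longest first, then the default entry); the =host and IP-range rule forms are not modelled, and the client IPs are constructed.

```python
import re

# Shape of one tcprules line: ADDRESS:allow|deny[,NAME="value",...]
RULE_RE = re.compile(r'^([^:]*):(allow|deny)(?:,(.*))?$')
ENV_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="([^"]*)"')

def parse_tcprules(text):
    """Parse tcprules text into {address_pattern: (action, env)}; first entry for a key wins."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f'unparseable rule: {line!r}')
        addr, action, envs = m.groups()
        table.setdefault(addr, (action, dict(ENV_RE.findall(envs or ''))))
    return table

def candidate_keys(ip):
    """Lookup order tcpserver uses: exact IP, dotted prefixes longest first, then the default ''."""
    parts = ip.split('.')
    keys = [ip] + ['.'.join(parts[:n]) + '.' for n in range(len(parts) - 1, 0, -1)]
    return keys + ['']

def resolve(table, ip):
    """Return (matched_key, action, env) for a client IP; no match means allow with no env."""
    for key in candidate_keys(ip):
        if key in table:
            return (key,) + table[key]
    return ('', 'allow', {})

def badhelo_checked(table, ip):
    """qmail-smtpd skips the badhelo test when NOBADHELO is present in the environment (any value)."""
    _, action, env = resolve(table, ip)
    return action == 'allow' and 'NOBADHELO' not in env

# The tcp.submit rule from this page: one default entry, so every client on port 587 is exempt.
TCP_SUBMIT = ':allow,NOBADHELO="",RBLSMTPD="",QMAILQUEUE="/var/qmail/bin/simscan"\n'

# Constructed tcp.smtp for port 25: only the LAN is exempted, everyone else gets badhelo and DNSBL checks.
TCP_SMTP = '''
127.:allow,RELAYCLIENT=""
192.168.1.:allow,RELAYCLIENT="",NOBADHELO="",RBLSMTPD=""
:allow,QMAILQUEUE="/var/qmail/bin/simscan"
'''
```

Resolving a constructed roaming address such as 203.0.113.7 against both tables shows the difference: tcp.smtp falls through to its default rule and the HELO is still checked, tcp.submit matches its default rule with NOBADHELO set.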