From: Victor Duchovni (no email)
Date: Fri Mar 04 2005 - 10:55:46 EST

On Thu, Mar 03, 2005 at 09:18:06PM -0600, Kirk Strauser wrote:
> On Thursday 03 March 2005 05:52 pm, Rob Chanter wrote:
>
> > Not bad. One thing did jump out at me. In this example:
> >
> > woozle.honeypot.net OK
> > honeypot.net REJECT You are not me. Shoo!
> > 208.162.254.122 REJECT You are not me. Shoo!
> >
> > you missed the opportunity to explain DUNNO in access maps, and give an
> > example that is an open relay to any host identifying itself as woozle.
>
> My understanding is that the check_helo_access can basically only
> *reject* and not allow (that is, OK would work like DUNNO later).
> Is that incorrect?

The smtpd_helo_restrictions are not final, they are followed by
smtpd_sender_restrictions and smtpd_recipient_restrictions. So
a "check_helo_access ..." used in ***smtpd_helo_restrictions***
can safely return OK (really meaning OK, not DUNNO), but this
only short-circuits the helo checks, and one still relies on
smtpd_recipient_restrictions to avoid open-relay problems.

If an unsafe "check_helo_access" is used too early in the
recipient restrictions, you are toast.
-- Viktor.

Disclaimer: off-list followups get on-list replies or get ignored. Please do not ignore the "Reply-To" header.
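The difference described in the reply above, as an added example that is not part of the original message and is not Postfix code: a simplified Python model of how the restriction lists are evaluated, using the access map quoted in the thread. The client addresses, the recipient, the local-domain set and all function names are constructed for illustration.

```python
# Simplified model of Postfix restriction-list evaluation (not Postfix code).
# Access map entries are from the thread; addresses and domains are constructed.
HELO_ACCESS = {
    "woozle.honeypot.net": "OK",
    "honeypot.net": "REJECT",
}
MYNETWORKS = {"192.0.2.10"}        # constructed trusted client
LOCAL_DOMAINS = {"honeypot.net"}   # assumed: domains this server accepts mail for

def check_helo_access(s):
    # Exact-match lookup only in this model.
    return HELO_ACCESS.get(s["helo"].lower(), "DUNNO")

def permit_mynetworks(s):
    return "OK" if s["client"] in MYNETWORKS else "DUNNO"

def reject_unauth_destination(s):
    domain = s["rcpt"].rsplit("@", 1)[-1].lower()
    return "DUNNO" if domain in LOCAL_DOMAINS else "REJECT"

def run_list(restrictions, s):
    """First OK or REJECT ends this list; DUNNO falls through to the next rule."""
    for rule in restrictions:
        result = rule(s)
        if result != "DUNNO":
            return result
    return "OK"  # end of list: implicit permit

def accepts(config, s):
    """Each list is evaluated in turn; OK in one list does not skip later lists."""
    for name in ("helo", "sender", "recipient"):
        if run_list(config.get(name, []), s) == "REJECT":
            return False
    return True

# OK in the helo list is harmless: the recipient list still blocks relaying.
SAFE = {
    "helo": [check_helo_access],
    "recipient": [permit_mynetworks, reject_unauth_destination],
}
# Same lookup placed ahead of reject_unauth_destination: OK ends the list early.
UNSAFE = {
    "recipient": [check_helo_access, permit_mynetworks, reject_unauth_destination],
}

# Constructed session: untrusted client, HELO name from the map, off-site recipient.
FORGED = {"client": "203.0.113.5", "helo": "woozle.honeypot.net",
          "rcpt": "someone@example.org"}
```

`accepts(SAFE, FORGED)` is false and `accepts(UNSAFE, FORGED)` is true: the only change is where the HELO lookup sits relative to `reject_unauth_destination`.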