From: Rob Chanter (no email)
Date: Sun Mar 06 2005 - 18:47:18 EST

On Thu, Mar 03, 2005 at 09:18:06PM -0600, Kirk Strauser wrote:
> On Thursday 03 March 2005 05:52 pm, Rob Chanter wrote:
>
> > Not bad. One thing did jump out at me. In this example:
> >
> > woozle.honeypot.net OK
> > honeypot.net REJECT You are not me. Shoo!
> > 208.162.254.122 REJECT You are not me. Shoo!
> >
> > you missed the opportunity to explain DUNNO in access maps, and give an
> > example that is an open relay to any host identifying itself as woozle.
>
> My understanding is that the check_helo_access can basically only *reject* and
> not allow (that is, OK would work like DUNNO later). Is that incorrect?

That's only true to the extent that sender and recipient checks are
still performed after HELO checks. So, even with delay_reject set to
yes, conceptually smtpd_helo_restrictions control the response to HELO.
Basically, OK says "I'm done with this restriction"; DUNNO says "I'm
done with this map, on to the next rule in the restriction list". It's a
little more subtle than that: man 5 access for more info. But your
example says "anyone HELOing with that name has cleared the HELO checks
completely". And anyone can configure their spamware to HELO with
whatever they want. That's probably safe for the common ways of doing
separate smtpd_{helo,sender,recipient}_restrictions, but won't be when
people bundle everything into recipient restrictions (as I do).

cheers
rob
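
The OK versus DUNNO difference discussed in this message, as an added example that is not part of the original post and is not Postfix code: a simplified Python model of a restriction list that stops at the first OK or REJECT, run against the access map quoted above. The client address, the recipient addresses and the MY_DOMAINS and MYNETWORKS values are constructed assumptions, and the parent-domain lookup is reduced to its essentials.

```python
# Simplified model of Postfix restriction-list evaluation (illustration only).
# MY_DOMAINS, MYNETWORKS, the client address and recipients are constructed.
MY_DOMAINS = {"honeypot.net"}      # assumed: domains this server accepts mail for
MYNETWORKS = {"127.0.0.1"}         # assumed: trusted client addresses

def map_lookup(table, name):
    """Try the full name, then each parent domain, as a hostname access map does.
    An explicit DUNNO entry ends the search, so parent entries are never tried."""
    labels = name.split(".")
    for i in range(len(labels)):
        action = table.get(".".join(labels[i:]))
        if action is not None:
            return action.split()[0]   # keep the verb, drop the reject text
    return "DUNNO"                     # no entry at all

def permit_mynetworks(session, _table):
    return "OK" if session["client"] in MYNETWORKS else "DUNNO"

def check_helo_access(session, table):
    return map_lookup(table, session["helo"])

def reject_unauth_destination(session, _table):
    domain = session["rcpt"].split("@")[1]
    return "DUNNO" if domain in MY_DOMAINS else "REJECT"

def evaluate(restrictions, session, table):
    """First OK or REJECT ends the list; DUNNO moves on to the next restriction."""
    for rule in restrictions:
        verdict = rule(session, table)
        if verdict != "DUNNO":
            return verdict
    return "OK"                        # reaching the end of the list permits

MAP_OK = {"woozle.honeypot.net": "OK",
          "honeypot.net": "REJECT You are not me. Shoo!",
          "208.162.254.122": "REJECT You are not me. Shoo!"}
MAP_DUNNO = dict(MAP_OK, **{"woozle.honeypot.net": "DUNNO"})

# Everything bundled into one list, HELO map ahead of the relay check.
BUNDLED = [permit_mynetworks, check_helo_access, reject_unauth_destination]
# Same rules with the relay check placed before the HELO map.
RELAY_CHECK_FIRST = [permit_mynetworks, reject_unauth_destination, check_helo_access]

# Constructed session: outside client using the listed name, foreign recipient.
forged = {"client": "203.0.113.9", "helo": "woozle.honeypot.net",
          "rcpt": "someone@example.org"}

if __name__ == "__main__":
    for label, rules, table in [("bundled, OK", BUNDLED, MAP_OK),
                                ("bundled, DUNNO", BUNDLED, MAP_DUNNO),
                                ("relay check first, OK", RELAY_CHECK_FIRST, MAP_OK)]:
        print(label, "->", evaluate(rules, forged, table))
```

With the OK entry the bundled list permits the foreign recipient because evaluation never reaches reject_unauth_destination; with DUNNO, or with the relay check placed first, the same session is rejected.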