687
edits
Changes
From SME Server
Jump to navigationJump to searchperldoc output for qpsmtpd helo plugin
<span id="_top"></span>
= [[#___top|NAME]] =
helo - validate the HELO message presented by a connecting host.
= [[#___top|DESCRIPTION]] =
Validate the HELO hostname. This plugin includes a suite of optional tests, selectable by the ''policy'' setting. The policy section details which tests are enforced by each policy option.
It sets the connection notes helo_forward_match and helo_reverse_match when ''policy rfc'' or ''policy strict'' are used.
Adds an X-HELO header with the HELO hostname to the message.
Using ''policy rfc'' will reject a very large portion of the spam from hosts that have yet to get blacklisted.
= [[#___top|WHY IT WORKS]] =
The reverse DNS of the zombie PCs is out of the spam operators control. Their only way to get past these tests is to limit themselves to hosts with matching forward and reverse DNS, and then use the proper HELO hostname when spamming. At present, this presents a very high hurdle.
= [[#___top|HELO VALIDATION TESTS]] =
<dl>
<dt>is_in_badhelo
<dd><p>Matches in the ''badhelo'' config file, including yahoo.com and aol.com, which neither the real Yahoo or the real AOL use, but which spammers use a lot.</p>
<p>Like qmail with the qregex patch, the '''badhelo''' file can also contain perl regular expressions. In addition to normal regexp processing, a pattern can start with a ! character, and get a negated (!~) match.</p>
<dt>invalid_localhost
<dd><p>Assure that if a sender uses the 'localhost' hostname, they are coming from the localhost IP.</p>
<dt>is_plain_ip
<dd><p>Disallow plain IP addresses. They are neither a FQDN nor an address literal.</p>
<dt>is_address_literal [N.N.N.N]
<dd><p>An address literal (an IP enclosed in brackets) is legal but rarely, if ever, encountered from legit senders.</p>
<dt>is_forged_literal
<dd><p>If a literal is presented, make sure it matches the senders IP.</p>
<dt>is_not_fqdn
<dd><p>Makes sure the HELO hostname contains at least one dot and has only those characters specifically allowed in domain names (RFC 1035).</p>
<dt>no_forward_dns
<dd><p>Make sure the HELO hostname resolves.</p>
<dt>no_reverse_dns
<dd><p>Make sure the senders IP address resolves to a hostname.</p>
<dt>no_matching_dns
<dd><p>Make sure the HELO hostname has an A or AAAA record that matches the senders IP address, and make sure that the senders IP has a PTR that resolves to the HELO hostname.</p>
<p>Per RFC 5321 section 4.1.4, it is impermissible to block a message ''soley'' on the basis of the HELO hostname not matching the senders IP.</p>
<p>Since the dawn of SMTP, having matching DNS has been a minimum standard expected and oft required of mail servers. While requiring matching DNS is prudent, requiring an exact match will reject valid email. While testing this plugin with rejection disabled, I noticed that mx0.slc.paypal.com sends email from an IP that reverses to mx1.slc.paypal.com. While that's technically an error, I believe it's an error to reject mail based on it. Especially since SLD and TLD match.</p>
<p>To avoid snagging false positives, matches are extended to the first 3 octets of the IP and the last two labels of the FQDN. The following are considered a match:</p>
<pre> 192.0.1.2, 192.0.1.3
foo.example.com, bar.example.com</pre>
<p>This allows ''no_matching_dns'' to be used without rejecting mail from orgs with pools of servers where the HELO name and IP don't exactly match. This list includes Yahoo, Gmail, PayPal, cheaptickets.com, exchange.microsoft.com, and likely many more.</p></dl>
= [[#___top|CONFIGURATION]] =
== [[#___top|policy [ lenient | rfc | strict ]]] ==
Default: lenient
=== [[#___top|lenient]] ===
Runs the following tests: is_in_badhelo, invalid_localhost, is_forged_literal, and is_plain_ip.
This setting is lenient enough not to cause problems for your Windows users. It is comparable to running check_spamhelo, but with the addition of regexp support, the prevention of forged localhost, forged IP literals, and plain IPs.
=== [[#___top|rfc]] ===
Per RFC 2821, the HELO hostname is the FQDN of the sending server or an address literal. When ''policy rfc'' is selected, all the lenient checks and the following are tested: is_not_fqdn, no_forward_dns, and no_reverse_dns.
If you have Windows users that send mail via your server, do not choose ''policy rfc'' without setting ''reject'' to 0 or naughty. Windows PCs often send unqualified HELO names and will have trouble sending mail. The '''naughty''' plugin defers the rejection, giving the user the opportunity to authenticate and bypass the rejection.
=== [[#___top|strict]] ===
Strict includes all the RFC tests and the following: no_matching_dns, and is_address_literal.
I have yet to see an address literal being used by a hammy sender. But I am not certain that blocking them all is prudent.
It is recommended that ''policy strict'' be used with <reject 0> and that you examine your logs for false positives.
== [[#___top|badhelo]] ==
Add domains, hostnames, or perl regexp patterns to the ''badhelo'' config file; one per line.
== [[#___top|timeout [seconds]]] ==
Default: 5
The number of seconds before DNS queries timeout.
== [[#___top|reject [ 0 | 1 | naughty ]]] ==
Default: 1
0: do not reject
1: reject
naughty: naughty plugin handles rejection
== [[#___top|reject_type [ temp | perm | disconnect ]]] ==
Default: disconnect
What type of rejection should be sent? See docs/config.pod
== [[#___top|loglevel]] ==
Adjust the quantity of logging for this plugin. See docs/logging.pod
= [[#___top|RFC 2821]] =
== [[#___top|4.1.1.1]] ==
The HELO hostname "...contains the fully-qualified domain name of the SMTP client if one is available. In situations in which the SMTP client system does not have a meaningful domain name (e.g., when its address is dynamically allocated and no reverse mapping record is available), the client SHOULD send an address literal (see section 4.1.3), optionally followed by information that will help to identify the client system."
== [[#___top|2.3.5]] ==
The domain name, as described in this document and in [22], is the entire, fully-qualified name (often referred to as an "FQDN"). A domain name that is not in FQDN form is no more than a local alias. Local aliases MUST NOT appear in any SMTP transaction.
= [[#___top|RFC 5321]] =
== [[#___top|4.1.4]] ==
An SMTP server MAY verify that the domain name argument in the EHLO command actually corresponds to the IP address of the client. However, if the verification fails, the server MUST NOT refuse to accept a message on that basis. Information captured in the verification attempt is for logging and tracing purposes. Note that this prohibition applies to the matching of the parameter to its IP address only; see Section 7.9 for a more extensive discussion of rejecting incoming connections or mail messages.
= [[#___top|TODO]] =
is_forged_literal, if the forged IP is an internal IP, it's likely one of our clients that should have authenticated. Perhaps when we check back later in data_post, if they have added relay_client, then give back the karma.
= [[#___top|AUTHOR]] =
2012 - Matt Simerson
= [[#___top|ACKNOWLEDGEMENTS]] =
badhelo processing from check_badhelo plugin
badhelo regex processing idea from qregex patch
additional check ideas from Haraka helo plugin
<!-- Generated Sun Jul 16 09:07:26 EDT 2017 using
perldoc -T -ohtml /usr/share/qpsmtpd/plugins/helo |pandoc -f html -t mediawiki |sed 1 i\\n\n\n<span id="_top"></span> |sed -e s#</d.>##
-->
= [[#___top|NAME]] =
helo - validate the HELO message presented by a connecting host.
= [[#___top|DESCRIPTION]] =
Validate the HELO hostname. This plugin includes a suite of optional tests, selectable by the ''policy'' setting. The policy section details which tests are enforced by each policy option.
It sets the connection notes helo_forward_match and helo_reverse_match when ''policy rfc'' or ''policy strict'' are used.
Adds an X-HELO header with the HELO hostname to the message.
Using ''policy rfc'' will reject a very large portion of the spam from hosts that have yet to get blacklisted.
= [[#___top|WHY IT WORKS]] =
The reverse DNS of the zombie PCs is out of the spam operators control. Their only way to get past these tests is to limit themselves to hosts with matching forward and reverse DNS, and then use the proper HELO hostname when spamming. At present, this presents a very high hurdle.
= [[#___top|HELO VALIDATION TESTS]] =
<dl>
<dt>is_in_badhelo
<dd><p>Matches in the ''badhelo'' config file, including yahoo.com and aol.com, which neither the real Yahoo or the real AOL use, but which spammers use a lot.</p>
<p>Like qmail with the qregex patch, the '''badhelo''' file can also contain perl regular expressions. In addition to normal regexp processing, a pattern can start with a ! character, and get a negated (!~) match.</p>
<dt>invalid_localhost
<dd><p>Assure that if a sender uses the 'localhost' hostname, they are coming from the localhost IP.</p>
<dt>is_plain_ip
<dd><p>Disallow plain IP addresses. They are neither a FQDN nor an address literal.</p>
<dt>is_address_literal [N.N.N.N]
<dd><p>An address literal (an IP enclosed in brackets) is legal but rarely, if ever, encountered from legit senders.</p>
<dt>is_forged_literal
<dd><p>If a literal is presented, make sure it matches the senders IP.</p>
<dt>is_not_fqdn
<dd><p>Makes sure the HELO hostname contains at least one dot and has only those characters specifically allowed in domain names (RFC 1035).</p>
<dt>no_forward_dns
<dd><p>Make sure the HELO hostname resolves.</p>
<dt>no_reverse_dns
<dd><p>Make sure the senders IP address resolves to a hostname.</p>
<dt>no_matching_dns
<dd><p>Make sure the HELO hostname has an A or AAAA record that matches the senders IP address, and make sure that the senders IP has a PTR that resolves to the HELO hostname.</p>
<p>Per RFC 5321 section 4.1.4, it is impermissible to block a message ''soley'' on the basis of the HELO hostname not matching the senders IP.</p>
<p>Since the dawn of SMTP, having matching DNS has been a minimum standard expected and oft required of mail servers. While requiring matching DNS is prudent, requiring an exact match will reject valid email. While testing this plugin with rejection disabled, I noticed that mx0.slc.paypal.com sends email from an IP that reverses to mx1.slc.paypal.com. While that's technically an error, I believe it's an error to reject mail based on it. Especially since SLD and TLD match.</p>
<p>To avoid snagging false positives, matches are extended to the first 3 octets of the IP and the last two labels of the FQDN. The following are considered a match:</p>
<pre> 192.0.1.2, 192.0.1.3
foo.example.com, bar.example.com</pre>
<p>This allows ''no_matching_dns'' to be used without rejecting mail from orgs with pools of servers where the HELO name and IP don't exactly match. This list includes Yahoo, Gmail, PayPal, cheaptickets.com, exchange.microsoft.com, and likely many more.</p></dl>
= [[#___top|CONFIGURATION]] =
== [[#___top|policy [ lenient | rfc | strict ]]] ==
Default: lenient
=== [[#___top|lenient]] ===
Runs the following tests: is_in_badhelo, invalid_localhost, is_forged_literal, and is_plain_ip.
This setting is lenient enough not to cause problems for your Windows users. It is comparable to running check_spamhelo, but with the addition of regexp support, the prevention of forged localhost, forged IP literals, and plain IPs.
=== [[#___top|rfc]] ===
Per RFC 2821, the HELO hostname is the FQDN of the sending server or an address literal. When ''policy rfc'' is selected, all the lenient checks and the following are tested: is_not_fqdn, no_forward_dns, and no_reverse_dns.
If you have Windows users that send mail via your server, do not choose ''policy rfc'' without setting ''reject'' to 0 or naughty. Windows PCs often send unqualified HELO names and will have trouble sending mail. The '''naughty''' plugin defers the rejection, giving the user the opportunity to authenticate and bypass the rejection.
=== [[#___top|strict]] ===
Strict includes all the RFC tests and the following: no_matching_dns, and is_address_literal.
I have yet to see an address literal being used by a hammy sender. But I am not certain that blocking them all is prudent.
It is recommended that ''policy strict'' be used with <reject 0> and that you examine your logs for false positives.
== [[#___top|badhelo]] ==
Add domains, hostnames, or perl regexp patterns to the ''badhelo'' config file; one per line.
== [[#___top|timeout [seconds]]] ==
Default: 5
The number of seconds before DNS queries timeout.
== [[#___top|reject [ 0 | 1 | naughty ]]] ==
Default: 1
0: do not reject
1: reject
naughty: naughty plugin handles rejection
== [[#___top|reject_type [ temp | perm | disconnect ]]] ==
Default: disconnect
What type of rejection should be sent? See docs/config.pod
== [[#___top|loglevel]] ==
Adjust the quantity of logging for this plugin. See docs/logging.pod
= [[#___top|RFC 2821]] =
== [[#___top|4.1.1.1]] ==
The HELO hostname "...contains the fully-qualified domain name of the SMTP client if one is available. In situations in which the SMTP client system does not have a meaningful domain name (e.g., when its address is dynamically allocated and no reverse mapping record is available), the client SHOULD send an address literal (see section 4.1.3), optionally followed by information that will help to identify the client system."
== [[#___top|2.3.5]] ==
The domain name, as described in this document and in [22], is the entire, fully-qualified name (often referred to as an "FQDN"). A domain name that is not in FQDN form is no more than a local alias. Local aliases MUST NOT appear in any SMTP transaction.
= [[#___top|RFC 5321]] =
== [[#___top|4.1.4]] ==
An SMTP server MAY verify that the domain name argument in the EHLO command actually corresponds to the IP address of the client. However, if the verification fails, the server MUST NOT refuse to accept a message on that basis. Information captured in the verification attempt is for logging and tracing purposes. Note that this prohibition applies to the matching of the parameter to its IP address only; see Section 7.9 for a more extensive discussion of rejecting incoming connections or mail messages.
= [[#___top|TODO]] =
is_forged_literal, if the forged IP is an internal IP, it's likely one of our clients that should have authenticated. Perhaps when we check back later in data_post, if they have added relay_client, then give back the karma.
= [[#___top|AUTHOR]] =
2012 - Matt Simerson
= [[#___top|ACKNOWLEDGEMENTS]] =
badhelo processing from check_badhelo plugin
badhelo regex processing idea from qregex patch
additional check ideas from Haraka helo plugin
<!-- Generated Sun Jul 16 09:07:26 EDT 2017 using
perldoc -T -ohtml /usr/share/qpsmtpd/plugins/helo |pandoc -f html -t mediawiki |sed 1 i\\n\n\n<span id="_top"></span> |sed -e s#</d.>##
-->
