Nigel Metheringham edited this page Nov 29, 2012 · 2 revisions

Q0735

Question

How can I block non-FQDNs in HELO/EHLOs?

Answer

Many workstation clients send single-component names; take care that you do not block legitimate mail. With that proviso, you can do it using something like this in an ACL:

drop  message = HELO doesn't look like a hostname
   log_message = Not a hostname
   condition = ${if match{$sender_helo_name} \
\N^[^.].*\.[^.]+$\N}{no}{yes}}

This means: Drop the HELO unless it contains a dot somewhere in the HELO string, but the string may not begin or end with a dot. Thus, the imposed minimum length is 3 characters. The data for HELO/EHLO doesn't have to be a host name; it may legitimately be an IP address literal instead. The above test succeeds with an IPv4 address literal, but if you want also to accept IPv6 address literals, you will have to modify the regular expression.


Clone this wiki locally
You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.