1

Topic: Suggestion for /etc/postfix/helo_access.pcre

Having moved about a thousand users to a new iRedMail server (using iRedAdmin-Pro), I am generally very happy, and the admin users are also quite happy with their new control panel. I may provide more specific details in that vein in the future if/when I have the time.

However, the move has not been without issues, as it has helped reveal other mail servers with bad configurations, all of them Microsoft Exchange mail servers, some of them even run by banks! This is specifically with reference to mail servers with a HELO identifying them as somedomain.local. Those who have fixed their servers now get email through without problems.

In the meantime, I do have one suggestion for improvement. I did not like the default "Go away, bad guy" feedback. It seems unprofessional to me, and in the cases described above the senders were not "bad guys", they just had "stupid guys" configuring their mail servers. Additionally, the feedback simply didn't provide any useful information, either to the sender of the bounced email or that sender's postmaster.

For that reason I modified my "helo_access.pcre" file to look like the one below. Zhang, feel free to use this (if you wish) in future releases.


Craig


#---------------------------------------------------------------------
# This file is part of iRedMail, which is an open source mail server
# solution for Red Hat(R) Enterprise Linux, CentOS, Debian and Ubuntu.
#
# iRedMail is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# iRedMail is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with iRedMail.  If not, see <http://www.gnu.org/licenses/>.
#---------------------------------------------------------------------

#
# Sample Postfix check_helo_access rule. It should be located at:
#   /etc/postfix/check_helo_access.pcre
#
# Shipped within iRedMail project:
#   * http://www.iredmail.org/
#
# Thanks all contributor(s):
#   * muniao <at> gamil.
#

# Prepend HELO hostname of sender server
#/(.*)/ PREPEND X-Original-Helo: $1 (iRedMail: http://www.iredmail.org/)

#*******************************************
# IP address: (([0-9]){3}-){2}
#*******************************************

# No one will use these in helo command.
/^localhost$/                REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly. (localhost)
/^localhost\.localdomain$/    REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly. (localhost.localdomain)

# Reject who use IP address as helo.
# Correct:        [xxx.xxx.xxx.xxx]
# Incorrect:    xxx.xxx.xxx.xxx
/^[0-9.]+$/        REJECT ACCESS DENIED. Your email was rejected because the sending mail server is not configured properly. (not RFC compliant)

#
# This is the real HELO identify of these ISPs:
#   sohu.com    websmtp.sohu.com relay2nd.mail.sohu.com
#   126.com     m15-78.126.com
#   163.com     m31-189.vip.163.com m13-49.163.com
#   sina.com    mail2-209.sinamail.sina.com.cn
#   gmail.com   xx-out-NNNN.google.com
#
/^126\.com$/        REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server. (126.com)
/^163\.com$/        REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server. (163.com)
/^163\.net$/        REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server. (163.net)
/^sohu\.com$/        REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server. (sohu.com)
/gmail\.com$/        REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server. (gmail.com)
/^google\.com$/        REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server. (google.com)
/^yahoo\.com\.cn$/    REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server. (yahoo.com.cn)
/^yahoo\.co\.jp$/    REJECT ACCESS DENIED. Your email was rejected because the sending mail server seems to be impersonating another mail server. (yahoo.co.jp)

#
# Spammers.
#
/^728154EA470B4AA\.com$/        REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (728154EA470B4AA.com)
/^taj-co\.com$/                    REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (taj-co.com)
/^CF8D3DB045C1455\.net$/        REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (CF8D3DB045C1455.net)
/^dsgsfdg\.com$/                REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (dsgsfdg.com)
/^se\.nit7-ngbo\.com$/            REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (se.nit7-ngbo.com)
/^mail\.goo\.ne\.jp$/            REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (mail.goo.ne.jp)
/^n-ong_an\.com$/                REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (n-ong_an.com)
/^e5\.il\.n5tt\.zj\.cn$/        REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (e5.il.n5tt.zj.cn)
/^meqail\.teamefs-ine5tl\.com$/    REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (meqail.teamefs-ine5tl.com)
/^zzg\.jhf-sp\.com$/            REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (zzg.jhf-sp.com)
/^din_glo-ng\.net$/                REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (din_glo-ng.net)
/^fda-cnc\.ie\.com$/            REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (fda-cnc.ie.com)
/^yrtaj-yrco\.com$/                REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (yrtaj-yrco.com)
/^m\.am\.biz\.cn$/                REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (m.am.biz.cn)
/^xr_haig\.roup\.com$/            REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (xr_haig.roup.com)
/^hjn\.cn$/                        REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (hjn.cn)
/^we_blf\.com\.cn$/                REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (we_blf.com.cn)
/^netvigator\.com$/                REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (netvigator.com)
/^mysam\.biz$/                    REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (mysam.biz)
/^mail\.teams-intl\.com$/        REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (mail.teams-intl.com)
/^seningbo\.com$/                REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (seningbo.com)
/^nblf\.com\.cn$/                REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (nblf.com.cn)
/^kdn\.ktguide\.com$/            REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (kdn.ktguide.com)
/^zzsp\.com$/                    REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (zzsp.com)
/^nblongan\.com$/                REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (nblongan.com)
/^dpu\.cn$/                        REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (dpu.cn)
/^mail\.nbptt\.zj\.cn$/            REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (mail.nbptt.zj.cn)
/^nbalton\.com$/                REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (nbalton.com)
/^cncie\.com$/                    REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (cncie.com)
/^xinhaigroup\.com$/            REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (xinhaigroup.com)
/^wz\.com$/                        REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (wz.com)
/\.zj\.cn$/                        REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (.zj.cn)
/\.kornet$/                        REJECT ACCESS DENIED. Your email was rejected because it appears to come from a known spamming mail server. (.kornet)

/^dsldevice\.lan$/                REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly. (dsldevice.lan)
/^system\.mail$/                    REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly. (system.mail)
/^speedtouch\.lan$/                REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly. (speedtouch.lan)
/\.local$/                        REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly. (.local)

#
# Reject ADSL spammers.
#
/adsl/                                REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery. (adsl)
/dynamic/                            REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery. (dynamic)
/\d{1,3}-\d{1,3}-\d{1,3}-\d{1,3}/    REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery. (dynamic)
/pppoe/                                REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery. (pppoe)
/dsl\.brasiltelecom\.net\.br/        REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery. (dsl.brasiltelecom.net.br)
/dsl\.optinet\.hr/                    REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery. (dsl.optinet.hr)
/dsl\.telesp\.net\.br/                REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery. (dsl.telesp.net.br)
/dialup/                            REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery. (dialup)
/dhcp/                                REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery. (dhcp)
/dhcp\.stls\.mo\.charter\.com/        REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery. (dhcp.stls.mo.charter.com)
/pool-/                                REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery. (pool-)
/^cpe-/                                REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery. (cpe-)
/\.cpe\./                            REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery. (.cpe.)

/speedy\.com\.ar$/                    REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery. (speedy.com.ar)
/speedyterra\.com\.br$/                REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery. (speedyterra.com.br)
/static\.sbb\.rs$/                    REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery. (static.sbb.rs)
/static\.vsnl\.net\.in$/            REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery. (static.vsnl.net.in)

/advance\.com\.ar/                    REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/airtelbroadband\.in/                REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/bb\.netvision\.net\.il/            REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/bezeqint\.net/                        REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/broadband3\.iol\.cz/                REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/cable\.net\.co/                    REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/catv\.broadband\.hu/                REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/chello\.nl/                        REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/chello\.sk/                        REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/client\.mchsi\.com/                REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/cncdnh\.east\.verizon\.net/        REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/comunitel\.net/                    REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/coprosys\.cz/                        REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/dclient\.hispeed\.ch/                REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/dfw\.dsl-w\.verizon\.net/            REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/dip0\.t-ipconnect\.de/                REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/dyn\.centurytel\.net/                REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/embarqhsd\.net/                    REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/emcali\.net\.co/                    REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/epm\.net\.co/                        REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/eutelia\.it/                        REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/fastwebnet\.it/                    REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/fibertel\.com\.ar/                    REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/freedom2surf\.net$/                REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/hgcbroadband\.com$/                REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/HINET-IP\.hinet\.net$/                REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/infonet\.by$/                        REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/is74\.ru$/                            REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/kievnet\.com\.ua$/                    REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/metrotel\.net\.co$/                REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/nw\.nuvox\.net$/                    REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/pitbpa\.fios\.verizon\.net$/        REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/pldt\.net$/                        REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/pool\.invitel\.hu$/                REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/pool\.ukrtel\.net$/                REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/pools\.arcor-ip\.net$/                REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/pppoe\.avangarddsl\.ru$/            REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/retail\.telecomitalia\.it$/        REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/revip2\.asianet\.co\.th$/            REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/tim\.ro$/                            REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/tsi\.tychy\.pl/                    REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/ttnet\.net\.tr/                    REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/tttmaxnet\.com/                    REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/user\.veloxzone\.com\.br/            REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/utk\.ru$/                            REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/veloxzone\.com\.br$/                REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/verizon\.net$/                        REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/virtua\.com\.br$/                    REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/wanamaroc\.com$/                    REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/wbt\.ru$/                            REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/wireless\.iaw\.on\.ca$/            REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/zj\.cn$/                            REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/business\.telecomitalia\.it$/        REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/cotas\.com\.bo$/                    REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/marunouchi\.tokyo\.ocn\.ne\.jp$/    REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/amedex\.com$/                        REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.
/aageneva\.com$/                    REJECT ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery.

/domain\.invalid/                    REJECT ACCESS DENIED. Your email was rejected because the sending mail server does not identify itself correctly. (domain.invalid)
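
A checker for a HELO access table of this kind, added here as an illustration (it is not part of the thread or of iRedMail): it parses `/pattern/ action` rules, applies first-match lookup to HELO names, and flags duplicate patterns and unescaped dots. It uses Python's `re` in place of PCRE and assumes Postfix's default case-insensitive matching; the sample rules, shortened reject texts and HELO names are constructed.

```python
import re

# Constructed excerpt in the style of a helo_access.pcre table; reject texts shortened.
SAMPLE_TABLE = r"""
# Constructed sample rules.
/^localhost$/          REJECT does not identify itself correctly (localhost)
/^[0-9.]+$/            REJECT not RFC compliant
/^dsldevice\.lan$/     REJECT does not identify itself correctly (dsldevice.lan)
/\.zj.cn$/             REJECT known spamming mail server (.zj.cn)
/^dsldevice\.lan$/     REJECT does not identify itself correctly (dsldevice.lan)
/\.local$/             REJECT does not identify itself correctly (.local)
/adsl/                 REJECT dynamic IP address (adsl)
"""

# One rule per line: /pattern/flags, whitespace, then the action text.
RULE = re.compile(r"^/(?P<pat>.*?)/(?P<flags>[a-zA-Z]*)\s+(?P<action>.+)$")


def parse_table(text):
    """Return [(lineno, pattern_source, compiled_regex, action)] for each rule line."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a /pattern/ action rule")
        # Matching is case-insensitive by default; an 'i' flag switches that off.
        flags = 0 if "i" in m["flags"] else re.IGNORECASE
        rules.append((lineno, m["pat"], re.compile(m["pat"], flags), m["action"]))
    return rules


def lookup(rules, helo):
    """Return (lineno, action) of the first rule matching the HELO name, else None."""
    for lineno, _src, rx, action in rules:
        if rx.search(helo):
            return lineno, action
    return None


def lint(rules):
    """Flag repeated patterns and dots left unescaped between literal characters."""
    findings, seen = [], {}
    for lineno, src, _rx, _action in rules:
        if src in seen:
            findings.append((lineno, f"duplicate of line {seen[src]}"))
        else:
            seen[src] = lineno
        # A '.' not preceded by a backslash and followed by a letter is a wildcard.
        if re.search(r"(?<=[A-Za-z0-9])\.(?=[A-Za-z])", src):
            findings.append((lineno, "unescaped '.' matches any character"))
    return findings


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    # Constructed HELO names: legitimate-looking hosts alongside misconfigured ones.
    for name in ("EXCH01.corp.local", "192.0.2.10", "[192.0.2.10]",
                 "mail.zjxcn", "mx.headslice.example", "mx1.example.org"):
        print(f"{name:24} -> {lookup(table, name)}")
    for lineno, problem in lint(table):
        print(f"line {lineno}: {problem}")
```

The `mx.headslice.example` case shows why unanchored substrings such as `/adsl/` deserve a review before deployment. On a live server, `postmap -q "name" pcre:/etc/postfix/helo_access.pcre` gives the authoritative answer from Postfix's own PCRE engine.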

2

Re: Suggestion for /etc/postfix/helo_access.pcre

Obviously, yours is better. I merged yours:
https://bitbucket.org/zhb/iredmail/comm … c7630782eb

Thanks very much for your contribution.

3

Re: Suggestion for /etc/postfix/helo_access.pcre

You're welcome.