AMaViS - A Mail Virus Scanner

On 3/2/11 7:45 AM, Patrick Ben Koetter wrote:
>   makes Postfix reject amavis
> when reject_non_fqdn_helo_hostname is enabled.
>
not if allow mynets is before the tests.



-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
 >*| *SECNAP Network Security Corporation

    * Certified SNORT Integrator
    * 2008-9 Hot Company Award Winner, World Executive Alliance
    * Five-Star Partner Program 2009, VARBusiness
    * Best in Email Security,2010: Network Products Guide
    * King of Spam Filters, SC Magazine 2008

______________________________________________________________________
This email has been scanned and certified safe by SpammerTrap(r). 
For Information please see http://www.secnap.com/products/spammertrap/
______________________________________________________________________

* Michael Scheidell <michael.scheidell@...>:
> On 3/2/11 7:45 AM, Patrick Ben Koetter wrote:
> >   makes Postfix reject amavis
> > when reject_non_fqdn_helo_hostname is enabled.
> >
> not if allow mynets is before the tests.

Agreed, but why write an exception if you can get it right in the first.

p@...


-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitely required and
justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>

On Wed, 2 Mar 2011, Patrick Ben Koetter wrote:

> Shouldn't $localhost_name be a (RFC compliant) FQDN hostname like
> 'localhost.localdomain' by default?
>
> Currently it defaults to 'localhost', which IIRC is not a FQDN.

'localhost.' is an FQDN, and one that is actually correct, as opposed to 
the non-standard .localdomain convention that has caused more trouble than 
it has ever solved.  Please don't encourage further confusion. :)

> I'm asking because the non-FQDN $localhost_name makes Postfix reject amavis
> when reject_non_fqdn_helo_hostname is enabled.

What's the use case for running that on a content filter reinjection port?

-Rob

* Rob Foehl <rwf@...>:
> On Wed, 2 Mar 2011, Patrick Ben Koetter wrote:
> 
> > Shouldn't $localhost_name be a (RFC compliant) FQDN hostname like
> > 'localhost.localdomain' by default?
> >
> > Currently it defaults to 'localhost', which IIRC is not a FQDN.
> 
> 'localhost.' is an FQDN, and one that is actually correct, as opposed to 
> the non-standard .localdomain convention that has caused more trouble than 
> it has ever solved.  Please don't encourage further confusion. :)

RFC 2006 <http://tools.ietf.org/rfc/rfc2606.txt> indicates you are right. I
need to do some testing. Maybe I jumped to the wrong conclusion why specifying
"localhost" only causes problems.


> > I'm asking because the non-FQDN $localhost_name makes Postfix reject amavis
> > when reject_non_fqdn_helo_hostname is enabled.
> 
> What's the use case for running that on a content filter reinjection port?

Some simply set it globally and don't disable it or change the policy on
reinjection port.

p@...

-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitely required and
justified.

saslfinger (debugging SMTP AUTH):
<http://postfix.state-of-mind.de/patrick.koetter/saslfinger/>

On Thu, 3 Mar 2011, Patrick Ben Koetter wrote:

> RFC 2006 <http://tools.ietf.org/rfc/rfc2606.txt> indicates you are right. I
> need to do some testing. Maybe I jumped to the wrong conclusion why specifying
> "localhost" only causes problems.

reject_non_fqdn_helo_hostname will catch a bare 'localhost' since it has 
no '.', but 'localhost.' doesn't work either, since the implementation 
specifically checks for '.' within the string.  So it'll cause problems 
here either way, but...

> Some simply set it globally and don't disable it or change the policy on
> reinjection port.

I'd say that's a mistake, and not one amavisd-new should be trying 
particularly hard to avoid.  On my systems, I reject any HELO coming from 
the outside that looks like localhost, the box's own addresses or domain 
names, the RFC 2606 reserved names, and a handful of common pseudo-TLDs, 
including '.localdomain'.  But it's perfectly fine to use 'localhost' over 
the loopback:

Received: from localhost (localhost [127.0.0.1])
     by jupiter.loonybin.net (Postfix) with ESMTP id 3032BA2813F
     for <rwf@...>; Wed,  2 Mar 2011 18:15:15 -0500 (EST)

-Rob

Rob, Patrick,

> > RFC 2006 <http://tools.ietf.org/rfc/rfc2606.txt> indicates you are right.
> > I need to do some testing. Maybe I jumped to the wrong conclusion why
> > specifying "localhost" only causes problems.
> 
> reject_non_fqdn_helo_hostname will catch a bare 'localhost' since it has
> no '.', but 'localhost.' doesn't work either, since the implementation
> specifically checks for '.' within the string.  So it'll cause problems
> here either way, but...
>   [...]
> I'd say that's a mistake, and not one amavisd-new should be trying
> particularly hard to avoid.  On my systems, I reject any HELO coming from
> the outside that looks like localhost, the box's own addresses or domain
> names, the RFC 2606 reserved names, and a handful of common pseudo-TLDs,
> including '.localdomain'.  But it's perfectly fine to use 'localhost' over
> the loopback:

Well, so far the 'localhost' seems to have caused least surprises.
Initially the default was to use $myhostname, but that caused Postfix
to complain about mail looping. I agree that 'localhost.' may indeed
be a little bit better choice - but in the absence of 'search' or
'domain' in /etc/resolv.conf (at the MTA host) they are both the same.
Not sure if it is worth changing the defult, considering that the
reject_non_fqdn_helo_hostname will reject either.

  Mark