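### acl_25_local-config_check_helo -*-sh-*-
#####################################
# This access control list is used after a helo command.
#
# NET_ADDRESS, CONFDIR and the TG_SHORT/TG_STD/TG_LONG delay values are
# macros defined elsewhere in the configuration, not in this file.
# $runrc is set by the ${run{spfquery ...}} expansion in the SPF accept
# statement and is reused by every SPF statement that follows it.

acl_local_helo:

  # Accept commands received over a local interface, and from hosts
  # for which we relay mail.
  accept
    hosts = : +relay_from_hosts

  # Accept commands received over the submission port
  accept
    condition = ${if eq {$interface_port}{587}}

  # No pipelining if helo doesn't verify
  warn
    !verify = helo
    control = no_pipelining

  # Deny if HELO has no domain: ${extract{-2}...} yields "true" only when
  # the name has at least two dot-separated labels.
  deny
    message = Server name $sender_helo_name is not a FQDN.\n\
              Please contact your ISP or system administrator.
    log_message = HELO is a hostname
    !condition = ${extract{-2}{.}{$sender_helo_name}{true}}
    delay = TG_LONG

  # Deny if HELO is my address
  deny
    condition = ${if match_domain{$sender_helo_name}\
                {NET_ADDRESS : $primary_hostname : +local_domains : +relay_to_domains}}
    message = Server name $sender_helo_name is not your name, it is mine.\n\
              Please contact your ISP or system administrator.
    log_message = HELO is my address
    delay = TG_LONG

  # Deny if HELO is a bare IP address (domain literals in [] are handled
  # by a separate statement below)
  deny
    condition = ${if isip {$sender_helo_name}}
    message = Server name $sender_helo_name is IP address not a FQDN.\n\
              Please contact your ISP or system administrator.
    log_message = HELO is an IP address
    delay = TG_LONG

.ifdef STRICT_HELO_DOMAINS
  # Warn (with delay) if the HELO name does not verify and the last two
  # labels of the name have no NS record.  defer_never treats a DNS defer
  # as "not found".  Hosts listed in CONFDIR/local_broken_dns_whitelist
  # are exempt.
  warn
    message = $sender_helo_name does not belong to a valid domain.\n\
              Please contact your ISP or system administrator.
    log_message = HELO host has a bogus domain
    !verify = helo
    !hosts = ${if exists{CONFDIR/local_broken_dns_whitelist}\
             {CONFDIR/local_broken_dns_whitelist}{}}
    !condition = ${lookup dnsdb{defer_never,ns=\
                 ${extract{-2}{.}{$sender_helo_name}}.\
                 ${extract{-1}{.}{$sender_helo_name}}}{true}}
    delay = TG_STD
.endif

  # Quietly add a long delay if host is DNS blacklisted, unless it is
  # listed on dnswl.org
  warn
    !dnslists = list.dnswl.org
    dnslists = zen.spamhaus.org:bl.spamcop.net
    delay = TG_LONG

  # Deny if sender uses domain literal. We don't support them.
  deny
    message = We do not accept domain literals from the Internet.\n\
              Please contact your ISP or system administrator.
    log_message = HELO used domain literal
    condition = ${if match {$sender_helo_name}{\N^\[.*\]$\N}{true}}
    !hosts = ${if exists{CONFDIR/local_host_whitelist}\
             {CONFDIR/local_host_whitelist}{}}
    delay = TG_LONG

  # Accept if HELO is allowed by SPF (spfquery exit code 0).
  # $sender_helo_name is supplied by the remote client, so it is passed
  # through ${quote:} before being placed in the command string: ${run}
  # does not use a shell, but it does split its expanded argument string on
  # whitespace and double quotes, and ${quote:} keeps the name a single
  # argument however it is spelled.
  # NOTE(review): the HELO name is also handed to --mail-from; presumably
  # intended for a HELO-identity check -- confirm against the spfquery
  # version in use.
  accept
    set acl_m9 = --ip $sender_host_address \
                 --helo ${quote:$sender_helo_name} \
                 --mail-from ${quote:$sender_helo_name}
    set acl_m9 = ${run{/usr/bin/spfquery $acl_m9}}
    condition = ${if = {$runrc}{0}{1}{0}}

  # Deny if HELO is forbidden by SPF (spfquery exit code 1).
  # The message names $sender_helo_name because that is the identity
  # spfquery was asked about; the client's reverse-DNS name is not queried.
  deny
    message = SPF forbids use of $sender_helo_name to send email from \
              $sender_host_address.\nPlease contact your ISP or system administrator.\n\
              SPF Results: $acl_m9.
    log_message = HELO SPF denies service
    condition = ${if = {$runrc}{1}{true}}
    delay = TG_LONG

  # Deny if SPF is available and HELO is not an SPF approved sender
  # (exit codes 2 and 3) for clients that have neither verifiable reverse
  # DNS nor a verifiable HELO and are not in CONFDIR/local_host_whitelist.
  deny
    message = SPF does not approve $sender_host_address to send email from \
              $sender_helo_name.\n\
              Please use an approved address to send email.\n\
              Please contact your ISP or system administrator.\n\
              SPF Results: $acl_m9.
    log_message = HELO SPF deny $runrc
    !verify = reverse_host_lookup
    !verify = helo
    condition = ${if or{ {={$runrc}{2}} {={$runrc}{3}} }{true}}
    !hosts = ${if exists{CONFDIR/local_host_whitelist}\
             {CONFDIR/local_host_whitelist}{}}
    delay = TG_SHORT

  # Defer (rather than deny) the same SPF result for clients that passed
  # at least one of the reverse-DNS/HELO checks above but are not whitelisted
  defer
    message = SPF does not approve $sender_host_address to send email from \
              $sender_helo_name.\n\
              Please use an approved address to send email.\n\
              Please contact your ISP or system administrator.\n\
              SPF Results: $acl_m9.
    log_message = HELO SPF defer $runrc
    condition = ${if or{ {={$runrc}{2}} {={$runrc}{3}} }{true}}
    !hosts = ${if exists{CONFDIR/local_host_whitelist}\
             {CONFDIR/local_host_whitelist}{}}

  # Defer if temporary errors while determining SPF status (exit code 5)
  defer
    message = Temporary error while checking SPF (Sender Policy Framework)
    log_message = HELO SPF defer $runrc
    condition = ${if = {$runrc}{5}{true}}

  # Accept the command.  Any spfquery exit code not handled above, and
  # whitelisted clients with exit code 2 or 3, reach this point.
  accept

# EOF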