## page was renamed from qmail/spp/badhelo ## page was copied from DnsTemplate ##master-page:HelpTemplate <> <> = sagredo = {{{ Installation and configuration I assume that you have already patched qmail with qmail-spp. If you are using my combined patch you are ok. }}} Download, compile and install: {{{ cd /usr/local/src wget https://notes.sagredo.eu/files/qmail/patches/qmail-spp/plugins/helodnscheck/helodnscheck7.c gcc -o /var/qmail/plugins/helodnscheck helodnscheck7.c -lresolv }}} Now enable the plugin, adding it to /var/qmail/control/smtpplugins in the [helo] section: {{{ [helo] plugins/helodnscheck }}} == 複雑 == Then enable qmail-spp and set up the plugin parameters to your needs. I suggest the following in your qmail-smtpd run file: export ENABLE_SPP=1 export HELO_DNS_CHECK=PLRIV In this way only bad HELOs of type 1 (I) and 2 (V) will be denied unless RELAYCLIENT is defined (R). All other DNS failures will pass through (P) and each of them will be logged (L). Be aware that the HELO check can't work well on the submission port, where your IP cannot match the HELO, so you don't have to define HELO_DNS_CHECK in your qmail-submission run file. Of course you can define HELO_DNS_CHECK via tcprules or whitelist a particular IP via NOHELODNSCHECK as follows: 111.222.333.444:allow, NOHELODNSCHECK="" :allow,HELO_DNS_CHECK="PLRIV" The program's behaviour is defined in the HELO_DNS_CHECK variable: {{{ [default] - deny if HELO doesn't solve to a record P - passthrough, don't deny even when HELO doesn't solve to A record (of course, use with L and/or H) B - Block if TCPREMOTEIP is not contained in the solved addresses L - Log H - add Header "X-Helo-Check" R - if "RELAYCLIENT" is set, don't do anything D - Debug mode (use with L) V - Block if "RELAYCLIENT" is NOT set and the HELO is one of our IPs contained in control/moreipme. "localhost" will be denied as well. You don't want to use it together with B. I - Invalid hostname in HELO/EHLO (not solving) are denied. Using this one together with B is redundant. The above can be combined, so BL means block & log if TCPREMOTEIP is not set. Note: If there is no HELO/EHLO argument, it defaults to a permanent block. }}} == history == {{{ }}} ---- CategoryDns CategoryWatch CategoryTemplate