This plugin provides an ability to reject, defer or add it's helo name checking results to message header.
IMPORTANT: This plugin is written for and tested with mailfront 2.00 but should work with version 1.12 and above.
If set, sender's mail will be rejected with repy code 554. This take preference of $HELO_CHECK_DEFER.
If set, sender's mail will be deferred with repy code 421.
If set, this plugin will be skipped.
If set, this plugin will be skipped.
If set and empty, this plugin will be skipped.
If set, this plugin will check helo hostname and remotehost whether both are the same otherwise add headers or defer or reject accordingly.
If set, this plugin will check helo name A records and remoteip whether both are the same otherwise add headers or defer or reject accordingly. If both are the same, add headers and skip the rest of the checks.
If set, this plugin will check the first 3 octets of remoteip against helo name A records. If there isn't a match, add headers or defer or reject accordingly. If there is, add headers and skip the rest of the checks.
If set, this plugin will make sure the PTR record resolves to the same given helo name. If this is not set, this plugin will only check for PTR record of the given helo name's IP exists.
If set, this plugin will log its checking to stderr.
If all the mentioned variables not set and sender is not authenticated, this plugin will add it's helo name checking in each message header.
When sender issue HELO command, this plugin will set the environment variable $SENDER_HELO_HOSTNAME to the sender given helo name and do it's helo checking.
The following will be rejected, deferred or add to message headers accordingly to the environment variables configuration:
HELO (empty) HELO localhost (without a period) HELO .com (starts with a period) HELO fake.com. (ends with a period) HELO !@#$%^&* (characters not normally allowed in domain names) HELO [192.168.1.1] (starts with [ or ends with ]) HELO 192.168.1.1 (IPv4 Address not allowed)
If $HELO_CHECK_REMOTEHOST is set, then the helo name must match the remotehost name.
If $HELO_CHECK_REMOTEIP is set, then one of the helo name's A record must match the remoteip.
If $HELO_CHECK_REMOTEIP_MATCH is set, then one of the helo name's A record must match the first 3 octets of remoteip.
None
If $HELO_CHECK_REJECT or $HELO_CHECK_DEFER not set, this plugin will add it's helo name checking result to the message header otherwise it will reject or defer accordingly if sender is not authenticated.
X-HELO-Check-Result: PASSED X-HELO-Check-Summary: There is 1 A record for sender_helo_name, 1 PTR record and 1 PTR record resolves to the same hostname.
This plugin will log to stderr as an example below if $HELO_CHECK_VERBOSE is set:
mailfront-plugin-check-helo[pid]: Start checking heloname=sender_helo_name mailfront-plugin-check-helo[pid]: ip[0]=sender_ip ptr[0]=sender_hostname_from_ptr_lookup ptr=YES|NO ipmatch=YES|NO ptrcheck=PASSED|FAILED
NOTE: If ip[N] and ptr[N] are the same means PTR DNS lookup for the ip failed.
None