Introduction

Last Updated: 07 Aug 2013 GMT +8.

A mailfront plugin to provide an ability to reject, defer or add it's HELO name checking results to message header.

Reference: http://www.linuxmagic.com/best_practices/valid_helo_domain.html

IMPORTANT: This plugin is written for and tested with mailfront 2.00 but should work with version 1.12 and above.


Environment Configuration (checks sequence)

  1. If $HELO_CHECK_SKIP is set, this plugin will be skipped

  2. If $RELAYCLIENT is set, add to message header and skip the remaining checks. Example of message header added:

    X-HELO-Check-Result: SKIPPED: $RELAYCLIENT is set for 1.2.3.4

  3. If sender is authenticated, add to message header and skip the remaining checks. Example of message header added:

    X-HELO-Check-Result: SKIPPED: authenticated user from 1.2.3.4

  4. If $RBLSMTPD is set and empty, add to message header and skip the remaining checks.

  5. If $HELO_CHECK_REMOTEHOST or $HELO_CHECK_REMOTEHOST_MATCH is set, this plugin will check ${PROTO}REMOTEHOST is not empty. If is empty, will do a DNS PTR lookup using ${PROTO}REMOTEIP and use the return value as ${PROTO}REMOTEHOST.

  6. If $HELO_CHECK_REMOTEHOST is set, this plugin will check HELO name is not empty. If it is empty, add to message header or defer or reject accordingly and skip the remaining checks. (Refer to $HELO_CHECK_ADD_HEADER, $HELO_CHECK_DEFER and $HELO_CHECK_REJECT) Example of message header added:

    X-HELO-Check-Result: FAILED
    X-HELO-Check-Summary: REMOTEHOST is empty and PTR DNS lookup for IP 1.2.3.4 failed

  7. If $HELO_CHECK_REMOTEHOST_MATCH is set, this plugin will check HELO name and ${PROTO}REMOTEHOST whether both are the same otherwise add to message header or defer or reject accordingly and skip the remaining checks. (Refer to $HELO_CHECK_ADD_HEADER, $HELO_CHECK_DEFER and $HELO_CHECK_REJECT) Example of message header added:

    X-HELO-Check-Result: FAILED
    X-HELO-Check-Summary: HELO name and REMOTEHOST doesn't match

  8. Check HELO name for the following:
    1. Cannot starts with ".", "[" and "-"
    2. Cannot ends with ".", "]" and "-"
    3. Must have at least a "." (dot)
    4. Cannot have any of the following characters besides TAB and SPACE:
      ~!@#$%^&*()_+={}[]:;"'<>,?/|
    5. Cannot use a valid IPv4 or IPv6 address

    NOTE: If any of the above checks failed, the remaining checks will be skipped. (Refer to $HELO_CHECK_ADD_HEADER, $HELO_CHECK_DEFER and $HELO_CHECK_REJECT) Example of message header added:

    X-HELO-Check-Result: FAILED
    X-HELO-Check-Summary: '.' found in last character of HELO name sender_set_HELO_name

  9. Do a DNS lookup for HELO name for A, AAAA and PTR records. If the DNS lookup failed due to no such name exists will skip all remaining checks and add to message header or defer or reject. (Refer to $HELO_CHECK_ADD_HEADER, $HELO_CHECK_DEFER and $HELO_CHECK_REJECT) Any other errors such as timeout etc. will result in skipping the remaining checks and message will be deferred with reply code 451 if $HELO_CHECK_REJECT or $HELO_CHECK_DEFER is set otherwise if $HELO_CHECK_ADD_HEADER is set will add to message header. Example of message header added:

    X-HELO-Check-Result: FAILED
    X-HELO-Check-Summary: DNS lookup error for HELO name sender_set_HELO_name

  10. If $HELO_CHECK_REMOTEIP is set, this plugin will check for a match of ${PROTO}REMOTEIP and HELO name IP. If there is a match, skip the remaining checks and add header if $HELO_CHECK_ADD_HEADER is set. If there is no match, add to message header or defer or reject. (Refer to $HELO_CHECK_ADD_HEADER, $HELO_CHECK_DEFER and $HELO_CHECK_REJECT) Example of message header added:

    X-HELO-Check-Result: PASSED
    X-HELO-Check-Summary: REMOTEIP matches sender_set_HELO_name's IP

  11. If $HELO_CHECK_REMOTEIP_MATCH is set, this plugin will check for a match the first 3 octets (within same class C) of ${PROTO}REMOTEIP if is a valid IPv4 address against helo name A records. If there isn't a match, add headers or defer or reject accordingly. If there is a match, add headers if $HELO_CHECK_ADD_HEADER and skip the rest of the checks. Example of message header added:

    X-HELO-Check-Result: SKIPPED
    X-HELO-Check-Summary: REMOTEIP 1.2.3.4 matches first 3 octets of sender_set_HELO_name's IP 1.2.3.50 (same class C)

  12. If $HELO_CHECK_PTR is set, this plugin will check the HELO name's A records to have at least one PTR record. If the check failed, it will add to message header or defer or reject accordingly. Example of message header added:

    X-HELO-Check-Result: FAILED
    X-HELO-Check-Summary: X-HELO-Check-Summary: PTR record not found for HELO name sender_set_HELO_name

  13. If $HELO_CHECK_PTR_MATCH is set, this plugin will check there is at least one of the PTR record resolves to the same given HELO name. If the check failed, it will add to message header or defer or reject accordingly. Example of message header added:

    X-HELO-Check-Result: FAILED
    X-HELO-Check-Summary: X-HELO-Check-Summary: PTR record doesn't resolves back to HELO name sender_set_HELO_name

  14. If $HELO_CHECK_REJECT is set, sender will be rejected with reply code 553 if any of the above checks failed.

  15. If $HELO_CHECK_DEFER is set, sender will be deferred with reply code 451 if any of the above checks failed. NOTE: $HELO_CHECK_DEFER takes precedence over $HELO_CHECK_DEFER.

  16. If $HELO_CHECK_ADD_HEADER is set, this plugin will add its checking result to each mail message header accepted.

  17. If $HELO_CHECK_VERBOSE is set, this plugin will log all its checking to stderr.


Sender Action

When sender issue HELO command, this plugin will set the environment variable $SENDER_HELO_HOSTNAME to the sender given helo name and do it's helo checking.

The following will be rejected, deferred or add to message headers accordingly to the environment variables configuration:

HELO (empty)
HELO localhost (without a period)
HELO .com (starts with a period)
HELO fake.com. (ends with a period)
HELO !@#$%^&* (characters not normally allowed in domain names)
HELO [192.168.1.1] (starts with [ or ends with ])
HELO 192.168.1.1 (IPv4 Address not allowed)

If $HELO_CHECK_REMOTEHOST is set, then the helo name must match the remotehost name.

If $HELO_CHECK_REMOTEIP is set, then one of the helo name's A/AAAA record must match the remoteip.

If $HELO_CHECK_REMOTEIP_MATCH is set, then one of the helo name's A/AAAA record must match the remoteip IP class.


Recipient Action

None

Data Action

If $HELO_CHECK_REJECT or $HELO_CHECK_DEFER not set, this plugin will add it's helo name checking result to the message header otherwise it will reject or defer accordingly if sender is not authenticated.

X-HELO-Check-Result: PASSED
X-HELO-Check-Summary: There is 1 A record for sender_helo_name, 1 PTR record and 1 PTR record resolves to the same hostname.

This plugin will log to stderr as an example below if $HELO_CHECK_VERBOSE is set:

mailfront-plugin-check-helo[pid]: Start checking heloname=sender_helo_name
mailfront-plugin-check-helo[pid]: ip[0]=sender_ip ptr[0]=sender_hostname_from_ptr_lookup ptr=YES|NO ipmatch=YES|NO ptrcheck=PASSED|FAILED

NOTE: If ip[N] and ptr[N] are the same means PTR DNS lookup for the ip failed.


Message Action

None

Requirements

  • mailfront version 2.00 or later (might work with earlier version)
  • bglibs version 1.104 or later (might work with earlier version)
  • libowfat (http://www.fefe.de/libowfat/)

Installation

  • Build and install mailfront
  • Switch back to this package
  • Adjust the contents of the conf-* files
  • Build the sources by running "make"
  • Install the plugin by running "make install"

Mailfront Plugins Configuration

Place check-helo in mailfront's plugin list. Depending on your setup:

  • edit the smtpfront-qmail shell script and place the string check-helo after add-received
  • edit the PLUGINS environment variable and place the string check-helo after add-received
  • place the argument check-helo after the add-received of the mailfront command

Set up environment as described in Environment Configuration above or plugin-check-helo.html which is included in the package.


License

This package is copyright © 2013 Giam Teck Choon or CHOON.NET, and may be copied according to the GNU GENERAL PUBLIC LICENSE (GPL) Version 2 or a later version. A copy of this license is included with this package. This package comes with no warranty of any kind.


Changes

  • 24 May 2013 GMT+8 : release version 0.01
  • Initial release
  • 25 May 2013 GMT+8 : release version 0.02
  • Add define macro MAX_DNSIP_RECORDS default to 10 if not define and update function check_hostname to have this limit
  • 30 May 2013 GMT+8 : release version 0.03
  • Fix plugin-check-helo.html
  • spec: Update and bump to version 0.03
  • Update plugin-check-helo.html
  • Update README
  • Add match_ipv4 function, implement $HELO_CHECK_REMOTEIP and $HELO_CHECK_REMOTEIP_MATCH
  • Add init_HostDNSIP function, redo struct HostDNSIP and free_HostDNSIP function
  • Implement support environment variable $HELO_CHECK_VERBOSE
  • 31 May 2013 GMT+8 : release version 0.04
  • Fix typo in resp.number to 421 instead of 451 if $HELO_CHECK_DEFER is set
  • Change return value in check_hostname function to actual ret value instead of 0
  • If ret == EAI_MEMORY return Out of Memory error in response in function response *sender besides int outofmemory greater than 0
  • If resp.number is greater than 0 and ret == EAI_NONAME, defer or reject accordingly in function response *sender otherwise defer the mail for remote MTA to retry later as failsafe
  • 07 Jun 2013 GMT+8 : release version 0.05
  • Change response numbers for defer (451) and reject (553) to follow what we used for rblsmtpd instead
  • Add support to skip this plugin if $RBLSMTPD is set and empty
  • Various bugs fixed mainly due to str_free() those not suppose to for static str declarations
  • Rename declaration of str errormsg to str estr
  • 23 Jun 2013 GMT+8 : release version 0.06
  • Add new define elogerr function and simplified those printing to stderr log
  • Change coding style to 2 spacing instead of using TAB as there is no reason to follow kernel coding style
  • Add $HELO_CHECK_PTR_MATCH support
  • Add $HELO_CHECK_ADD_HEADER support
  • Update README and plugin-check-helo.html
  • 07 Aug 2013 GMT+8 : release version 0.07
  • Fix typo in plugin-check-helo.html
  • Fix another typo in plugin-check-helo.html
  • Update Makefile
  • Update Makefile again
  • Add IPv6 support
  • Update doc and spec file
  • spec file: Add BuildRequires: libowfat-devel >= 0.29 and Requires: libowfat-shared

Download

Portal Log In/Sign In

Log In/Sign In to the Portal requires cookies and javascript.

×
×