irulan.net

Blocking Spammers with Postfix HELO Controls

There are certain questionable tools available online to bulk-check entire email address lists. One of them is MailTester.com, which I’m going to use to illustrate how to block certain HELO messages. I encourage you to scan your mail log files and identify other fraudulent services and servers. Use this carefully, though, to avoid blocking legitimate servers.

The file locations are for BSD systems and source installations. If you’re using Linux, adapt them accordingly.

Add the following to /usr/local/etc/postfix/main.cf:

# HELO RESTRICTIONS
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
  permit_mynetworks,
  check_helo_access hash:/usr/local/etc/postfix/helo_access,
  permit

Afterwards, add the file /usr/local/etc/postfix/helo_access with the following content:

mailtester.com    REJECT Uhh... You're doing weird stuff to me. Stop it!

Run postmap -n /usr/local/etc/postfix/helo_access to evaluate the file and create the relevant .db file.

Reload Postfix via service postfix reload.

Now, a HELO message is needed before other email servers can interact with yours. This is good practice and widely implemented. If someone uses MailTester.com, their tool identifies itself and gets kicked out with the message Uhh... You're doing weird stuff to me. Stop it! before it can check for valid addresses. Because smtpd_delay_reject = yes, Postfix sends that rejection in response to RCPT TO, so the tool gets the same answer for every address it tries.
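To act on the advice about scanning your logs without blocking legitimate servers, here is a dry run of a candidate helo_access table against HELO names found in a log. It is an added example, not part of the original post: the log lines are constructed, the function names are made up for illustration, and the lookup is a simplified model of how check_helo_access tries the HELO name and then its parent domains.

```python
import re
from collections import Counter

# Constructed log lines in the shape of Postfix smtpd reject records.
SAMPLE_LOG = """\
Jan 10 03:12:01 mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <a@example.net>: Recipient address rejected: User unknown; from=<p@example.org> to=<a@example.net> proto=ESMTP helo=<mailtester.com>
Jan 10 03:12:02 mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from unknown[203.0.113.9]: 550 5.1.1 <b@example.net>: Recipient address rejected: User unknown; from=<p@example.org> to=<b@example.net> proto=ESMTP helo=<mailtester.com>
Jan 10 04:40:17 mx postfix/smtpd[902]: NOQUEUE: reject: RCPT from unknown[198.51.100.4]: 550 5.1.1 <c@example.net>: Recipient address rejected: User unknown; from=<p@example.org> to=<c@example.net> proto=ESMTP helo=<MX1.MailTester.com>
Jan 10 05:01:44 mx postfix/smtpd[950]: NOQUEUE: reject: RCPT from mail.example.org[192.0.2.25]: 550 5.1.1 <d@example.net>: Recipient address rejected: User unknown; from=<u@example.org> to=<d@example.net> proto=ESMTP helo=<mail.example.org>
"""
# Candidate table: the entry from this page.
CANDIDATE = "mailtester.com    REJECT Uhh... You're doing weird stuff to me. Stop it!\n"

HELO_RE = re.compile(r"helo=<([^>]*)>")

def parse_access(text):
    """Parse 'key action' lines; keys are lower-cased, comments and blanks skipped."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            table[parts[0].lower()] = parts[1].strip()
    return table

def lookup(table, helo, parent_matches_subdomains=True):
    """Return (key, action) for the first match on the name or a parent domain."""
    name = helo.lower()
    if name in table:
        return name, table[name]
    while "." in name:
        name = name.split(".", 1)[1]
        # Parents match as 'domain.tld' when smtpd_access_maps is listed in
        # parent_domain_matches_subdomains (the default), else as '.domain.tld'.
        key = name if parent_matches_subdomains else "." + name
        if key in table:
            return key, table[key]
    return None

def preview(log_text, table_text, parent_matches_subdomains=True):
    """Count HELO names in the log and report which ones the table would hit."""
    table = parse_access(table_text)
    seen = Counter(m.group(1).lower() for m in HELO_RE.finditer(log_text))
    hits = {}
    for helo, count in seen.items():
        match = lookup(table, helo, parent_matches_subdomains)
        if match:
            hits[helo] = (match[0], match[1].split()[0], count)
    return seen, hits

if __name__ == "__main__":
    seen, hits = preview(SAMPLE_LOG, CANDIDATE)
    for helo, count in seen.most_common():
        print(f"{count:4d}  {helo:24s} {hits.get(helo, ('-', 'no match'))[1]}")
```

Note that with Postfix's default settings the single mailtester.com entry also catches mx1.mailtester.com, so check every parent-domain hit before adding broader keys.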

An even more atomic solution is to add

disable_vrfy_command = yes

to main.cf. This disables the SMTP VRFY command, which completely removes the ability to check for valid email addresses without actually attempting to send a message to them.