Blocking Spammers with Postfix HELO Controls
There are certain questionable tools available online that bulk-check entire email address lists. One of them is MailTester.com, which I’m going to use to illustrate how to block certain HELO messages. I encourage you to scan your mail log files and identify other fraudulent services and servers. Use this carefully, to avoid blocking legitimate servers.
The file locations are for BSD systems and source installations. If you’re using Linux, adapt them accordingly.
Add the following to main.cf:
# HELO RESTRICTIONS
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks, check_helo_access hash:/usr/local/etc/postfix/helo_access, permit
Afterwards, add the file /usr/local/etc/postfix/helo_access with the following content:
mailtester.com REJECT Uhh... You're doing weird stuff to me. Stop it!
Run postmap -n /usr/local/etc/postfix/helo_access to evaluate the file and create the relevant
Reload Postfix via service postfix reload.
Now, a HELO message is needed before other email servers can interact with yours. This is good practice and widely implemented. If someone uses MailTester.com, their tool identifies itself and gets kicked out with a "Uhh... You're doing weird stuff to me. Stop it!" message before it can check for valid addresses.
An even more atomic solution is to add
disable_vrfy_command = yes
to main.cf. This completely disables the ability to check for valid email addresses without actually attempting to send a message to them.
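To find other HELO names worth reviewing, as the introduction suggests, the following added example (not part of the original post) tallies Postfix "User unknown" RCPT rejections per HELO name and reports names that probed several distinct recipients. The log lines are constructed samples in Postfix's smtpd reject format; the function name `probing_helos` and the threshold `min_rcpts` are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix smtpd reject-log format (not real traffic).
def _line(n, client, helo, rcpt, status="550 5.1.1",
          reason="User unknown in local recipient table"):
    return (f"Jan 12 10:00:0{n} mx postfix/smtpd[811]: NOQUEUE: reject: RCPT from "
            f"{client}: {status} <{rcpt}>: Recipient address rejected: {reason}; "
            f"from=<probe@{helo}> to=<{rcpt}> proto=ESMTP helo=<{helo}>")

SAMPLE_LOG = "\n".join([
    _line(1, "unknown[203.0.113.5]", "checker.example", "al@example.org"),
    _line(2, "unknown[203.0.113.5]", "checker.example", "bo@example.org"),
    _line(3, "unknown[203.0.113.9]", "Checker.Example", "cy@example.org"),
    _line(4, "mx.partner.example[198.51.100.7]", "mx.partner.example", "jon@example.org"),
    _line(5, "unknown[203.0.113.5]", "checker.example", "al@example.org"),  # repeat probe
    _line(6, "mx.partner.example[198.51.100.7]", "mx.partner.example",
          "dee@example.org", status="450 4.2.0", reason="Greylisted"),
])

# Pull client, recipient and HELO name out of a RCPT reject line.
REJECT = re.compile(r"reject: RCPT from (?P<client>\S+): .*?"
                    r"to=<(?P<rcpt>[^>]*)> .*?helo=<(?P<helo>[^>]*)>")

def probing_helos(log_text, min_rcpts=3):
    """Return {helo: {"rcpts": n, "clients": [...]}} for HELO names that hit
    at least min_rcpts distinct unknown recipients."""
    rcpts, clients = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if not m or "User unknown" not in line:
            continue  # only failed recipient lookups suggest address probing
        helo = m["helo"].lower()  # hostnames compare case-insensitively
        rcpts[helo].add(m["rcpt"].lower())
        clients[helo].add(m["client"])
    return {h: {"rcpts": len(r), "clients": sorted(clients[h])}
            for h, r in rcpts.items() if len(r) >= min_rcpts}

if __name__ == "__main__":
    for helo, info in sorted(probing_helos(SAMPLE_LOG).items()):
        print(f"{helo}: {info['rcpts']} unknown recipients "
              f"via {', '.join(info['clients'])}")
```

Check each reported name against its client hosts before adding it to helo_access, since a legitimate server can also produce a few unknown-recipient rejections.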