We're doing several checks for spam at our Postfix mail server. One of them is checking HELO messages. Today we noticed that we were blocking valid mail servers with this check.
Many spammers send a HELO of a well known top-domain like “yahoo.com” - the real Yahoo servers will of course identify with something like “web52204.mail.re2.yahoo.com” instead of “yahoo.com” only. A perfect way to drop a lot of spam. Or so I thought.
The problem turned out to be that the HELO checks done through “check_helo_access hash:/etc/postfix/maps/helo_access” were matching subdomains, too.
The solution is simple. Just add the following to your “/etc/postfix/main.cf”:
parent_domain_matches_subdomains = debug_peer_list, fast_flush_domains, mynetworks, permit_mx_backup_networks, qmqpd_authorized_clients, relay_domains
This is the default value of that setting with “smtpd_access_maps” left out, so it removes implicit subdomain matching from the “smtpd_access_maps” checks while the other listed features keep it. If you really want to check subdomains as well, just add a leading dot in your hash map. E.g. the following will reject “foo.cosmocode.de” but not “mx.yahoo.com”:
.cosmocode.de REJECT Bad HELO. You are not me. Go away!
yahoo.com REJECT Bad HELO. Go away!
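To see exactly which HELO names each entry form catches, here is an added Python simulation of the documented access-map lookup order (full name first, then each parent domain, dotted or undotted depending on the setting). It is not Postfix's own code; the map HELO_ACCESS is the one from this post, constructed inline, and the function names are mine.

```python
"""Simulate how Postfix consults an access map for a HELO name.

Illustration only (not Postfix's own code): the lookup tries the full name
first, then each parent domain up to the TLD. Which parent form is tried
depends on whether smtpd_access_maps is listed in
parent_domain_matches_subdomains (implicit mode) or not (explicit mode).
"""

# Constructed access map with the same entries as the hash map above.
HELO_ACCESS = {
    ".cosmocode.de": "REJECT Bad HELO. You are not me. Go away!",
    "yahoo.com": "REJECT Bad HELO. Go away!",
}


def lookup_keys(name, implicit_subdomains):
    """Yield the map keys that would be tried for `name`, in order."""
    name = name.lower()
    labels = name.split(".")
    yield name                               # exact match first
    for i in range(1, len(labels)):          # then every parent domain
        parent = ".".join(labels[i:])
        # implicit mode: a plain "domain.tld" entry also matches subdomains
        # explicit mode (the main.cf above): only a ".domain.tld" entry does
        yield parent if implicit_subdomains else "." + parent


def helo_action(helo, access_map, implicit_subdomains):
    """Return the action of the first matching entry, or None if no entry matches."""
    for key in lookup_keys(helo, implicit_subdomains):
        if key in access_map:
            return access_map[key]
    return None


if __name__ == "__main__":
    for helo in ("yahoo.com", "mx.yahoo.com", "foo.cosmocode.de", "cosmocode.de"):
        print(f"{helo:18} implicit={helo_action(helo, HELO_ACCESS, True)!r}"
              f"  explicit={helo_action(helo, HELO_ACCESS, False)!r}")
```

Running it shows the failure from the post: with the default (implicit) setting, a plain yahoo.com entry also rejects mx.yahoo.com, while after the main.cf change only the dotted entry matches subdomains.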