Replace Cluebringer by iRedAPD plugins

Issue #54 wontfix
Zhang Huangbin
repo owner created an issue

Major modules & features:

  • Greylisting. Must support server-wide, per-domain and per-user greylisting.

  • [?] HELO restrictions

    • HRP : helo randomization prevention. this will track every HELO/EHLO a host uses.
    • HRP Period : If the number of unique HELO/EHLO's exceeds HRP Limit in a period, email is rejected. Default: 2419200 seconds (28 days)
    • HRP Limit: Reject mail when the number of unique HELO/EHLO's hits this number. Default: 5
    • Reject invalid HELO
    • Reject NonLiteral IP
    • Reject NonResolvable Domain

    • [?] Maybe manage a plain text file used directly by Postfix (smtpd_helo_restrictions = ..., check_helo_access pcre:/path/to/file)

    • [?] PCRE compatible regular expression support?
    • [?] Widecard (*, %, ?) support?

Already implemented

  • Throttling (implemented by iRedAPD plugin throttle)

    • number of mails in specified period

      • per sender IP address
      • per sender email address
      • per sender domain
    • max size of single message

  • Greylisting

Comments (8)

  1. eXtremeSHOK

    Added extra info for HELO restrictions:

    HRP : helo randomization prevention. this will track every HELO/EHLO a host uses.

    HRP Period : If the number of unique HELO/EHLO's exceeds HRP Limit in a period, email is rejected. Default: 2419200 seconds (28 days)

    HRP Limit: Reject mail when the number of unique HELO/EHLO's hits this number. Default: 5

    Reject invalid HELO'

    Reject NonLiteral IP

    Reject NonResolvable Domain

    RFC 2821, page 29, section 4.1.1.1 describes the HELO/EHLO command and states the following "The argument field contains the fully-qualified domain name of the SMTP client …". Reject non-Literal IP RFC 2821, page 22, section 3.6 defines a domain as being fully qualified and resolvable… "Only resolvable, fully-qualified, domain names (FQDNs) are permitted when domain names are used in SMTP…. Local nicknames or unqualified names MUST NOT be used… The domain name given in the EHLO command MUST BE either a primary host name (a domain name that resolves to an A RR) or, if the host has no name, an address literal as described in section 4.1.1.1…". Therefore, this option rejects a non-literal IP being used in a helo. ie. a.b.c.d would be rejected whereas [a.b.c.d] would be allowed.

  2. Log in to comment