author | Micah <micah@leap.se> | 2016-07-12 11:20:58 -0400 |
---|---|---|
committer | Micah <micah@leap.se> | 2016-07-19 10:44:11 -0400 |
commit | bbdc193f05cb2f1624d6c7bbffd27f8060de35c8 (patch) | |
tree | 5afe409027ccc69fd7d3c1895e39bb1800c9d2d0 /puppet/modules/site_postfix/manifests | |
parent | 68544ba2ffdfa988c060b3b4c5bd075f7304a022 (diff) |
Block ip-based helo at MTA (#8139).
Numeric helo is a very strong indicator of spam. When this is blocked, a
very significant amount of spam stops.
Change-Id: Ieb340190faf37638950d1aa60b52268659e0b7f6
Diffstat (limited to 'puppet/modules/site_postfix/manifests')
-rw-r--r-- | puppet/modules/site_postfix/manifests/mx/checks.pp | 7 | ||||
-rw-r--r-- | puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp | 2 |
2 files changed, 8 insertions, 1 deletions
diff --git a/puppet/modules/site_postfix/manifests/mx/checks.pp b/puppet/modules/site_postfix/manifests/mx/checks.pp index f406ad34..9678c205 100644 --- a/puppet/modules/site_postfix/manifests/mx/checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/checks.pp @@ -1,3 +1,4 @@ +# management of specific MTA checks class site_postfix::mx::checks { file { @@ -13,6 +14,12 @@ class site_postfix::mx::checks { mode => '0644', owner => root, group => root; + + '/etc/postfix/checks/helo_checks.pcre': + source => 'puppet:///modules/site_postfix/checks/helo_access.pcre', + mode => '0644', + owner => root, + group => root; } exec { diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp index 291d7ee4..162e6d86 100644 --- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp +++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp @@ -28,7 +28,7 @@ class site_postfix::mx::smtpd_checks { 'smtps_relay_restrictions': value => 'permit_mynetworks, permit_tls_clientcerts, defer_unauth_destination'; 'smtps_helo_restrictions': - value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit'; + value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, check_helo_access pcre:$checks_dir/helo_checks.pcre, permit'; 'smtpd_sender_restrictions': value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit'; } |
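Review bot: In the second hunk of checks.pp, the new `'/etc/postfix/checks/helo_checks.pcre'` resource installs a table that is read through the `pcre:` map type, but nothing visible here ensures Postfix was built or packaged with PCRE support. On Debian-family systems that is the separate `postfix-pcre` package, and an unsupported map type typically makes smtpd fail or defer mail rather than skip the check. If the package is not already managed elsewhere, declare it and make this file resource require it. The deployed name differs from the source name, so a comment such as `# source file is named helo_access.pcre, deployed as helo_checks.pcre` above the resource would help anyone auditing the rules. The class body and the following `exec` continue outside the hunk, so whether a change to this file triggers a Postfix reload cannot be confirmed from here.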
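Review bot: The added `check_helo_access pcre:$checks_dir/helo_checks.pcre` in `smtps_helo_restrictions` is preceded only by `permit_mynetworks`, so clients that authenticate with a TLS client certificate (which `smtps_relay_restrictions` just above permits) are still subject to the numeric-HELO rule. Mail clients behind NAT commonly greet with an address literal such as `EHLO [192.168.1.10]` (constructed example), which RFC 5321 allows; the pattern file is not part of this diff, so whether it matches bracketed literals cannot be checked here. If authenticated submitters should be exempt, consider `value => 'permit_mynetworks, permit_tls_clientcerts, check_helo_access hash:$checks_dir/helo_checks, check_helo_access pcre:$checks_dir/helo_checks.pcre, permit';` and add a comment above the key stating what the PCRE table rejects. The rule only applies when a HELO is actually sent, so confirm `smtpd_helo_required = yes` is set for this service.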