authorMicah <micah@leap.se>2016-07-12 11:20:58 -0400
committerMicah <micah@leap.se>2016-07-19 10:44:11 -0400
commitbbdc193f05cb2f1624d6c7bbffd27f8060de35c8 (patch)
tree5afe409027ccc69fd7d3c1895e39bb1800c9d2d0 /puppet
parent68544ba2ffdfa988c060b3b4c5bd075f7304a022 (diff)
Block ip-based helo at MTA (#8139).
Numeric helo is a very strong indicator of spam. When this is blocked, a very significant amount of spam stops. Change-Id: Ieb340190faf37638950d1aa60b52268659e0b7f6
Diffstat (limited to 'puppet')
-rw-r--r--puppet/modules/site_postfix/files/checks/helo_access.pcre2
-rw-r--r--puppet/modules/site_postfix/manifests/mx/checks.pp7
-rw-r--r--puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp2
3 files changed, 10 insertions, 1 deletions
diff --git a/puppet/modules/site_postfix/files/checks/helo_access.pcre b/puppet/modules/site_postfix/files/checks/helo_access.pcre
new file mode 100644
index 00000000..4ebd42e6
--- /dev/null
+++ b/puppet/modules/site_postfix/files/checks/helo_access.pcre
@@ -0,0 +1,2 @@
+!/[[:alpha:]]/ REJECT Numeric HELO is a sign of spam, please contact us if this is in error
+
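Review bot: The negated pattern on the first line rejects every HELO that contains no ASCII letter, which includes bracketed IPv4 address literals, a form RFC 5321 allows as the EHLO argument, while an IPv6 literal or any string with a single letter in it still passes. The file has no comment and the leading `!` is easy to miss, so I would add a header such as `# Reject HELO names with no letters (bare or bracketed IPv4); "!" inverts the match`. The reject text asks the sender to "contact us" without saying how, so a postmaster hitting a false positive has nothing to act on; naming a postmaster address or URL in the message would fix that.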
diff --git a/puppet/modules/site_postfix/manifests/mx/checks.pp b/puppet/modules/site_postfix/manifests/mx/checks.pp
index f406ad34..9678c205 100644
--- a/puppet/modules/site_postfix/manifests/mx/checks.pp
+++ b/puppet/modules/site_postfix/manifests/mx/checks.pp
@@ -1,3 +1,4 @@
+# management of specific MTA checks
class site_postfix::mx::checks {
file {
@@ -13,6 +14,12 @@ class site_postfix::mx::checks {
mode => '0644',
owner => root,
group => root;
+
+ '/etc/postfix/checks/helo_checks.pcre':
+ source => 'puppet:///modules/site_postfix/checks/helo_access.pcre',
+ mode => '0644',
+ owner => root,
+ group => root;
}
exec {
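Review bot: The new resource deploys `helo_access.pcre` under the target name `helo_checks.pcre`, so the name in the module and the name on disk differ; using one name for both would make the file easier to trace from the Postfix configuration back to the module. Nothing visible in this hunk guarantees that the Postfix `pcre` map type is available on the host; on Debian-based systems it ships in the separate `postfix-pcre` package, and a restriction list that references an unsupported map type typically breaks mail acceptance rather than skipping the check. If that package is managed elsewhere, a `require` on its resource here would make the dependency explicit. The `file { … }` block starts above the hunk, so any shared defaults or `notify` are not visible from here.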
diff --git a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
index 291d7ee4..162e6d86 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtpd_checks.pp
@@ -28,7 +28,7 @@ class site_postfix::mx::smtpd_checks {
'smtps_relay_restrictions':
value => 'permit_mynetworks, permit_tls_clientcerts, defer_unauth_destination';
'smtps_helo_restrictions':
- value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, permit';
+ value => 'permit_mynetworks, check_helo_access hash:$checks_dir/helo_checks, check_helo_access pcre:$checks_dir/helo_checks.pcre, permit';
'smtpd_sender_restrictions':
value => 'permit_mynetworks, reject_non_fqdn_sender, reject_unknown_sender_domain, permit';
}
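Review bot: `smtps_helo_restrictions` exempts only `permit_mynetworks` before the new pcre lookup, while `smtps_relay_restrictions` just above also lists `permit_tls_clientcerts`. If this service is where certificate-authenticated clients submit mail, a client that announces itself with an address literal would now be rejected despite presenting a valid certificate, and mail clients behind NAT commonly send exactly that. I would put the exemption ahead of both lookups: `value => 'permit_mynetworks, permit_tls_clientcerts, check_helo_access hash:$checks_dir/helo_checks, check_helo_access pcre:$checks_dir/helo_checks.pcre, permit';`. The class body starts above the hunk, so how `$checks_dir` is set is not visible here.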