Blocking Spammers with Postfix HELO Controls
There are certain questionable tools available online to bulk-check entire email address lists. One of them is MailTester.com, which I’m going to use to illustrate how to block certain HELO messages. I encourage you to scan your mail log files and identify other fraudulent services and servers. Use this carefully, though, to avoid blocking legitimate servers.
The file locations are for BSD systems and source installations. If you’re using Linux, adapt them accordingly.
Add the following to /usr/local/etc/postfix/main.cf:

    # HELO RESTRICTIONS
    smtpd_delay_reject = yes
    smtpd_helo_required = yes
    smtpd_helo_restrictions =
        permit_mynetworks,
        check_helo_access hash:/usr/local/etc/postfix/helo_access,
        permit

Afterwards, add the file /usr/local/etc/postfix/helo_access with the following content:

    mailtester.com REJECT Uhh... You're doing weird stuff to me. Stop it!

Run postmap -n /usr/local/etc/postfix/helo_access to evaluate the file and create the relevant .db file.
Reload Postfix via service postfix reload.
Now, a HELO message is needed before other email servers can interact with yours. This is good practice and widely implemented. If someone uses MailTester.com, their tool identifies itself and gets kicked out with an "Uhh... You're doing weird stuff to me. Stop it!" message before it can check for valid addresses.
An even more atomic solution is to add disable_vrfy_command = yes to main.cf. This disables the SMTP VRFY command, so clients can no longer use it to check whether an address is valid without actually attempting to send mail to it.
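
One way to act on the earlier advice to scan your mail log files, as an added example that is not part of the original post: the Python sketch below counts, per HELO name, how many distinct nonexistent recipients were rejected. The log lines are constructed, the name `probing_helos` and the threshold are assumptions, and it assumes Postfix's default reject log format with a 550 5.1.1 "User unknown" reply.

```python
import re
from collections import defaultdict

def _line(ip, rcpt, helo):
    # Constructed log line in the usual Postfix smtpd reject format (not real traffic).
    return ("Jan 12 03:14:07 mx postfix/smtpd[2345]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: "
            "User unknown in local recipient table; from=<probe@example.net> "
            f"to=<{rcpt}> proto=ESMTP helo=<{helo}>")

SAMPLE_LOG = "\n".join([
    "Jan 12 03:14:06 mx postfix/smtpd[2345]: connect from unknown[203.0.113.7]",
    _line("203.0.113.7", "alice@example.org", "scanner.example.net"),
    _line("203.0.113.7", "bob@example.org", "scanner.example.net"),
    _line("203.0.113.7", "bob@example.org", "SCANNER.example.net"),  # repeat, other case
    _line("203.0.113.7", "carol@example.org", "scanner.example.net"),
    _line("198.51.100.20", "dvae@example.org", "mail.example.com"),  # one sender typo
])

# Assumes the default 550 reply code for unknown recipients; adjust if yours differs.
REJECT_RE = re.compile(
    r"reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: 550 5\.1\.1 .*?User unknown.*?"
    r" to=<(?P<rcpt>[^>]*)> .*?helo=<(?P<helo>[^>]*)>"
)

def probing_helos(log_text, min_unknown=3):
    """Map each HELO name to (distinct unknown recipients, client IPs),
    keeping only names rejected for at least min_unknown distinct recipients."""
    rcpts, ips = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if not m:
            continue
        helo = m["helo"].lower()          # HELO names are case-insensitive
        rcpts[helo].add(m["rcpt"].lower())
        ips[helo].add(m["ip"])
    return {h: (len(r), sorted(ips[h]))
            for h, r in rcpts.items() if len(r) >= min_unknown}

if __name__ == "__main__":
    for helo, (count, clients) in sorted(probing_helos(SAMPLE_LOG).items()):
        print(f"{helo}\t{count} unknown recipients\tclients: {', '.join(clients)}")
```

Treat the output as candidates to review before adding anything to helo_access: the HELO name is chosen by the connecting client, and a legitimate server with a stale address list can cross the threshold too.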