[Mimedefang] filter_relay, HELO checks, and minimal filter

Martin J. Dellwo dellwo at 3dp.com
Thu Aug 14 13:56:02 EDT 2003


I am attempting to implement some of the HELO checks suggested for 
filter_relay and have some questions.

First, I had no difficulty creating filter_relay in mimedefang-filter, 
but then how do I invoke it? :)  I intend to go trolling in the man 
pages, so maybe that will tell me the answer...

Second, I note that 2% of the messages incoming to our server in the 
last week, out of about 21,000 messages, have HELO statements saying 
HELO 66.250.41.20.  This 'all-numeric' HELO is using the address 
assigned as static NAT by our firewall!!  Only another 0.6% of HELO lines 
use numeric-only HELOs, so I intend to block all IP-address-only HELOs. 
Is this something I could be dealing with more easily using 
access.db?  If so, how?  I've been wondering how to block incoming mail 
to things like 'adm', 'bin', 'man' and other standard Unix account 
names, that don't originate within our domain.  What is the proper way 
to do this using access.db?  Are there particular IDs such as 'root' or 
'postmaster' I need to leave alone?

Third, currently I am accepting email on one server and forwarding it in 
to a spam-filtering server on the inside, that then forwards to an 
internal Exchange server.  Originally I tried running mimedefang/SA 
directly on the gateway mail server, but it quickly got hosed (a few 
versions back, and it is an SGI).  Now, in order to do these HELO checks 
properly, I need to run it again on the gateway.  My idea was to use a 
very minimal filter with the SA lines commented out, in hopes that this 
will reduce the load and the machine won't get hosed.  Any comments on 
this idea?  The idea is some mail will get rejected at the gateway, and 
the rest will get checked again and SA-checked on the filtering host.

Lastly, on a slightly different topic, I see that many of the quarantine 
actions have messages such as "An attachment named $fname was 
removed...."  Not being a Perl expert, what would I do to throw quotes 
around $fname to distinguish it in the output?  Just "An attachment 
named \"$fname\" was removed..." ?  Or perhaps $fname should be replaced 
by \n\n$fname\n\n to set it apart.  The problem is that many $fname have 
long weird names with spaces and it is hard for the user to 
distinguish the filename from the rest of the warning message.  I'd 
probably like to throw quotes around $type in the message with "An 
attachment of type $type, named $fname..." as well.  Perhaps this could 
be added to the default suggested filter in the next release.
-- 
Martin J. Dellwo   (610) 458-5264 x6512   dellwo at 3dp.com
Systems Administrator, 3-Dimensional Pharmaceuticals, Inc.
http://www.3dp.com/
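
Added example, not part of the original post and not MIMEDefang's own code: a standalone Perl routine for the HELO classification raised in the second question, separating a HELO that claims the receiver's own address from other bare dotted quads and from bracketed address literals (the only IP form SMTP syntax allows in HELO). The function name, the `@OWN_IPS` list and all sample addresses are constructed for illustration; wiring the result into a filter callback is not shown.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed value: public address(es) of the receiving gateway.
my @OWN_IPS = ('192.0.2.20');

# Classify a HELO/EHLO argument as:
#   own-ip          - an IPv4 address that is one of ours (spoofed identity)
#   bare-ip         - a dotted quad without brackets (not valid SMTP syntax)
#   address-literal - a bracketed IPv4 literal such as [198.51.100.7]
#   name            - anything else (host names, garbage, empty string)
sub classify_helo {
    my ($helo, @own_ips) = @_;
    $helo = '' unless defined $helo;
    $helo =~ s/^\s+|\s+$//g;

    my ($open, $quad, $close) =
        $helo =~ /^(\[?)(\d{1,3}(?:\.\d{1,3}){3})(\]?)$/
        or return 'name';
    my @octets = split /\./, $quad;
    return 'name' if grep { $_ > 255 } @octets;

    # Normalise leading zeros so 192.000.002.020 still matches 192.0.2.20.
    my $ip = join '.', map { $_ + 0 } @octets;
    return 'own-ip'          if grep { $_ eq $ip } @own_ips;
    return 'address-literal' if $open && $close;
    return 'bare-ip';
}

# Policy from the post: refuse every IP-only HELO. Bracketed literals from
# other hosts are accepted here, which is an assumption of this example.
my %REJECT = ('own-ip' => 1, 'bare-ip' => 1);

# Constructed sample HELO strings (documentation address ranges).
for my $helo ('192.0.2.20', '[192.0.2.20]', '198.51.100.7',
              '[198.51.100.7]', 'mail.example.org', '300.1.2.3') {
    my $class = classify_helo($helo, @OWN_IPS);
    printf "%-18s %-16s %s\n", $helo, $class,
        $REJECT{$class} ? 'reject' : 'accept';
}
```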




