base.m4: More subtle handling of HELO greetings.

Rather than rejecting incorrect HELO greetings, we make two adjustments:

  * There's now an auxiliary list, `helo.conf', of manually provided
    exceptions, for well-known and basically honest hosts which are just
    misconfigured.

  * A failure to provide a correct HELO greeting now results in a
    BADHELO warning header rather than an immediate rejection.
    SpamAssassin has been configured to notice these headers and assign
    points for them, because they do seem to be a good indicator of
    spamminess.

diff --git a/base.m4 b/base.m4
index 9182a7c7e9d46db20135a785ab88c44cffa4a34a..e779a1a8f9a3d2d1719b74ccfc2512b28250493e 100644 (file)
--- a/base.m4
+++ b/base.m4
@@ -98,8 +98,23 @@ SECTION(global, acl)m4_dnl
 acl_smtp_helo = helo
 SECTION(acl, misc)m4_dnl
 helo:
-       require  message = The other one has bells on
-                verify = helo
+       ## Check that the caller's claimed identity is actually plausible.
+       ## This seems like it's a fairly effective filter on spamminess, but
+       ## it's too blunt a tool.  Rather than reject, add a warning header.
+       ## Only we can't do this the easy way, so save it up for use in MAIL.
+       ## Also, we're liable to get a subsequent HELO (e.g., after STARTTLS)
+       ## and we should only care about the most recent one.
+       warn     set acl_c_helo_warning = false
+               !condition = \
+                       ${if exists {CONF_sysconf_dir/helo.conf} \
+                            {${lookup {$sender_helo_name} \
+                                      partial0-lsearch \
+                                      {CONF_sysconf_dir/helo.conf} \
+                                      {${if match_ip \
+                                            {$sender_host_address} \
+                                            {$value}}}}}}
+               !verify = helo
+                set acl_c_helo_warning = true
 
        accept
 
@@ -108,6 +123,15 @@ acl_smtp_mail = mail
 SECTION(acl, mail)m4_dnl
 mail:
 
+       ## If we stashed a warning header about HELO from earlier, we should
+       ## add it now.
+       warn     condition = $acl_c_helo_warning
+                add_header = :after_received:X-Distorted-Warning: \
+                       BADHELO \
+                       Client's HELO doesn't match its IP address.\n\t\
+                       HELO name = $sender_helo_name, \
+                       address = $sender_host_address
+
        ## Always allow the empty sender, so that we can receive bounces.
        accept   senders = :