> -----Original Message-----
> From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Joey
> Sent: Wednesday, 17 December 2008 12:06 AM
> To: postfix-users@postfix.org
> Subject: RE: helo being rejected
>
> > -----Original Message-----
> > From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of MacShane, Tracy
> > Sent: Monday, December 15, 2008 9:18 PM
> > To: postfix-users@postfix.org
> > Subject: RE: helo being rejected
> >
> > From: owner-postfix-us...@postfix.org [mailto:owner-postfix-us...@postfix.org] On Behalf Of Joey
> > Sent: Tuesday, 16 December 2008 1:05 PM
> > To: postfix-users@postfix.org
> > Subject: helo being rejected
> >
> > Hello All,
> >
> > I have a client whose email server is getting a lot of helo rejects
> > from it (windows box). The client has a .NET domain for their servers
> > ( hardware ) and a .COM for their email address.
> >
> > I manually had a conversation with my postfix server that has these
> > settings:
> >
> > reject_invalid_helo_hostname,
> > check_helo_access hash:/etc/postfix/helo_access,
> > reject_invalid_helo_hostname,
> > reject_non_fqdn_helo_hostname,
> >
> > [...]
> > =====================
> >
> > That error message is not coming from the *_helo_hostname checks, it
> > must be coming from your helo_access map. Show the transaction logging
> > from the maillog and the contents of your helo_access.
>
> I see what you are saying... I have this in helo_access ...
>
> sendingserver.net REJECT Helo Check
> sendingserver.com REJECT Helo Check
>
> Whoever set this up was trying from what I can tell to reject
> spoofers from those domains... and had a rule to bypass their
> own servers in mynetworks.
> This basically brute force stopped it right?
>
> Thanks!
>

Yep, it's common (and often explicitly recommended) to have a helo check that rejects external hosts that announce themselves with your own domain. I would suggest putting a more meaningful reject message - "REJECT External host spoofing internal HELO" or whatever, while ensuring that all the appropriate servers are in mynetworks, and that you have permit_mynetworks occurring before the helo check.
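
A small Python model of the ordering advice in this thread, added here as an illustration (it is not part of the original messages and is not Postfix code). The 192.0.2.0/24 mynetworks range and the client addresses are constructed, and the parent-domain lookup is a simplified stand-in for Postfix's access-table matching.

```python
import ipaddress

# Constructed values: the thread gives the helo_access keys but no addresses.
MYNETWORKS = [ipaddress.ip_network("192.0.2.0/24")]
HELO_ACCESS = {
    "sendingserver.net": "REJECT External host spoofing internal HELO",
    "sendingserver.com": "REJECT External host spoofing internal HELO",
}

def permit_mynetworks(client_ip, helo):
    """Model of permit_mynetworks: decide only for trusted client addresses."""
    ip = ipaddress.ip_address(client_ip)
    return "OK" if any(ip in net for net in MYNETWORKS) else None

def check_helo_access(client_ip, helo):
    """Model of check_helo_access: look up the HELO name, then parent domains."""
    labels = helo.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        action = HELO_ACCESS.get(".".join(labels[i:]))
        if action:
            return action
    return None

def evaluate(restrictions, client_ip, helo):
    """Walk the list in order; the first restriction that decides wins."""
    for check in restrictions:
        result = check(client_ip, helo)
        if result is not None:
            return result
    return None  # no decision from this list

RECOMMENDED = [permit_mynetworks, check_helo_access]  # order advised in the reply
MAP_FIRST = [check_helo_access, permit_mynetworks]    # map consulted too early

if __name__ == "__main__":
    # Constructed sessions: own server, external spoofer, unrelated external host.
    sessions = [("192.0.2.10", "mail.sendingserver.net"),
                ("203.0.113.7", "sendingserver.com"),
                ("203.0.113.7", "mx.example.org")]
    for name, order in (("recommended", RECOMMENDED), ("map first", MAP_FIRST)):
        for ip, helo in sessions:
            print(f"{name:12} {ip:13} {helo:24} -> {evaluate(order, ip, helo)}")
```

With the map consulted first, the client's own server is rejected for announcing its own domain, which is the symptom described at the start of the thread.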