Re: setting smtpd_helo_restrictions rejects exchange servers

Thu, 05 Feb 2009 12:59:58 -0800 

Steve Lindemann a écrit :
> Searched docs and archives and I'm not seeing it...
> (postconf -n at end)
> 
> Situation:
> 
> changed config to:
> smtpd_helo_required = yes
> smtpd_helo_restrictions = permit_mynetworks,
> reject_invalid_helo_hostname, reject_unknown_helo_hostname
> 
> This causes legitimate email servers to be rejected (with a 450) and
> apparently most or all where m$ exchange servers.  Of course they think
> the problem is on my end.
> 

reject_unknown_helo_hostname is known to block "legitimate" mail, mostly
from misconfigured sites (but it will defer mail in case of DNS problems
even if the other side is well configured).

> changed config back to:
>     smtpd_helo_required = yes
>     smtpd_helo_restrictions = permit_mynetworks
> and the problem "went away"
> 

No reason to remove all the checks. you can use:

smtpd_helo_restrictions =
        reject_invalid_helo_hostname
        reject_non_fqdn_helo_hostname

you can also use check_helo_access to reject some "spammy" helos. for
example:

localhost       REJECT Invalid Helo
unreachable     REJECT Invalid Helo
.localhost      REJECT Invalid Helo
.arpa           REJECT Invalid Helo
.example        REJECT Invalid Helo
.example.com    REJECT Invalid Helo
.example.org    REJECT Invalid Helo
.example.net    REJECT Invalid Helo
.invalid        REJECT Invalid Helo
.test           REJECT Invalid Helo
.root           REJECT Invalid Helo
.local          REJECT Invalid Helo
.lokaal         REJECT Invalid Helo
.lan            REJECT Invalid Helo
.localdomain    REJECT Invalid Helo
.home           REJECT Invalid Helo
.domain         REJECT Invalid Helo
.private        REJECT Invalid Helo
.adsl           REJECT Invalid Helo
.inv            REJECT Invalid Helo
.firewall       REJECT Invalid Helo
.kornet         REJECT Invalid Helo
.belkin         REJECT Invalid Helo
.speedportw700v         REJECT Invalid Helo


> Questions:
> 
> 1) Is the problem really on my end with that config?

it's on the other end, but since many servers accept mail from them, the
problem is passed to you (the common "but we have no problem with other
servers". sigh).

> 2) If it is, how can I do better?

see above.

> 3) If it isn't, any suggestions for what to tell the exchange sys admins
> to fix on their end?
> 

if you have the courage, motivation and resources to educate the
universe, then good luck.


> [snip]

Reply via email to