On Tue, Mar 27, 2012 at 03:43:08PM -0400, brian wrote:
> On 12-03-27 03:30 PM, Ralf Hildebrandt wrote:
> >* brian<postfix-l...@logi.ca>:
> >>2.8.5-2~build1 (Ubuntu)
> >>
> >>Does anyone have an idea what might be going on with $myhostname
> >>here?
> >>
> >>$ postconf -h myhostname
> >>demeter.DOMAIN.org
> >>
> >>Mar 26 23:36:03 demeter postfix/smtpd[15657]: NOQUEUE: reject:
> >>RCPT from bas10-montrealak-1128580898.dsl.bell.ca[67.68.199.34]:
> >>504 5.5.2 <D7W9KDF1>: Helo command rejected: need fully-qualified
> >>hostname; from=<administra...@domain.org> to=<m...@xxxxxxxx.com>
> >>proto=ESMTP helo=<D7W9KDF1>
> >
> >67.68.199.34 used the HELO D7W9KDF1 when sending mail to
> >m...@xxxxxxxx.com
>
> Ah, so this is her local machine? But she's relaying through
> Postfix so shouldn't it identify itself as such to the remote
> server?

I'm sure we can't guess what is going on from the little information
provided.

bas10-montrealak-1128580898.dsl.bell.ca[67.68.199.34] used
"HELO D7W9KDF1" when sending mail to m...@xxxxxxxx.com ... this is
all we know.

If this is one of your users attempting to relay, you have a
misconfiguration. You should never apply restrictions like
reject_non_fqdn_helo_hostname to your own users.

Most non-FQDN HELOs are either MUAs doing legitimate relay, or spam
zombies. reject_non_fqdn_helo_hostname is safe and effective when
used properly.

Best practice is to separate submission from the MX mail on port 25.
Users should not (and in many cases, cannot) use port 25 for sending
mail from their MUAs. With " -o syslog_name=postfix/submission" on
your submission smtpd command in master.cf, you can tell at a glance
that it was a user (or attacker) on 587.

-- 
http://rob0.nodns4.us/ -- system administration and consulting
Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
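
Added example, not part of the original message and not the poster's actual configuration: one way to lay out the port 25 / port 587 split described above, so that the HELO check applies to MX traffic only and submission sessions are logged under their own name. Everything except reject_non_fqdn_helo_hostname and syslog_name=postfix/submission is an assumption (a conventional SASL/TLS submission setup).

```conf
# Illustrative layout only; the restriction lists and TLS/SASL
# settings are assumptions, not taken from the thread.

## main.cf: defaults inherited by every smtpd unless master.cf overrides them
smtpd_helo_required = yes
smtpd_helo_restrictions =
    reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname

## master.cf: MX service on port 25, inherits the main.cf HELO checks.
## Rejects here are logged as postfix/smtpd[pid].
smtp       inet  n  -  -  -  -  smtpd

## master.cf: submission service on port 587 for users' MUAs.
## Sessions here are logged as postfix/submission/smtpd[pid].
submission inet  n  -  -  -  -  smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
# Empty override: MUAs that send a bare hostname in HELO are not
# rejected for it; access is decided by authentication instead.
  -o smtpd_helo_restrictions=
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
```

With this layout, a "need fully-qualified hostname" reject logged under postfix/smtpd means the client connected to port 25, as in the log line quoted in the thread.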