We have an smtpd_helo_restriction of reject_unknown_helo_hostname that regularly fails for one of our (very) large correspondents. As it turns out the reason is quite legitimate, the helo identity fqdn issued from several of their email gateways does not match up to the IP address that they are using. There nothing much one can do about that save exempting their domain in the helo_checks map.
However, in tracking this down I discovered that they were using multiple PTR records to reverse map the same IP address back to multiple hosts. My research indicates that the practice of multiple PTR records for a single IP address is permitted. When I do a dig -x on the IP address of the mail hosts that are rejected by our configuration I get back three PRT records (none of which happen to map to the helo ID fqdn transmitted but that is another matter). My question is: Does Postfix detect and handle this situation? While it is certainly atypical specifying multiple PTR records apparently is a permitted condition. If the helo/ehelo fqdn issued by one of their mail hosts matches any one of the three PRT records for the IP address they are connecting from then would the reject_unknown_helo_hostname restriction reject or permit the connection? dig -x 192.168.0.1 192.168.0.1 IN PTR mail1.domain.tld. 192.168.0.1 IN PTR mail2.domain.tld. 192.168.0.1 IN PTR mail3.domain.tld. If mail3.domain.tld connected from 192.168.0.1 what would be the result; assuming that reject_unknown_helo_hostname is in effect and domain.tld is not excepted in the helo_checks map? -- *** E-Mail is NOT a SECURE channel *** James B. Byrne mailto:[email protected] Harte & Lyne Limited http://www.harte-lyne.ca 9 Brockley Drive vox: +1 905 561 1241 Hamilton, Ontario fax: +1 905 561 0757 Canada L8E 3C3
