These are 2 different things.

Unknown hostname is a missing PTR record.

For that you can use:

smtpd_client_restrictions = ...

"unknown" is also the name in the case of a temporary DNS lookup failure. So
using 5xx for all "unknown" is not a good idea.

 

# reject_unknown_client_hostname: requires that the address->name and
name->address mappings exist, but also that the two mappings reproduce the
client IP address.

# reject_unknown_reverse_client_hostname: Reject the request when the client IP
address has no address->name mapping. This is a weaker restriction than
reject_unknown_client_hostname.

Greetz,

Louis

> -----Original message-----
> From: tn-post...@saarcube.de [mailto:owner-postfix-us...@postfix.org]
> On behalf of Thomas Nagel
> Sent: Thursday 7 January 2016 14:18
> To: Postfix users
> Subject: Helo Checks not always working?

>
> Hello,
>
> We encountered a strange behaviour.
>
> We enabled smtp_helo_restrictions:
>
> smtpd_helo_required = yes
>
> smtpd_helo_restrictions =
>    permit_mynetworks,
>    permit_sasl_authenticated,
>    reject_unlisted_recipient,
> # check_client_access hash:/etc/postfix/
>    check_helo_access hash:/etc/postfix/check_helo_access
>    reject_invalid_helo_hostname
>    reject_non_fqdn_helo_hostname
>    reject_unknown_helo_hostname
>
> unknown_hostname_reject_code = 550
>
> In the "check_helo_access" map there are only certain senders with their
> special invalid HELOs whitelisted, but no "unknown" or the mentioned IP
> address.
>
> Most of the time connectors with invalid DNS Records are blocked like
> this:
>
> Jan  3 06:36:21 server postfix/smtpd[23338]: connect from unknown[190.11.55.217]
> Jan  3 06:36:22 server postfix/smtpd[23338]: NOQUEUE: reject: RCPT from unknown[190.11.55.217]: 504 5.5.2 <190.11.55.217>: Helo command rejected: need fully-qualified hostname; from=<> to=<exam...@example.com> proto=SMTP helo=<190.11.55.217>
>
> - but sometimes we see this:
>
> Jan  5 16:43:30 server postfix/smtpd[13577]: connect from unknown[195.22.126.188]
> Jan  5 16:43:30 server postgrey[2604]: action=pass, reason=recipient whitelist, client_name=unknown, client_address=195.22.126.188, sender=i...@gmail.com, recipient=i...@example.com
> Jan  5 16:43:30 server postfix/smtpd[13577]: B064010A1B5E: client=unknown[195.22.126.188]
> Jan  5 16:43:30 server postfix/cleanup[13133]: B064010A1B5E: message-id=<20160105094329.fab7ffc87cc25...@gmail.com>
> Jan  5 16:43:30 server postfix/qmgr[4924]: B064010A1B5E: from=<i...@gmail.com>, size=2536, nrcpt=1 (queue active)
> Jan  5 16:43:30 server postfix/smtpd[13577]: disconnect from unknown[195.22.126.188]
>
> Shouldn't this be blocked when the helo restrictions are applied? So the
> mail shouldn't actually be passed on?
>
> Thanks,
>
> Thomas.
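
An added example, not part of the thread and not Postfix code: a Python script that scans smtpd log lines in the format quoted above and lists, for each client logged as `unknown`, which messages were queued and which were rejected. It shows how much mail a client-hostname restriction would touch before one is enabled. The sample log is constructed (documentation IP addresses, made-up queue IDs) and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the syslog format quoted in the thread
# (documentation IP addresses, made-up queue IDs).
SAMPLE_LOG = """\
Jan  3 06:36:21 server postfix/smtpd[23338]: connect from unknown[192.0.2.17]
Jan  3 06:36:22 server postfix/smtpd[23338]: NOQUEUE: reject: RCPT from unknown[192.0.2.17]: 504 5.5.2 <192.0.2.17>: Helo command rejected: need fully-qualified hostname; from=<> to=<user@example.com> proto=SMTP helo=<192.0.2.17>
Jan  5 16:43:30 server postfix/smtpd[13577]: connect from unknown[198.51.100.88]
Jan  5 16:43:30 server postfix/smtpd[13577]: B064010A1B5E: client=unknown[198.51.100.88]
Jan  5 16:43:30 server postfix/smtpd[13577]: disconnect from unknown[198.51.100.88]
Jan  5 16:44:02 server postfix/smtpd[13580]: connect from mail.example.net[203.0.113.5]
Jan  5 16:44:02 server postfix/smtpd[13580]: 1C2D310A1B60: client=mail.example.net[203.0.113.5]
"""

# smtpd lines only; the message part follows the "smtpd[pid]: " prefix.
SMTPD = re.compile(r"postfix/smtpd\[\d+\]: (?P<msg>.*)$")
# "QUEUEID: client=name[ip]" is logged when smtpd opens a queue file for a message.
QUEUED = re.compile(r"(?P<qid>[0-9A-Za-z]+): client=(?P<name>[^\[]+)\[(?P<ip>[^\]]+)\]")
# "NOQUEUE: reject: RCPT from name[ip]: 504 5.5.2 <reason>; from=..."
REJECT = re.compile(r"NOQUEUE: reject: \w+ from (?P<name>[^\[]+)\[(?P<ip>[^\]]+)\]: "
                    r"(?P<code>\d{3}) \S+ (?P<reason>.*?);")


def summarize_unknown_clients(log_text):
    """Map each IP logged as 'unknown' to its queued message IDs and its rejects."""
    seen = defaultdict(lambda: {"accepted": [], "rejected": []})
    for line in log_text.splitlines():
        smtpd = SMTPD.search(line)
        if not smtpd:
            continue  # postgrey, cleanup, qmgr and other daemons are ignored
        msg = smtpd.group("msg")
        queued = QUEUED.match(msg)
        reject = REJECT.match(msg)
        if queued and queued.group("name") == "unknown":
            seen[queued.group("ip")]["accepted"].append(queued.group("qid"))
        elif reject and reject.group("name") == "unknown":
            seen[reject.group("ip")]["rejected"].append(
                (int(reject.group("code")), reject.group("reason")))
    return dict(seen)


if __name__ == "__main__":
    for ip, info in summarize_unknown_clients(SAMPLE_LOG).items():
        print(ip, "accepted:", info["accepted"], "rejected:", info["rejected"])
```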

 
