In the postscreen(8) man page, postscreen_helo_required is described in
the "AFTER 220 GREETING TESTS" section, and the POSTSCREEN_README says nothing of
it. By implication, since it defaults to $smtpd_helo_required, the man
page implies that if smtpd_helo_required=yes, any unfamiliar client
would be subject to the greylisting-like treatment that comes from
enabling any of the other "deep" tests: "If a client passes all tests
during this phase, it will receive a 4XX response to all RCPT TO
commands." This strikes me as an undesirable and surprising consequence
of switching on smtpd_helo_required; however, that fortunately seems NOT
to be what actually happens. I hope that this is intentional and that
one would need to explicitly set one of the other parameters listed in
"AFTER 220 GREETING TESTS" to a non-default value to trigger the
greylisting-like behavior (i.e. turn on one of the enable switches or
set postscreen_helo_required, postscreen_disable_vrfy_command or
postscreen_forbidden_commands to something other than references to
their smtpd analogs.)

I am sure that I am not alone in this interpretation of the
documentation, since the issue was actually raised with me by a customer
who is more diligent about reading documentation than many actual mail
admins. While I can demonstrate that smtpd_helo_required=yes DOES NOT
result in pointless deferrals and I can argue that it logically NEED NOT
because postscreen can be sure that its constraint matches that of
smtpd, I have been unable to find anything in postscreen(8),
postconf(5), or POSTSCREEN_README that would make a Postfix neophyte
confident that it SHALL NOT.

In case there's uncertainty or doubt about actual behavior, I tested my
personal public MX from a faraway non-related & non-trusted host:

$ telnet toaster.scconsult.com 25
Trying 67.149.19.4...
Connected to toaster.scconsult.com.
Escape character is '^]'.
220-toaster.scconsult.com ESMTP Postfix
220 toaster.scconsult.com ESMTP Postfix
ehlo REDACTED_HOSTNAME
250-toaster.scconsult.com
250-PIPELINING
250-SIZE 20480000
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-DSN
250 SMTPUTF8
mail from:<bill_cole@REDACTED_HOSTNAME>
250 2.1.0 Ok
rcpt to:<b...@scconsult.com>
250 2.1.5 Ok
quit
221 2.0.0 Bye
Connection closed by foreign host.

And from the mail server, the relevant settings:

toaster:log root# postconf |egrep '^myhostname|helo_req'
myhostname = toaster.scconsult.com
postscreen_helo_required = $smtpd_helo_required
smtpd_helo_required = yes

And the logging of the above test as well as a later connection showing
that postscreen had cached the PASS:

toaster:log root# fgrep REDACTED_IP mail.log
Mar 18 12:25:04 toaster postfix/postscreen[92876]: CONNECT from [REDACTED_IP]:60651 to [67.149.19.4]:25
Mar 18 12:25:10 toaster postfix/postscreen[92876]: PASS NEW [REDACTED_IP]:60651
Mar 18 12:25:11 toaster postfix/smtpd[92886]: connect from REDACTED_HOSTNAME[REDACTED_IP]
Mar 18 12:25:38 toaster postfix/smtpd[92886]: 3qRVvQ2292z1ZRHw1: client=REDACTED_HOSTNAME[REDACTED_IP]
Mar 18 12:25:54 toaster postfix/smtpd[92886]: disconnect from REDACTED_HOSTNAME[REDACTED_IP] ehlo=1 mail=1 rcpt=1 quit=1 commands=4
Mar 18 13:02:33 toaster postfix/postscreen[97182]: CONNECT from [REDACTED_IP]:63817 to [67.149.19.4]:25
Mar 18 13:02:34 toaster postfix/postscreen[97182]: PASS OLD [REDACTED_IP]:63817
Mar 18 13:02:34 toaster postfix/smtpd[97191]: connect from REDACTED_HOSTNAME[REDACTED_IP]
Mar 18 13:02:37 toaster postfix/smtpd[97191]: disconnect from REDACTED_HOSTNAME[REDACTED_IP] quit=1 commands=1
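
The check performed by eye on the log above can be run over a whole mail.log. The following is an added example, not part of the original message and not Postfix code: for every postscreen PASS line it reports whether an smtpd "connect from" for the same address follows within a few seconds, which is what the excerpt shows when no deferral took place. The sample lines, addresses, hostnames and the 5-second window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the same syslog layout as the excerpt above;
# 192.0.2.x / 198.51.100.x are documentation addresses, hostnames are made up.
SAMPLE_LOG = """\
Mar 18 12:25:04 mx postfix/postscreen[92876]: CONNECT from [192.0.2.10]:60651 to [198.51.100.4]:25
Mar 18 12:25:10 mx postfix/postscreen[92876]: PASS NEW [192.0.2.10]:60651
Mar 18 12:25:11 mx postfix/smtpd[92886]: connect from client.example.org[192.0.2.10]
Mar 18 12:40:00 mx postfix/postscreen[92876]: CONNECT from [192.0.2.77]:41000 to [198.51.100.4]:25
Mar 18 12:40:09 mx postfix/postscreen[92876]: PASS NEW [192.0.2.77]:41000
Mar 18 13:02:34 mx postfix/postscreen[97182]: PASS OLD [192.0.2.10]:63817
Mar 18 13:02:34 mx postfix/smtpd[97191]: connect from client.example.org[192.0.2.10]
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(\w+)\[\d+\]: (.*)$")
PASS = re.compile(r"^PASS (NEW|OLD) \[([^\]]+)\]:\d+$")
SMTPD_CONNECT = re.compile(r"^connect from \S*\[([^\]]+)\]$")


def classify_passes(log_text, window=timedelta(seconds=5)):
    """Return [(ip, 'NEW'|'OLD', handed_off)] for each postscreen PASS line.

    handed_off is True when smtpd logs a connect from the same address
    within `window` (an assumed threshold) after the PASS.
    """
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # Syslog timestamps carry no year; a fixed leap year is assumed.
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3)))

    results = []
    for i, (ts, daemon, msg) in enumerate(events):
        p = PASS.match(msg) if daemon == "postscreen" else None
        if not p:
            continue
        kind, ip = p.groups()
        handed_off = any(
            d == "smtpd" and t - ts <= window
            and (c := SMTPD_CONNECT.match(text)) and c.group(1) == ip
            for t, d, text in events[i + 1:]
        )
        results.append((ip, kind, handed_off))
    return results
```

A PASS NEW with handed_off False only says that no smtpd session followed; it is consistent with the 4XX treatment the man page describes but does not by itself prove it.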