In message <56f6c728.2090...@megan.vbhcs.org> Noel Jones writes:
>
> On 3/26/2016 7:18 AM, Nicols wrote:
> > Thanks Wietse and Rob,
> >
> > The client indeed uses SASL, but it gets rejected at HELO/EHLO time.
> > I will observe these days if I can fence in a reduced CIDR range and
> > use Wietse's approach, if not, I'll set up a Postfix local to the
> > broken client, which indeed is a cleaner way than my original approach.
> >
> > Thanks!
> >
> > Nicols
> >
> >
> If the client uses SASL, all you need to do is put
> permit_sasl_authenticated before your reject_non_fqdn_helo_hostname.
>
> No need for a CIDR table or any other workarounds.
>
> smtpd_helo_restrictions =
>   permit_mynetworks
>   permit_sasl_authenticated
>   reject_non_fqdn_helo_hostname
>   ... any other stuff...

On http://www.postfix.org/postconf.5.html#smtpd_helo_restrictions
permit_sasl_authenticated is not listed. Which makes some sense since
the HELO occurs before AUTH. HELO checks seem to be all IP and hostname
related.

> -- Noel Jones

Am I missing something?

Curtis

> >
> >
> > -------- Original message --------
> > From: wie...@porcupine.org
> > Date: 25/03/2016 17:56 (GMT+00:00)
> > To: Postfix users
> > Subject: Re: Hardware with non-FQDN EHLO
> >
> > Nicols:
> >> Hi,
> >>
> >> I have some hardware which I've configured to send e-mails through
> >> my Postfix server. Unfortunately, this hardware's firmware has
> >> its EHLO command hardcoded, not being it an FQDN.
> >>
> >> In Postfix, I've configured smtpd_helo_restrictions to
> >> have reject_non_fqdn_helo_hostname and I'm pretty happy with it
> >> so I don't want to remove it, however it makes its attempts to
> >> get rejected. Another issue is that its connections are made from
> >> a dynamic IP address, so whitelisting its IP address is not an
> >> option. However, it has a dynamic hostname which updates each time
> >> it changes (a DynDNS-like host).
> >
> > Wrap the reject_non_fqdn_helo_hostname inside an access table:
> >
> > smtpd_mumble_restrictions =
> >     ...other stuff...
> >     check_client_access cidr:/etc/postfix/reject_non_fqdn_helo.cidr
> >     ...more stuff...
> >
> > /etc/postfix/reject_non_fqdn_helo.cidr:
> >     # Unlike hash files, cidr files are matched in the order of rules.
> >     # IPv4
> >     1.2.3.4       dunno
> >     0.0.0.0/0     reject_non_fqdn_helo_hostname
> >     # IPv6
> >     1:2::3:4      dunno
> >     ::0/0         reject_non_fqdn_helo_hostname
> >
> > It's a bit clumsy with the CIDR patterns, but hash-based access
> > maps don't have a wild-card pattern.
> >
> > Wietse
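
An added example, not part of the thread and not Postfix code: a Python model of how the cidr table quoted above is evaluated, with rules tried in file order, the first match winning, and `dunno` letting the exempt client fall through to the remaining restrictions. The function names are hypothetical and `helo_is_fqdn` is a simplified stand-in for Postfix's own check.

```python
import ipaddress

# Constructed copy of the table from the thread; 1.2.3.4 and 1:2::3:4 are
# the thread's placeholder addresses for the exempt client.
CIDR_TABLE = """\
1.2.3.4      dunno
0.0.0.0/0    reject_non_fqdn_helo_hostname
1:2::3:4     dunno
::0/0        reject_non_fqdn_helo_hostname
"""

def parse_cidr_table(text):
    """Return [(network, action)] in file order; order matters for cidr maps."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, action = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern, strict=False), action.strip()))
    return rules

def lookup(rules, client_ip):
    """First matching rule wins; None means no rule matched."""
    addr = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if addr.version == net.version and addr in net:
            return action
    return None

def helo_is_fqdn(helo):
    """Simplified assumption: an address literal or a dotted name passes."""
    if helo.startswith("[") and helo.endswith("]"):
        return True
    labels = helo.rstrip(".").split(".")
    return len(labels) >= 2 and all(labels)

def evaluate(rules, client_ip, helo):
    """Model of the check_client_access step only: REJECT, or DUNNO (fall through)."""
    action = lookup(rules, client_ip)
    if action == "reject_non_fqdn_helo_hostname" and not helo_is_fqdn(helo):
        return "REJECT"
    return "DUNNO"  # "dunno" rule, no match, or the HELO name passed the check

if __name__ == "__main__":
    rules = parse_cidr_table(CIDR_TABLE)
    for ip, helo in [("1.2.3.4", "device"), ("203.0.113.9", "device")]:
        print(ip, helo, evaluate(rules, ip, helo))
```

Swapping the two IPv4 lines makes the catch-all match first, so the exemption for 1.2.3.4 never applies.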