Hello,
We are running postfix v2.11.0 on CentOS 6.8 as a gateway server and we
have recently imposed helo restrictions.
A few servers have problems sending us mail due to the helo restrictions:
Sep 8 09:35:37 mailgw1 postfix/smtpd[18791]: NOQUEUE: reject: RCPT from
mail.ipta.demokritos.gr[143.233.230.2]: 450 4.7.1 <Symantec.local>: Helo
command rejected: Host not found;
from=<someu...@ipta.demokritos.gr> to=<ouru...@noa.gr> proto=ESMTP
helo=<Symantec.local>
We have notified them that their helo answer is different than their
mail server name / FQDN (so as to change it) and they say that we should
not be restricting access due to this:
"The HELO receiver MAY verify that the HELO parameter really corresponds
to the IP address of the sender. However, the receiver MUST NOT refuse
to accept a message, even if the sender's HELO command fails
verification. http://www.ietf.org/rfc/rfc1123.txt (section 5.2.5)"
From your experience and knowledge:
1. How should we treat this issue?
2. How should we respond to the complaints?
3. If we are supposed to remove these restrictions, which settings
should we remove from our config to resolve the problem? Should we
remove all of: reject_unknown_helo_hostname,
reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname?
Here is our postconf -n:
# postconf -n
allowed_list1 = check_client_access cidr:/etc/postfix/vmail.cidr,reject
allowed_list2 = check_client_access
cidr:/etc/postfix/internalnetworks.cidr,reject
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
xxgdb $daemon_directory/$process_name $process_id & sleep 5
default_process_limit = 50
disable_vrfy_command = yes
enable_long_queue_ids = yes
html_directory = no
inet_interfaces = all
inet_protocols = ipv4, ipv6
local_recipient_maps =
local_transport = error:local mail delivery is disabled
mail_name = NOA Mail Srv XAPITI XPICTOY
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
message_size_limit = 15728640
mydestination =
mynetworks = 127.0.0.1/32 [::1]/128
myorigin = $mydomain
newaliases_path = /usr/bin/newaliases.postfix
postscreen_access_list = permit_mynetworks,
cidr:/etc/postfix/postscreen_exceptions.cidr
postscreen_blacklist_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = b.barracudacentral.org*2, zen.spamhaus.org*2,
psbl.surriel.com*2
postscreen_dnsbl_threshold = 2
postscreen_greet_action = enforce
queue_directory = /var/spool/postfix
relay_domains = noa.gr, astro.noa.gr, admin.noa.gr, nestor.noa.gr
space.noa.gr, meteo.noa.gr, gein.noa.gr, technet.noa.gr
relay_recipient_maps =
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_helo_required = yes
smtpd_recipient_restrictions = check_client_access
hash:/etc/postfix/amavis_bypass check_sender_access
hash:/etc/postfix/blacklisted_senders reject_unverified_recipient
reject_unauth_destination check_recipient_access
hash:/etc/postfix/protected_destinations
check_reverse_client_hostname_access pcre:/etc/postfix/fqrdns.pcre
permit_mynetworks reject_invalid_hostname reject_unauth_pipelining
reject_non_fqdn_sender reject_unknown_sender_domain
reject_non_fqdn_recipient reject_unknown_recipient_domain
reject_unknown_helo_hostname reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname reject_rbl_client b.barracudacentral.org
reject_rbl_client zen.spamhaus.org reject_rbl_client psbl.surriel.com
reject_rbl_client bl.spamcop.net reject_rbl_client dnsbl.sorbs.net
reject_rhsbl_client dbl.spamhaus.org reject_rhsbl_sender
dbl.spamhaus.org reject_rhsbl_helo dbl.spamhaus.org check_policy_service
unix:postgrey/socket permit
smtpd_restriction_classes = allowed_list1,allowed_list2
transport_maps = hash:/etc/postfix/transportmap
unknown_local_recipient_reject_code = 550
unverified_sender_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtualmap
Thanks in advance,
Nick
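
To see which senders trip which HELO restriction before deciding what to relax, the mail log can be summarized per client. This is an added example, not part of the original post: the first sample line is the reject quoted above joined onto one line, the other two are constructed, and the reason-to-restriction mapping assumes Postfix's standard reply texts.

```python
import re
from collections import Counter

# Sample input: line 1 is the reject from the post (joined onto one line);
# lines 2 and 3 are constructed for illustration.
SAMPLE_LOG = """\
Sep 8 09:35:37 mailgw1 postfix/smtpd[18791]: NOQUEUE: reject: RCPT from mail.ipta.demokritos.gr[143.233.230.2]: 450 4.7.1 <Symantec.local>: Helo command rejected: Host not found; from=<someu...@ipta.demokritos.gr> to=<ouru...@noa.gr> proto=ESMTP helo=<Symantec.local>
Sep 8 09:36:02 mailgw1 postfix/smtpd[18802]: NOQUEUE: reject: RCPT from unknown[192.0.2.15]: 504 5.5.2 <localhost>: Helo command rejected: need fully-qualified hostname; from=<a@example.com> to=<b@example.org> proto=ESMTP helo=<localhost>
Sep 8 09:50:44 mailgw1 postfix/smtpd[18850]: NOQUEUE: reject: RCPT from mail.ipta.demokritos.gr[143.233.230.2]: 450 4.7.1 <Symantec.local>: Helo command rejected: Host not found; from=<someu...@ipta.demokritos.gr> to=<ouru...@noa.gr> proto=ESMTP helo=<Symantec.local>
"""

REJECT_RE = re.compile(
    r"reject: (?P<stage>\w+) from (?P<client>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) <(?P<helo>[^>]*)>: "
    r"Helo command rejected: (?P<reason>[^;]+);"
)

# Reply text -> restriction that produces it (assumed standard Postfix wording).
REASON_TO_RESTRICTION = {
    "Host not found": "reject_unknown_helo_hostname",
    "need fully-qualified hostname": "reject_non_fqdn_helo_hostname",
    "Invalid name": "reject_invalid_helo_hostname",
}

def parse_helo_rejects(log_text):
    """Yield one dict per 'Helo command rejected' line in log_text."""
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m is None:
            continue  # not a HELO reject; ignore
        rec = m.groupdict()
        rec["restriction"] = REASON_TO_RESTRICTION.get(rec["reason"].strip(), "other")
        rec["temporary"] = rec["code"].startswith("4")  # 4xx: sender will retry
        yield rec

def summarize(log_text):
    """Count rejects per (client, ip, helo, restriction)."""
    counts = Counter()
    for r in parse_helo_rejects(log_text):
        counts[(r["client"], r["ip"], r["helo"], r["restriction"])] += 1
    return counts

if __name__ == "__main__":
    for (client, ip, helo, restriction), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {client}[{ip}]  helo={helo}  {restriction}")
```

Run against the real mail log, the summary shows whether the rejected senders cluster under a single restriction and whether the rejects are temporary (4xx, retried) or permanent.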