On 9/13/2016 1:16 PM, Nikolaos Milas wrote:
> Hello,
>
> We are running postfix v2.11.0 on CentOS 6.8 as a gateway server and
> we have recently imposed helo restrictions.
>
> Few servers have problems sending us mail due to the helo restrictions:
>
> Sep  8 09:35:37 mailgw1 postfix/smtpd[18791]: NOQUEUE: reject: RCPT
> from mail.ipta.demokritos.gr[143.233.230.2]: 450 4.7.1
> <Symantec.local>: Helo command rejected: Host not found;
> from=<someu...@ipta.demokritos.gr> to=<ouru...@noa.gr> proto=ESMTP
> helo=<Symantec.local>
>
> We have notified them that their helo answer is different than their
> mail server name / FQDN (so as to change it) and they say that we
> should not be restricting access due to this:
>
> "The HELO receiver MAY verify that the HELO parameter really
> corresponds to the IP address of the sender. However, the receiver
> MUST NOT refuse to accept a message, even if the sender's HELO command
> fails verification. http://www.ietf.org/rfc/rfc1123.txt (section 5.2.5)"
>
> From your experience and knowledge:
>
> 1. How should we treat this issue?
>
> 2. How should we respond to the complaints?
>
    For myself this comes down to a question of how important is mail
with this domain that can't properly configure their mail server to send
a proper FQDN HELO as well as how much spam does rejecting based off
invalid HELO hostnames.

    For myself looking at my logwatch reports for this month I reject
about 15-33% of the messages for either HELO/EHLO, unknown user,
recipient address, sender address or RBL each day. The HELO/EHLO
rejection rate is between 1-13% of the total rejections and varies quite
a bit from day to day. By far though most of my rejects come from RBLs.
I also run messages through Amavis for content filtering before
accepting into the queue at all and that tends to reject anywhere from
45-55% of the messages daily as well.

> 3. If we are supposed to remove these restrictions, which settings
> should we remove from our config to resolve the problem? Should we
> remove all of: reject_unknown_helo_hostname,
> reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname ?
>
I only have the following for my smtpd_*_restrictions:

smtpd_client_restrictions = reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net

smtpd_recipient_restrictions = reject_non_fqdn_recipient,
    reject_unknown_recipient_domain, permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_pipelining,
    reject_unauth_destination, reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname, reject_rbl_client zen.spamhaus.org,
    reject_rbl_client bl.spamcop.net, check_policy_service
    unix:private/policyd-spf, permit

smtpd_sender_restrictions = reject_non_fqdn_sender,
    reject_unknown_sender_domain, check_sender_mx_access
    cidr:/etc/postfix/drop.cidr, check_sender_ns_access
    cidr:/etc/postfix/drop.cidr, check_sender_mx_access
    cidr:/etc/postfix/bogon_networks.cidr, check_sender_access
    pcre:/etc/postfix/sender_access, reject_rhsbl_sender
    dsn.rfc-ignorant.org,
    permit_sasl_authenticated, permit_mynetworks, permit

>
> Thanks in advance,
> Nick
>
>


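Added example (not part of the original message): a Python sketch that measures, from a Postfix log, what share of rejects the HELO checks account for and which clients they hit, which is the trade-off weighed in the reply above. The log lines are constructed samples modelled on the reject quoted in the thread, with placeholder addresses; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in the format of the reject quoted in the thread
# (client names and addresses are placeholders, not real log data).
SAMPLE_LOG = """\
Sep  8 09:35:37 mailgw1 postfix/smtpd[18791]: NOQUEUE: reject: RCPT from mail.example.org[192.0.2.10]: 450 4.7.1 <Symantec.local>: Helo command rejected: Host not found; from=<a@example.org> to=<b@example.net> proto=ESMTP helo=<Symantec.local>
Sep  8 09:36:02 mailgw1 postfix/smtpd[18791]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 504 5.5.2 <WIN-PC>: Helo command rejected: need fully-qualified hostname; from=<c@example.com> to=<b@example.net> proto=ESMTP helo=<WIN-PC>
Sep  8 09:37:15 mailgw1 postfix/smtpd[18802]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 554 5.7.1 Service unavailable; Client host [203.0.113.5] blocked using zen.spamhaus.org; from=<d@example.com> to=<b@example.net> proto=ESMTP helo=<mail.example.com>
Sep  8 09:38:40 mailgw1 postfix/smtpd[18802]: NOQUEUE: reject: RCPT from mail.example.org[192.0.2.10]: 450 4.7.1 <Symantec.local>: Helo command rejected: Host not found; from=<e@example.org> to=<b@example.net> proto=ESMTP helo=<Symantec.local>
"""

REJECT_RE = re.compile(
    r"reject: \S+ from (?P<client>\S+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) \S+ (?P<text>.*?); from=<.*? helo=<(?P<helo>[^>]*)>"
)

def classify(text):
    """Map the reject text to the kind of check that fired."""
    if "Helo command rejected" in text:
        return "helo"
    if "blocked using" in text:
        return "rbl"
    if "Recipient address rejected" in text:
        return "recipient"
    if "Sender address rejected" in text:
        return "sender"
    return "other"

def parse_rejects(log):
    """Yield one dict per smtpd reject line; other lines are skipped."""
    for line in log.splitlines():
        m = REJECT_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["kind"] = classify(rec["text"])
            # 4xx replies are deferred and retried by the sender; 5xx bounce.
            rec["temporary"] = rec["code"].startswith("4")
            yield rec

def helo_report(log):
    """Return (rejects per kind, HELO offenders, HELO share of all rejects)."""
    rejects = list(parse_rejects(log))
    by_kind = Counter(r["kind"] for r in rejects)
    offenders = Counter(
        (r["ip"], r["helo"], r["code"]) for r in rejects if r["kind"] == "helo"
    )
    share = by_kind["helo"] / len(rejects) if rejects else 0.0
    return by_kind, offenders, share

if __name__ == "__main__":
    by_kind, offenders, share = helo_report(SAMPLE_LOG)
    print(f"HELO share of rejects: {share:.0%}")
    for (ip, helo, code), n in offenders.most_common():
        print(f"{n:3d}  {ip:15s}  helo={helo}  code={code}")
```

Grouping the HELO rejects by client address and HELO name separates a handful of misconfigured but legitimate senders from bulk junk, and the reply code shows whether their mail is being deferred (4xx) or bounced (5xx).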