On 1/22/2018 8:36 PM, J Doe wrote:
>>> smtpd_helo_required = yes
>>> smtpd_helo_restrictions = permit_mynetworks,
>>>     reject_unauth_pipelining,
>>>     reject_invalid_helo_hostname,
>>>     reject_non_fqdn_helo_hostname,
>>>     check_helo_access hash:/etc/postfix/helo_acl,
>>>     reject_unknown_helo_hostname,
>>>     permit
>>
>> reject_unknown_helo_hostname is likely to reject legit mail. Use
>> with caution.
>
> Ok, although I checked man 5 postconf again for the definition:
>
> “Reject the request when the HELO or EHLO hostname has no DNS A or MX record.”
>
> Is there ever a case where a legitimate mail sender would not have either an
> A (and I assume if it is an IPv6 sender an AAAA record), or a MX record ?

Yes, it's not terribly unusual for a legit HELO hostname to not resolve.

>
> The other way I had looked at it was that since the SMTP error code for this
> is 4xx, if it does reject a legitimate sender the sender would queue the
> message and try again.

... retry again and again for days and days. Set the error codes to
5xx after a suitable testing period.

> I would assume that not having A/AAAA or MX would be transient for a
> legitimate sender.

postfix will always use a 4xx code for a transient DNS error.

The HELO hostname is treated differently from the client hostname
and the sender email domain. It's not unusual for the HELO hostname
to be non-resolvable, AND having a non-resolvable HELO hostname
isn't a particularly strong spam indicator.

Strong spam indicators for the HELO are (note: this is for mail
coming from the internet. Authenticated submission mail or legit
mail from devices on your network might break any of these)
- a dynamic hostname (eg. 89-73-46-234.dynamic.chello.pl, which
  resolves just fine)
- my own hostname or localhost (old spammer trick still in use)
- a bare IP address nn.nn.nn.nn (disallowed by RFC)
- an ip literal eg. [nn.nn.nn.nn] (allowed by RFC; but IME always spam)

-- Noel Jones
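
The four HELO indicators listed in the reply above can be checked offline against collected HELO values during a testing period. This is an added example, not part of the original message or of Postfix; the names in `MY_NAMES`, the dynamic-hostname heuristics and the sample values are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: names this server uses for itself; substitute your own.
MY_NAMES = {"mail.example.com", "localhost", "localhost.localdomain"}

# Heuristics (assumptions, not an RFC rule): an embedded IPv4 address or a
# pool-style label suggests a dynamically assigned client hostname.
EMBEDDED_IP = re.compile(r"(?<!\d)\d{1,3}([-.])\d{1,3}\1\d{1,3}\1\d{1,3}(?!\d)")
POOL_LABEL = re.compile(r"(^|[.-])(dynamic|dyn|dhcp|pool|dsl|ppp|dialup)([.-]|\d)")


def classify_helo(helo, my_names=MY_NAMES):
    """Return the indicator a HELO argument matches, or None if it matches none."""
    name = helo.strip().lower().rstrip(".")
    if name.startswith("[") and name.endswith("]"):
        return "ip_literal"            # e.g. [nn.nn.nn.nn]
    try:
        ipaddress.ip_address(name)
        return "bare_ip"               # e.g. nn.nn.nn.nn without brackets
    except ValueError:
        pass                           # not an address, keep checking
    if name in my_names:
        return "own_name_or_localhost"
    if EMBEDDED_IP.search(name) or POOL_LABEL.search(name):
        return "dynamic_hostname"
    return None


def audit(helos):
    """Tally indicators over an iterable of HELO values."""
    return Counter(classify_helo(h) or "no_strong_indicator" for h in helos)


# Constructed sample HELO values; the first hostname is the one quoted above.
SAMPLE_HELOS = [
    "89-73-46-234.dynamic.chello.pl",
    "mail.example.com",
    "localhost",
    "192.0.2.10",
    "[192.0.2.10]",
    "mx1.example.org",
]

if __name__ == "__main__":
    for indicator, count in audit(SAMPLE_HELOS).most_common():
        print(f"{count:3d}  {indicator}")
```
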