On Sat, Mar 20, 2021 at 08:23:20PM -0400, Wietse Venema wrote:
> David Mehler:
> > I don't want to blanket disable reject_unknown_helo_hostname is there
> > a way I can set a helo exception for this one host/sender?
>
> Yes you can.
>
> smtpd_recipient_restrictions =
>     ...
>     reject_unauth_destination
>     check_client_access inline:{example.com=permit}
>     reject_unknown_helo_hostname

Since the OP has the rule in smtpd_helo_restrictions and also because
whitelisting by client hostname (dynamically derived from PTR + forward
lookup) is fragile, the rule I'd recommend would be:

    smtpd_helo_restrictions =
        ...
        check_helo_access inline:{bogus.example=permit}
        reject_unknown_helo_hostname

This exempts the specific name that would otherwise be rejected,
but does so for all clients. One could instead permit any
HELO name from a particular IP block, where the problem client
lives:

    main.cf:
        cidr = cidr:${config_directory}/
        smtpd_helo_restrictions =
            ...
            check_client_access ${cidr}filter-helo.cidr

    filter-helo.cidr:
        192.0.2.0/24    DUNNO
        0.0.0.0/0       reject_unknown_helo_hostname

Or, as Wietse suggested, if this becomes a game of whack-a-mole, just
forgo the rule that requires PTR records for the HELO name.

--
Viktor.
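
The first-match behaviour of the filter-helo.cidr table above, as an added example (not part of the original message and not Postfix code): a small Python model of the lookup, run over constructed client addresses. It goes one step beyond the message by including an IPv6 client: `0.0.0.0/0` is an IPv4 pattern, so an IPv6 client matches nothing unless the table also carries a `::/0` entry.

```python
import ipaddress

# Table text copied from the message above (filter-helo.cidr).
FILTER_HELO_CIDR = """\
192.0.2.0/24 DUNNO
0.0.0.0/0 reject_unknown_helo_hostname
"""

def parse_cidr_table(text):
    """Return [(network, result)] in file order; skips blanks and # comments.

    Simplified model: handles plain 'pattern result' lines only.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern), result.strip()))
    return rules

def lookup(rules, client_ip):
    """First matching pattern wins; None means no entry matched."""
    addr = ipaddress.ip_address(client_ip)
    for net, result in rules:
        if addr.version == net.version and addr in net:
            return result
    return None

def helo_check_applies(rules, client_ip):
    """True when the table hands this client to reject_unknown_helo_hostname."""
    return lookup(rules, client_ip) == "reject_unknown_helo_hostname"

RULES = parse_cidr_table(FILTER_HELO_CIDR)
# Same table with an IPv6 catch-all appended (an assumption, not in the message).
RULES_V6 = parse_cidr_table(FILTER_HELO_CIDR + "::/0 reject_unknown_helo_hostname\n")

if __name__ == "__main__":
    # Constructed client addresses from the documentation ranges.
    for ip in ("192.0.2.10", "198.51.100.7", "2001:db8::1"):
        print(f"{ip:14} as posted: {lookup(RULES, ip)!s:30} "
              f"with ::/0: {lookup(RULES_V6, ip)}")
```

Against a live configuration, `postmap -q <client-address> cidr:<path-to-table>` queries the real table the same way.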