On Fri, Dec 23, 2022 at 09:51:48AM +0400, Samer Afach <[email protected]>
wrote:
> I see. Thank you for the explanation. So the right way to state this is that
> HELO/EHLO requires a valid FQDN/hostname only for MTAs, and for MUAs it's
> just ignored because authentication is what matters.
>
> Cheers,
> Sam
It's only ignored when configured to be ignored.
The way that the difference between port 25 and port
587 is implemented is that main.cf has settings for
smtpd_*_restrictions that are used for MTA-to-MTA
traffic on port 25, e.g.:
/etc/postfix/main.cf:
    smtpd_helo_restrictions =
        permit_mynetworks
        check_helo_access hash:/etc/postfix/helo-access
        reject_invalid_helo_hostname
        reject_non_fqdn_helo_hostname
        # The following is unwise without the check_helo_access
        # above and constant monitoring for false positives.
        reject_unknown_helo_hostname
        permit
And then master.cf contains services with overrides to the
settings in main.cf, and the overrides apply to the particular
service, e.g. for port 587:
/etc/postfix/master.cf:
    submission inet n       -       y       -       -       smtpd
      -o syslog_name=postfix/$service_name
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_tls_auth_only=yes
      -o smtpd_reject_unlisted_recipient=no
      -o smtpd_client_restrictions=
      -o smtpd_helo_restrictions=
      -o smtpd_sender_restrictions=
      -o smtpd_recipient_restrictions=
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
The above submission service contains
smtpd_helo_restrictions= which replaces the
smtpd_helo_restrictions setting in main.cf, but only for
connections that come in via port 587, which, thanks to
the overriding smtpd_tls_security_level=encrypt, must be
encrypted and, thanks to the overriding
smtpd_relay_restrictions setting, must be
SASL-authenticated.
cheers,
raf
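The main.cf/master.cf override mechanism raf describes, as an added Python example that is not part of the thread and not Postfix's own code: it parses constructed samples of both files (mirroring the snippets above) and reports the effective value of an smtpd_* parameter per service, so an operator can confirm that the port 587 service which empties smtpd_helo_restrictions really does force TLS and SASL-only relaying, while port 25 keeps the main.cf HELO checks.

```python
# Added example, not from the thread: resolve the effective value of an smtpd_*
# parameter per service by applying master.cf "-o" overrides on top of main.cf.
# The two samples below are constructed to mirror raf's snippets, not real files.
MAIN_CF = """\
smtpd_helo_restrictions =
    permit_mynetworks
    reject_non_fqdn_helo_hostname
    permit
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
"""
MASTER_CF = """\
smtp       inet  n  -  y  -  -  smtpd
submission inet  n  -  y  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_helo_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""

def logical_lines(text):
    """Rule shared by both files: a line starting with whitespace continues the
    previous logical line; blank lines and '#' comment lines are skipped."""
    out = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and out:
            out[-1] += "\n" + line.strip()
        else:
            out.append(line.strip())
    return out
def parse_main_cf(text):
    """main.cf: 'name = value'; whitespace inside a multi-line value is normalised."""
    params = {}
    for entry in logical_lines(text):
        name, _, value = entry.partition("=")
        params[name.strip()] = " ".join(value.split())
    return params
def parse_master_cf(text):
    """master.cf: an 8-field service line followed by '-o name=value' overrides."""
    services = {}
    for entry in logical_lines(text):
        head, *opts = entry.split("\n")
        f = head.split()
        overrides = dict(o[2:].strip().split("=", 1) for o in opts if o.startswith("-o"))
        services[f"{f[0]}/{f[1]}"] = {"command": f[7], "overrides": overrides}
    return services
def effective(param, service, main_cf, master_cf):
    """An override wins even when empty: '-o smtpd_helo_restrictions=' clears the list."""
    ov = master_cf[service]["overrides"]
    return ov[param] if param in ov else main_cf.get(param, "")
```

Services are keyed as name/type (e.g. submission/inet); a parameter absent from both files resolves to an empty string here, whereas real Postfix would fall back to its compiled-in default.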