[CentOS] postfix - reject of incoming mail due to helo check??

Fri Feb 3 19:01:13 UTC 2012
Stephen Harris <lists at spuddy.org>

On Fri, Feb 03, 2012 at 12:14:13PM -0600, Les Mikesell wrote:
> On Fri, Feb 3, 2012 at 10:28 AM, Reindl Harald <h.reindl at thelounge.net> wrote:
> >
> > it is quite easy to know the mail-flow and from what public
> > interface mails are going out and whatever that ip is get
> > an A-Record and matching PTR and that is what "myhostname"
> > has to be set to
> 
> RFC quote, please.

In this, Les is correct.  The RFCs merely say the HELO needs to be _a_ valid
identifier for the host.  Indeed this discussion was on this list back in 
July ("SPAM on the List") where I pointed out that RFC 5321 says

   =~=~=~=~=~=
   4.1.1.1.  Extended HELLO (EHLO) or HELLO (HELO)

      These commands are used to identify the SMTP client to the SMTP
      server.  The argument clause contains the fully-qualified domain name
      of the SMTP client, if one is available.  In situations in which the
      SMTP client system does not have a meaningful domain name (e.g., when
      its address is dynamically allocated and no reverse mapping record is
      available), the client SHOULD send an address literal (see
      Section 4.1.3).

   You only need to follow 5321 requirements which do _not_ require the
   host to identify it as matching the specific interface; it merely needs
   to identify as a valid A record (or address literal) for the client system.

   There's nothing to say that the client system need be listening to port
   25 (or be open to port 25 connections; firewalls for example), so anyone
   performing HELO (or EHLO) address verification is pretty much limited
   to the 2.3.5 requirement; that the passed name is _a_ valid name.  Which
   is, AFAIK, all postfix does.
   =~=~=~=~=~=
   
The HELO value does need to be valid, but it _need not_ match the
IP address being used to communicate.

-- 

rgds
Stephen
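
Added example, not part of the original post and not Postfix's own code: it contrasts the validity check described above (the HELO argument is a resolvable name or an address literal) with the stricter "must match the connecting IP" check. The DNS table, the `resolve` callback and the function names are constructed for illustration; treating a non-FQDN name as invalid is an assumption of this example.

```python
import ipaddress
import re

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

def _literal_ip(arg):
    """Parse an RFC 5321 address literal such as [192.0.2.1] or [IPv6:2001:db8::1]."""
    body = arg[1:-1]
    if body.lower().startswith("ipv6:"):
        return ipaddress.IPv6Address(body[5:])
    return ipaddress.IPv4Address(body)

def classify_helo(arg):
    """Return 'address-literal', 'fqdn', 'non-fqdn' or 'invalid'."""
    if arg.startswith("[") and arg.endswith("]"):
        try:
            _literal_ip(arg)
            return "address-literal"
        except ValueError:
            return "invalid"
    labels = arg.rstrip(".").split(".")
    if len(arg) > 255 or not all(_LABEL.fullmatch(label) for label in labels):
        return "invalid"
    return "fqdn" if len(labels) > 1 else "non-fqdn"

def check_helo(arg, client_ip, resolve):
    """Return (valid, matches_client).

    valid          -- the name is *a* valid name for some host (resolves) or a literal
    matches_client -- the stricter test: the name maps to the connecting IP
    """
    client = ipaddress.ip_address(client_ip)
    kind = classify_helo(arg)
    if kind == "address-literal":
        return True, _literal_ip(arg) == client
    if kind != "fqdn":  # assumption: single-label and malformed names are rejected
        return False, False
    addrs = {ipaddress.ip_address(a) for a in resolve(arg.rstrip(".").lower())}
    return bool(addrs), client in addrs

# Constructed sample data (documentation addresses), standing in for real DNS.
SAMPLE_DNS = {"mail.example.com": ["192.0.2.10"]}

def sample_resolve(name):
    return SAMPLE_DNS.get(name, [])

if __name__ == "__main__":
    # Multihomed host: HELO name is valid but the mail leaves from another interface.
    print(check_helo("mail.example.com", "192.0.2.25", sample_resolve))
```

A receiver that rejects on the second value will refuse the multihomed sender in the last line even though its HELO passes the first.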