[CentOS] postfix - reject of incoming mail due to helo check??

Thu Feb 2 10:10:06 UTC 2012
Ljubomir Ljubojevic <office at plnet.rs>

On 02/02/2012 11:01 AM, Rob Kampen wrote:
> Hi list,
> I have been getting the following types of log messages
>
> Jan 30 08:22:33 ndgonline postfix/smtpd[30538]: NOQUEUE: reject: RCPT
> from unknown[71.46.229.50]: 450 4.7.1 Client host rejected: cannot find
> your hostname, [71.46.229.50]; from=<DWoodman at orangebankfl.com>
> to=<rkampen at ndgonline.net>  proto=ESMTP helo=<mail.floridianbank.com>
>
> a rdns check shows all is well with 71.46.229.50 - it belongs to the
> from senders domain name.
>
> ;; ANSWER SECTION:
> 50.229.46.71.in-addr.arpa. 777    IN    PTR    mail2.orangebankfl.com.
>
> It seems it is being rejected due to the helo domain name - which does
> not have a correct rdns.
>
> My problem is that I do not specify the helo check??
>
> this is the relevant portion of main.cf
>
> <snip>
> smtpd_helo_required = yes
> smtpd_delay_reject = yes
> #added 20090410
> strict_rfc821_envelopes = yes
> smtpd_helo_restrictions =
>      permit_mynetworks,
>      reject_non_fqdn_helo_hostname,
>      reject_invalid_helo_hostname,
>      permit
>
> smtpd_sender_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_non_fqdn_sender,
>     reject_unknown_client,
>     reject_unauthenticated_sender_login_mismatch,
>     permit
>
> smtpd_sender_login_maps = hash:/etc/postfix/smtpd_sender_login_map
>
> smtpd_client_restrictions =
>     check_client_access hash:/etc/postfix/access
>
> smtpd_recipient_restrictions =
>     reject_unauth_pipelining,
>     reject_non_fqdn_recipient,
>     reject_unknown_sender_domain,
>     reject_unknown_recipient_domain,
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     reject_unauth_destination,
>     check_sender_access hash:/etc/postfix/sender_access,
>     check_recipient_access hash:/etc/postfix/roleaccount_exceptions,
>     check_helo_access pcre:/etc/postfix/helo_checks,
>      reject_rbl_client sbl-xbl.spamhaus.org,
>      reject_rbl_client cbl.abuseat.org,
>      reject_rbl_client dul.dnsbl.sorbs.net,
>     check_policy_service unix:postgrey/socket,
>     permit
>
> #  reject_unauthenticated_sender_login_mismatch
>
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_security_options = noanonymous
> #, noplaintext
> broken_sasl_auth_clients = yes
>
> </snip>
>
> so no reject_unknown_helo_hostname check - so why is it throwing them out?
>

mail.floridianbank.com != mail2.floridianbank.com

culprit => reject_non_fqdn_helo_hostname

but I would not disable it.


-- 

Ljubomir Ljubojevic
(Love is in the Air)
PL Computers
Serbia, Europe

Google is the Mother, Google is the Father, and traceroute is your
trusty Spiderman...
StarOS, Mikrotik and CentOS/RHEL/Linux consultant