[CentOS] postfix - reject of incoming mail due to helo check??

Fri Feb 3 11:21:28 UTC 2012
Kai Schaetzl <maillists at conactive.com>

Rob Kampen wrote on Fri, 03 Feb 2012 10:08:09 +1300:

> My confusion is that a reverse lookup of the IP gives me the client's 
> domain (dropping the mail(x) subdomain) thus I assumed it was the helo 
> domain name - which does not have rDNS - that was causing the reject - 
> maybe it was just a timing error.

No, it wasn't, read the explanation of this check, see below. You may want 
to use reject_unknown_reverse_client_hostname instead. Actually, I've not 
been aware until now that it does more than checking the rDNS (or I had 
forgotten it in the meantime and had to be reminded :-).

reject_unknown_client_hostname (with Postfix < 2.3: reject_unknown_client)
Reject the request when 1) the client IP address->name mapping fails, 2) 
the name->address mapping fails, or 3) the name->address mapping does not 
match the client IP address. 
This is a stronger restriction than the 
reject_unknown_reverse_client_hostname feature, which triggers only under 
condition 1) above. 
http://www.postfix.org/postconf.5.html

> Final question for the list - does anyone use "reject_unknown_client" - 
> it has given me the most grief with legitimate clients that have poorly 
> administered domains.

I've been using the reject_unknown_client_hostname restriction on my own 
server(s) for years with no problems. But I'm not using it on client's 
servers. Looks like one day I knew what it does ;-) I think 
reject_unknown_client_hostname is a good restriction, but you may get too 
many "false" positives. There is no definitive RFC requirement that the 
mapping has to match. 
That's different for the simple rDNS lookup. I think it's defined in 
several RFCs (at least by loose interpretation) and also explained in 
every "mail server setup howto" and on Wikipedia. I usually point 
clients/admins to such a source and after a (not so long) while the sender 
mysteriously manages to have rDNS set up by his provider ... So, I would 
certainly recommend trying the less restrictive 
reject_unknown_reverse_client_hostname. As you pointed out, lots of bots 
don't have rDNS, so they get rejected by this very effectively. And the 
false positive ratio is very low. Certainly lower for me than Sorbs (threw 
out Sorbs years ago).

Kai
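
The three conditions in the postconf(5) text quoted above, modelled as an added example (not part of the original post, and not Postfix's own code) that reports which of the two restrictions would reject a given client. The function names, the sample DNS tables and the addresses are assumptions made for illustration, and the model treats every lookup failure as a failed mapping.

```python
import socket

def dns_reverse(ip):
    """Live PTR lookup: hostname, or None if the address->name mapping fails."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def dns_forward(name):
    """Live A/AAAA lookup: set of address strings, empty if the lookup fails."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None)}
    except OSError:
        return set()

def failed_condition(ip, reverse=dns_reverse, forward=dns_forward):
    """Return 0 if the client passes, else which quoted condition (1-3) fails."""
    name = reverse(ip)
    if name is None:
        return 1                      # 1) address->name mapping fails
    addrs = forward(name)
    if not addrs:
        return 2                      # 2) name->address mapping fails
    return 0 if ip in addrs else 3    # 3) name->address does not match client IP

def rejecting_restrictions(ip, reverse=dns_reverse, forward=dns_forward):
    """Names of the two restrictions that would reject this client."""
    cond = failed_condition(ip, reverse, forward)
    hits = []
    if cond == 1:
        hits.append("reject_unknown_reverse_client_hostname")
    if cond:
        hits.append("reject_unknown_client_hostname")
    return hits

# Constructed DNS data (documentation address ranges), so the demo runs offline.
PTR = {"192.0.2.10": "mail.example.com",    # consistent both ways
       "192.0.2.20": "mail2.example.net",   # PTR exists, name has no A record
       "192.0.2.30": "host.example.org"}    # PTR exists, A record points elsewhere
A = {"mail.example.com": {"192.0.2.10"}, "host.example.org": {"198.51.100.7"}}

def sample_reverse(ip):
    return PTR.get(ip)

def sample_forward(name):
    return A.get(name, set())

if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(ip, rejecting_restrictions(ip, sample_reverse, sample_forward))
```

Calling failed_condition(ip) without the sample resolvers performs live lookups, which helps when checking a sender that was rejected before deciding which restriction to keep.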