[CentOS] postfix - reject of incoming mail due to helo check??

Thu Feb 2 10:01:52 UTC 2012
Rob Kampen <rkampen at kampensonline.com>

Hi list,
I have been getting the following types of log messages:

Jan 30 08:22:33 ndgonline postfix/smtpd[30538]: NOQUEUE: reject: RCPT 
from unknown[71.46.229.50]: 450 4.7.1 Client host rejected: cannot find 
your hostname, [71.46.229.50]; from=<DWoodman at orangebankfl.com> 
to=<rkampen at ndgonline.net> proto=ESMTP helo=<mail.floridianbank.com>

An rDNS check shows all is well with 71.46.229.50 - it belongs to the 
from sender's domain name.

;; ANSWER SECTION:
50.229.46.71.in-addr.arpa. 777    IN    PTR    mail2.orangebankfl.com.

It seems it is being rejected due to the helo domain name - which does 
not have a correct rdns.

My problem is that I do not specify the helo check??

This is the relevant portion of main.cf:

<snip>
smtpd_helo_required = yes
smtpd_delay_reject = yes
#added 20090410
strict_rfc821_envelopes = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    permit

smtpd_sender_restrictions =
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_non_fqdn_sender,
   reject_unknown_client,
   reject_unauthenticated_sender_login_mismatch,
   permit

smtpd_sender_login_maps = hash:/etc/postfix/smtpd_sender_login_map

smtpd_client_restrictions =
   check_client_access hash:/etc/postfix/access

smtpd_recipient_restrictions =
   reject_unauth_pipelining,
   reject_non_fqdn_recipient,
   reject_unknown_sender_domain,
   reject_unknown_recipient_domain,
   permit_mynetworks,
   permit_sasl_authenticated,
   reject_unauth_destination,
   check_sender_access hash:/etc/postfix/sender_access,
   check_recipient_access hash:/etc/postfix/roleaccount_exceptions,
   check_helo_access pcre:/etc/postfix/helo_checks,
    reject_rbl_client sbl-xbl.spamhaus.org,
    reject_rbl_client cbl.abuseat.org,
    reject_rbl_client dul.dnsbl.sorbs.net,
   check_policy_service unix:postgrey/socket,
   permit

#  reject_unauthenticated_sender_login_mismatch

smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
#, noplaintext
broken_sasl_auth_clients = yes

</snip>

So no reject_unknown_helo_hostname check - so why is it throwing them out?

Thanks for anyone's insight.
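
Added example, not part of the original post: in Postfix the text "Client host rejected: cannot find your hostname" is produced by reject_unknown_client_hostname (spelled reject_unknown_client in the main.cf above), which requires the PTR name to resolve back to the client IP, not merely a PTR record to exist. The Python sketch below maps reject text to the restriction that emits it and replays that check. The forward (A) records are constructed, since the post shows only the PTR answer, and all function and variable names are this example's own.

```python
import re

# Reject text in the log -> smtpd restriction that produces it.
# reject_unknown_client_hostname was named reject_unknown_client before Postfix 2.3.
REJECT_TEXT = {
    "Client host rejected: cannot find your hostname": "reject_unknown_client_hostname",
    "Client host rejected: cannot find your reverse hostname":
        "reject_unknown_reverse_client_hostname",
    "Helo command rejected: Host not found": "reject_unknown_helo_hostname",
}
LOG_RE = re.compile(r"reject: \w+ from \S+?\[(?P<ip>[^\]]+)\]: \d{3} \S+ (?P<text>[^;]+)")

def classify(line):
    """Return (client_ip, restriction) for a Postfix reject log line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    for text, restriction in REJECT_TEXT.items():
        if text in m["text"]:
            return m["ip"], restriction
    return m["ip"], "unrecognised"

def client_name_status(ip, ptr, fwd):
    """The conditions behind reject_unknown_client_hostname: PTR lookup fails,
    forward lookup fails, or the forward answer does not contain the client IP.
    ptr (ip -> names) and fwd (name -> addresses) are dicts standing in for DNS."""
    names = ptr.get(ip, [])
    if not names:
        return "unknown: no PTR record"
    for name in (n.rstrip(".").lower() for n in names):
        if ip in fwd.get(name, []):
            return "known: " + name
    return "unknown: PTR name does not resolve back to " + ip

# Log line from the post, joined onto one line (addresses as archived).
LINE = ("Jan 30 08:22:33 ndgonline postfix/smtpd[30538]: NOQUEUE: reject: RCPT "
        "from unknown[71.46.229.50]: 450 4.7.1 Client host rejected: cannot find "
        "your hostname, [71.46.229.50]; from=<DWoodman at orangebankfl.com> "
        "to=<rkampen at ndgonline.net> proto=ESMTP helo=<mail.floridianbank.com>")
PTR = {"71.46.229.50": ["mail2.orangebankfl.com."]}     # PTR answer shown in the post
FWD_OK = {"mail2.orangebankfl.com": ["71.46.229.50"]}   # constructed: forward matches
FWD_BAD = {"mail2.orangebankfl.com": ["192.0.2.10"]}    # constructed: forward mismatch

if __name__ == "__main__":
    print(classify(LINE))
    print(client_name_status("71.46.229.50", PTR, FWD_OK))
    print(client_name_status("71.46.229.50", PTR, FWD_BAD))
```

Against live DNS the same comparison is a `dig -x` on the client IP followed by a `dig A` on the name it returns.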