smtpd_helo_restrictions = ..., reject_unknown_helo_hostname occasionally rejects mail I care about, how to handle?

Question

I have configured my postfix as follows:

smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_helo_hostname

This is working well because most spambots don't seem to have correct reverse lookups. But every once in a while I run into mail I care about getting reject, because the mail source server admin doesn't care about configuring his server correctly.

For example here the server introduces itself as "srv1.xbmc.org" which has no DNS record and fails my basic check.

Jan  6 04:42:36 mail postfix/smtpd[660]: connect from xbmc.org[205.251.128.242]
Jan  6 04:42:37 mail postfix/smtpd[660]: NOQUEUE: reject: RCPT from xbmc.org[205.251.128.242]: 450 4.7.1 <srv1.xbmc.org>: Helo command rejected: Host not found; from=<www-data@xbmc.org> to=<leho@domain.com> proto=ESMTP helo=<srv1.xbmc.org>

I have tried to contact the server admin several times, but there is no response. What is the optimal way to handle this from my side? Is adding these "special" hosts to mynetworks = my only option? Is perhaps my whole smtpd_helo_restrictions setup wrong in some significant way?

Answer 1

What is the optimal way to handle this from my side? you have 2 ways

Is adding these "special" hosts to mynetworks = my only option? No, it does

Is perhaps my whole smtpd_helo_restrictions setup wrong in some significant way? no, it has a general restriction rules.

The easiest way. You can skip checks for these host

smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, check_helo_access hash:/etc/postfix/helo_access, reject_unknown_helo_hostname

Add the following line to the file

srv1.xbmc.org OK

and create the map file

# postmap /etc/postfix/helo_access
# service postfix restart

The hard way. You need to create your own restriction class

smtpd_restriction_classes = sender_white_list
sender_white_list = check_client_access hash:/etc/postfix/check_client_access, reject

smtpd_helo_restrictions =  permit_mynetworks, permit_sasl_authenticated, check_helo_access hash:/etc/postfix/check_helo_access

/etc/postfix/check_helo_access
srv1.xbmc.org sender_white_list

/etc/postfix/check_client_access
205.251.128.242 OK

With such configuration helo name "srv1.xbmc.org" would be permitted only from host ip 205.251.128.242

Answer 2

As you noted, there is no forward DNS entry for the hostname given by the remote mail server.

$ host srv1.xbmc.org
Host srv1.xbmc.org not found: 3(NXDOMAIN)

This isn't a significant problem, as these often are internal hostnames with no meaning on the public Internet.

For a complete list of things I do check for, see this answer on spam prevention. On my public mail servers, I never use reject_unknown_helo_hostname even though it's listed as a recommendation there (another user added it).

Answer 3

DO NOT use wholesale hostname rejection unless you plan to reject mail from most all automated systems out there. Yes, it's not entirely RFC-compliant, but no, they won't change it any time soon.

I generally recommend using

reject_unknown_reverse_client_hostname
warn_if_reject reject_unknown_helo_hostname
reject_invalid_helo_hostname

instead; this will log RFC-ignorant EHLO but still let them through.

Especially Exchange machines are notorious for using only the ugly netbios hostname to EHLO.

Answer 4

....Quick and simple: Modify the Hosts file on your local machine. In this case given you would add the following line (using the tab key to create spae between the name and the IP address) to the /etc/hosts file and then save the file.

205.251.128.242 srv1.xbmc.org

Sixhammers