Helo issue

Helo issue

Kevin Miller
We have a vendor that is setting up a web page on an IIS server which will email folks when they purchase an item off of it.  I'm not sure what they use for a submission agent - I believe it's something they developed in-house.  The technician I'm working with isn't a programmer and doesn't really understand the ins and outs of email and doesn't know if they can change their code or not.  The issue I'm running into is we have reject_non_fqdn_helo_hostname enabled on the mx host they connect to, which returns:
 "504 5.5.2 <eagle-store>: Helo command rejected: need fully-qualified hostname;...helo=<eagle-store>"

I don't want to turn off reject_non_fqdn_helo_hostname but they're not sure if they can change the EHLO name.  I'm not sure where it's picking that up from, probably the hostname. Obviously it isn't hard coded into their source code.  We can't change the hostname, as the external domain it sends from is different than the internal domain.

If they can't figure out how to set it to a FQDN, is there an easy way to override reject_non_fqdn_helo_hostname for just that one host?  I added the smtpd_helo_restrictions stanza this morning but to no avail.  The IP address of the sending host is in "mynetworks".  It's also in the cbj_client_access file with an "OK".


smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination

smtpd_data_restrictions = reject_unauth_pipelining

smtpd_helo_restrictions = permit_mynetworks
                          reject_non_fqdn_helo_hostname
                          reject_invalid_helo_hostname

smtpd_recipient_restrictions = permit_inet_interfaces
                               permit_sasl_authenticated
                               reject_unknown_sender_domain
                               reject_non_fqdn_sender
                               reject_non_fqdn_recipient
                               reject_unauth_pipelining
                               reject_invalid_hostname
                               reject_non_fqdn_hostname
                               reject_unknown_recipient_domain
                               check_sender_access hash:/etc/postfix/cbj_sender_access
                               check_client_access hash:/etc/postfix/cbj_client_access
                               check_policy_service unix:private/policyd-spf
                               permit_dnswl_client list.dnswl.org
                               reject_rbl_client dnsbl.sorbs.net
                               reject_rbl_client b.barracudacentral.org
                               reject_rbl_client zen.spamhaus.org
                               check_policy_service inet:127.0.0.1:10023

smtpd_client_restrictions = reject_unknown_reverse_client_hostname

Thanks...

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357



Re: Helo issue

Viktor Dukhovni
On Mon, Aug 14, 2017 at 10:41:05PM +0000, Kevin Miller wrote:

> smtpd_helo_restrictions = permit_mynetworks
>                           reject_non_fqdn_helo_hostname
>                           reject_invalid_helo_hostname

This would be a complete solution, but ...

> smtpd_recipient_restrictions = permit_inet_interfaces
>                                permit_sasl_authenticated
>                                reject_unknown_sender_domain
>                                reject_non_fqdn_sender
>                                reject_non_fqdn_recipient
>                                reject_unauth_pipelining
>                                reject_invalid_hostname
>                                reject_non_fqdn_hostname
>                                ...

From the postconf(5) manpage:

       reject_non_fqdn_helo_hostname (with Postfix < 2.3: reject_non_fqdn_hostname)

              Reject the request when the HELO or EHLO hostname is not in
              fully-qualified domain or address literal form, as required by
              the RFC. Note: specify "smtpd_helo_required = yes" to fully
              enforce this restriction (without "smtpd_helo_required = yes", a
              client can simply skip reject_non_fqdn_helo_hostname by not
              sending HELO or EHLO).
              The non_fqdn_reject_code parameter specifies the response code
              for rejected requests (default: 504).

The legacy "reject_non_fqdn_hostname" is a synonym for the now preferred
(less confusing) reject_non_fqdn_helo_hostname.  Remove this from the
recipient restrictions, as you already have it in helo restrictions.

--
        Viktor.
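
Added example, not part of the thread or of Postfix: a small audit that finds HELO-name checks (including the pre-2.3 synonyms) sitting in restriction lists other than smtpd_helo_restrictions, where the permit_mynetworks exemption in the HELO list does not apply. The function names are hypothetical and the parser is simplified: it reads main.cf-style text only and does not expand $parameter references or master.cf overrides.

```python
import re

# Pre-2.3 names and the HELO restrictions they are synonyms for, per postconf(5).
LEGACY = {"reject_non_fqdn_hostname": "reject_non_fqdn_helo_hostname",
          "reject_invalid_hostname": "reject_invalid_helo_hostname",
          "reject_unknown_hostname": "reject_unknown_helo_hostname"}
HELO_CHECKS = set(LEGACY.values())

def tokens(value):
    return [t for t in re.split(r"[,\s]+", value) if t]

def parse_main_cf(text):
    """Return {parameter: [tokens]}; an indented line continues the previous one."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and name:
            params[name] += tokens(line)
        elif "=" in line:
            name, value = (s.strip() for s in line.split("=", 1))
            params[name] = tokens(value)
    return params

def audit_helo_checks(text):
    """Report HELO-name checks that sit outside smtpd_helo_restrictions."""
    findings = []
    for name, toks in parse_main_cf(text).items():
        if not re.fullmatch(r"smtpd_\w+_restrictions", name) or "_helo_" in name:
            continue
        for i, tok in enumerate(toks):
            canonical = LEGACY.get(tok, tok)
            if canonical in HELO_CHECKS:
                # Only a permit earlier in this same list exempts the client.
                findings.append({"list": name, "restriction": tok, "means": canonical,
                                 "after_permit_mynetworks": "permit_mynetworks" in toks[:i]})
    return findings

# Constructed sample, abbreviated from the configuration quoted in the thread.
SAMPLE = """\
smtpd_helo_restrictions = permit_mynetworks, reject_non_fqdn_helo_hostname
smtpd_recipient_restrictions = permit_inet_interfaces
                               reject_invalid_hostname
                               reject_non_fqdn_hostname
                               check_client_access hash:/etc/postfix/cbj_client_access
"""
if __name__ == "__main__":
    print(*audit_helo_checks(SAMPLE), sep="\n")
```

Each finding with after_permit_mynetworks set to False is a HELO check that a host in mynetworks will still hit, regardless of the exemption in smtpd_helo_restrictions.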

RE: Helo issue

Kevin Miller
Perfect - a minor tweak and it worked as advertised.

Thanks much Viktor!

...Kevin
--
Kevin Miller
Network/email Administrator, CBJ MIS Dept.
155 South Seward Street
Juneau, Alaska 99801
Phone: (907) 586-0242, Fax: (907) 586-4588 Registered Linux User No: 307357

