Helo rejected

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
11 messages Options
Reply | Threaded
Open this post in threaded view
|

Helo rejected

Enrico Morelli
Dear,

my user don't receive mail from a real sender cause our mail server
reject the Helo command:

NOQUEUE: reject: RCPT from rrcs-70-60-37-220.central.biz.rr.com[70.60.37.220]: 450 4.7.1
<NTFYOHSrvNLES05.ntfy.local>: Helo command rejected: Host not found; from=<[hidden email]> to=<[hidden email]> proto=ESMTP
helo=<NTFYOHSrvNLES05.ntfy.local>
Nov  8 17:55:46 genio postfix/smtpd[3667]: disconnect from rrcs-70-60-37-220.central.biz.rr.com[70.60.37.220] ehlo=1 mail=1
rcpt=0/1 rset=1 quit=1 commands=4/5

Is there a way to receive these mails?

Thanks

--
-----------------------------------------------------------
  Enrico Morelli
  System Administrator | Programmer | Web Developer

  CERM - Polo Scientifico
  via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
------------------------------------------------------------
Reply | Threaded
Open this post in threaded view
|

Re: Helo rejected

Dominic Raferd
On 10 November 2017 at 14:08, Enrico Morelli <[hidden email]> wrote:
my user don't receive mail from a real sender cause our mail server
reject the Helo command:

NOQUEUE: reject: RCPT from rrcs-70-60-37-220.central.biz.rr.com[70.60.37.220]: 450 4.7.1
<NTFYOHSrvNLES05.ntfy.local>: Helo command rejected: Host not found; from=<[hidden email]> to=<[hidden email]> proto=ESMTP
helo=<NTFYOHSrvNLES05.ntfy.local>
Nov  8 17:55:46 genio postfix/smtpd[3667]: disconnect from rrcs-70-60-37-220.central.biz.rr.com[70.60.37.220] ehlo=1 mail=1
rcpt=0/1 rset=1 quit=1 commands=4/5

Is there a way to receive these mails?

​You may be using this setting ​in one of your restriction lists: reject_unknown_helo_hostname. Remove this and you should be ok. I think there is not much point worrying about helo hostnames, they are easy to fake in any case. Better to focus on client reverse hostnames.
Reply | Threaded
Open this post in threaded view
|

Re: Helo rejected

Matus UHLAR - fantomas
>On 10 November 2017 at 14:08, Enrico Morelli <[hidden email]> wrote:
>> my user don't receive mail from a real sender cause our mail server
>> reject the Helo command:
>>
>> NOQUEUE: reject: RCPT from rrcs-70-60-37-220.central.biz.rr.com[70.60.37.220]:
>> 450 4.7.1
>> <NTFYOHSrvNLES05.ntfy.local>: Helo command rejected: Host not found;
>> from=<[hidden email]> to=<[hidden email]> proto=ESMTP
>> helo=<NTFYOHSrvNLES05.ntfy.local>
>> Nov  8 17:55:46 genio postfix/smtpd[3667]: disconnect from
>> rrcs-70-60-37-220.central.biz.rr.com[70.60.37.220] ehlo=1 mail=1
>> rcpt=0/1 rset=1 quit=1 commands=4/5
>>
>> Is there a way to receive these mails?

On 10.11.17 14:30, Dominic Raferd wrote:
>​You may be using this setting ​in one of your restriction lists:
>reject_unknown_helo_hostname. Remove this and you should be ok. I think
>there is not much point worrying about helo hostnames, they are easy to
>fake in any case.

That's exactly why we block those fake helo hostnames.

you can whitelist particular IP by using "check_client_access" and you most
probably want to have such directive in main.cf.

Enrico:
if possible, try contacting the sender that they are supposed to fix their
helo hostname (you won't be the only one who rejects mail from them).
If not, explain your customer that you have whitelisted the sender's IP and
that the problem is on their side.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
He who laughs last thinks slowest.
Reply | Threaded
Open this post in threaded view
|

Re: Helo rejected

Enrico Morelli
On Fri, 10 Nov 2017 15:42:16 +0100
Matus UHLAR - fantomas <[hidden email]> wrote:

> >On 10 November 2017 at 14:08, Enrico Morelli <[hidden email]>
> >wrote:  
> >> my user don't receive mail from a real sender cause our mail server
> >> reject the Helo command:
> >>
> >> NOQUEUE: reject: RCPT from
> >> rrcs-70-60-37-220.central.biz.rr.com[70.60.37.220]: 450 4.7.1
> >> <NTFYOHSrvNLES05.ntfy.local>: Helo command rejected: Host not
> >> found; from=<[hidden email]> to=<[hidden email]> proto=ESMTP
> >> helo=<NTFYOHSrvNLES05.ntfy.local>
> >> Nov  8 17:55:46 genio postfix/smtpd[3667]: disconnect from
> >> rrcs-70-60-37-220.central.biz.rr.com[70.60.37.220] ehlo=1 mail=1
> >> rcpt=0/1 rset=1 quit=1 commands=4/5
> >>
> >> Is there a way to receive these mails?  
>
> On 10.11.17 14:30, Dominic Raferd wrote:
> >​You may be using this setting ​in one of your restriction lists:
> >reject_unknown_helo_hostname. Remove this and you should be ok. I
> >think there is not much point worrying about helo hostnames, they
> >are easy to fake in any case.  
>
> That's exactly why we block those fake helo hostnames.
>
> you can whitelist particular IP by using "check_client_access" and
> you most probably want to have such directive in main.cf.
>

I have a check_sender_access, can I use that?

> Enrico:
> if possible, try contacting the sender that they are supposed to fix
> their helo hostname (you won't be the only one who rejects mail from
> them). If not, explain your customer that you have whitelisted the
> sender's IP and that the problem is on their side.
>

THanks

--
-----------------------------------------------------------
  Enrico Morelli
  System Administrator | Programmer | Web Developer

  CERM - Polo Scientifico
  via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
------------------------------------------------------------
Reply | Threaded
Open this post in threaded view
|

RE: Helo rejected

L.P.H. van Belle
In reply to this post by Dominic Raferd

 Local aliases MUST NOT appear in any SMTP transaction.
 
So correctly rejected, imo.
 
just tell the other site the mail manager forgot to set the outgoing smtp connector in exchange.
Happens so often..
 
 
Greetz,
 
Louis
 
 


Van: [hidden email] [mailto:[hidden email]] Namens Dominic Raferd
Verzonden: vrijdag 10 november 2017 15:30
Aan: Postfix users
Onderwerp: Re: Helo rejected

On 10 November 2017 at 14:08, Enrico Morelli <[hidden email]> wrote:
my user don't receive mail from a real sender cause our mail server
reject the Helo command:

NOQUEUE: reject: RCPT from rrcs-70-60-37-220.central.biz.rr.com[70.60.37.220]: 450 4.7.1
<NTFYOHSrvNLES05.ntfy.local>: Helo command rejected: Host not found; from=<[hidden email]> to=<[hidden email]> proto=ESMTP
helo=<NTFYOHSrvNLES05.ntfy.local>
Nov  8 17:55:46 genio postfix/smtpd[3667]: disconnect from rrcs-70-60-37-220.central.biz.rr.com[70.60.37.220] ehlo=1 mail=1
rcpt=0/1 rset=1 quit=1 commands=4/5

Is there a way to receive these mails?

​You may be using this setting ​in one of your restriction lists: reject_unknown_helo_hostname. Remove this and you should be ok. I think there is not much point worrying about helo hostnames, they are easy to fake in any case. Better to focus on client reverse hostnames.
Reply | Threaded
Open this post in threaded view
|

Re: Helo rejected

Matus UHLAR - fantomas
In reply to this post by Enrico Morelli
>> >On 10 November 2017 at 14:08, Enrico Morelli <[hidden email]>
>> >wrote:
>> >> my user don't receive mail from a real sender cause our mail server
>> >> reject the Helo command:
>> >>
>> >> NOQUEUE: reject: RCPT from
>> >> rrcs-70-60-37-220.central.biz.rr.com[70.60.37.220]: 450 4.7.1
>> >> <NTFYOHSrvNLES05.ntfy.local>: Helo command rejected: Host not
>> >> found; from=<[hidden email]> to=<[hidden email]> proto=ESMTP
>> >> helo=<NTFYOHSrvNLES05.ntfy.local>
>> >> Nov  8 17:55:46 genio postfix/smtpd[3667]: disconnect from
>> >> rrcs-70-60-37-220.central.biz.rr.com[70.60.37.220] ehlo=1 mail=1
>> >> rcpt=0/1 rset=1 quit=1 commands=4/5
>> >>
>> >> Is there a way to receive these mails?

>On Fri, 10 Nov 2017 15:42:16 +0100
>Matus UHLAR - fantomas <[hidden email]> wrote:
>> you can whitelist particular IP by using "check_client_access" and
>> you most probably want to have such directive in main.cf.

On 10.11.17 15:45, Enrico Morelli wrote:
>I have a check_sender_access, can I use that?

depends on where you have the reject_unknown_helo_hostname.

client access is evaluated before sender access, so if you have the
reject_unknown_helo_hostname in smtpd_client_restrictions, you must either
use check_client_access or move the reject_unknown_helo_hostname (and
possibly other checks) to check_sender_access.

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Depression is merely anger without enthusiasm.
Reply | Threaded
Open this post in threaded view
|

Re: Helo rejected

Enrico Morelli
On Fri, 10 Nov 2017 16:08:02 +0100
Matus UHLAR - fantomas <[hidden email]> wrote:

> >> >On 10 November 2017 at 14:08, Enrico Morelli
> >> ><[hidden email]> wrote:  
> >> >> my user don't receive mail from a real sender cause our mail
> >> >> server reject the Helo command:
> >> >>
> >> >> NOQUEUE: reject: RCPT from
> >> >> rrcs-70-60-37-220.central.biz.rr.com[70.60.37.220]: 450 4.7.1
> >> >> <NTFYOHSrvNLES05.ntfy.local>: Helo command rejected: Host not
> >> >> found; from=<[hidden email]> to=<[hidden email]> proto=ESMTP
> >> >> helo=<NTFYOHSrvNLES05.ntfy.local>
> >> >> Nov  8 17:55:46 genio postfix/smtpd[3667]: disconnect from
> >> >> rrcs-70-60-37-220.central.biz.rr.com[70.60.37.220] ehlo=1 mail=1
> >> >> rcpt=0/1 rset=1 quit=1 commands=4/5
> >> >>
> >> >> Is there a way to receive these mails?  
>
> >On Fri, 10 Nov 2017 15:42:16 +0100
> >Matus UHLAR - fantomas <[hidden email]> wrote:  
> >> you can whitelist particular IP by using "check_client_access" and
> >> you most probably want to have such directive in main.cf.  
>
> On 10.11.17 15:45, Enrico Morelli wrote:
> >I have a check_sender_access, can I use that?  
>
> depends on where you have the reject_unknown_helo_hostname.

I've it under smtpd_helo_restrictions.

>
> client access is evaluated before sender access, so if you have the
> reject_unknown_helo_hostname in smtpd_client_restrictions, you must
> either use check_client_access or move the
> reject_unknown_helo_hostname (and possibly other checks) to
> check_sender_access.
>



--
-----------------------------------------------------------
  Enrico Morelli
  System Administrator | Programmer | Web Developer

  CERM - Polo Scientifico
  via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
------------------------------------------------------------
Reply | Threaded
Open this post in threaded view
|

Re: Helo rejected

Matus UHLAR - fantomas
>On Fri, 10 Nov 2017 16:08:02 +0100
>Matus UHLAR - fantomas <[hidden email]> wrote:
>
>> >> >On 10 November 2017 at 14:08, Enrico Morelli
>> >> ><[hidden email]> wrote:
>> >> >> my user don't receive mail from a real sender cause our mail
>> >> >> server reject the Helo command:
>> >> >>
>> >> >> NOQUEUE: reject: RCPT from
>> >> >> rrcs-70-60-37-220.central.biz.rr.com[70.60.37.220]: 450 4.7.1
>> >> >> <NTFYOHSrvNLES05.ntfy.local>: Helo command rejected: Host not
>> >> >> found; from=<[hidden email]> to=<[hidden email]> proto=ESMTP
>> >> >> helo=<NTFYOHSrvNLES05.ntfy.local>
>> >> >> Nov  8 17:55:46 genio postfix/smtpd[3667]: disconnect from
>> >> >> rrcs-70-60-37-220.central.biz.rr.com[70.60.37.220] ehlo=1 mail=1
>> >> >> rcpt=0/1 rset=1 quit=1 commands=4/5
>> >> >>
>> >> >> Is there a way to receive these mails?
>>
>> >On Fri, 10 Nov 2017 15:42:16 +0100
>> >Matus UHLAR - fantomas <[hidden email]> wrote:
>> >> you can whitelist particular IP by using "check_client_access" and
>> >> you most probably want to have such directive in main.cf.
>>
>> On 10.11.17 15:45, Enrico Morelli wrote:
>> >I have a check_sender_access, can I use that?
>>
>> depends on where you have the reject_unknown_helo_hostname.

On 10.11.17 16:12, Enrico Morelli wrote:
>I've it under smtpd_helo_restrictions.

this is evaluated after client and before restrictions -
you must whitelist it before.

>> client access is evaluated before sender access, so if you have the
>> reject_unknown_helo_hostname in smtpd_client_restrictions, you must
>> either use check_client_access or move the
>> reject_unknown_helo_hostname (and possibly other checks) to
>> check_sender_access.


--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines.
Reply | Threaded
Open this post in threaded view
|

Re: Helo rejected

Enrico Morelli
On Fri, 10 Nov 2017 16:24:10 +0100
Matus UHLAR - fantomas <[hidden email]> wrote:

> >On Fri, 10 Nov 2017 16:08:02 +0100
> >Matus UHLAR - fantomas <[hidden email]> wrote:
> >  
> >> >> >On 10 November 2017 at 14:08, Enrico Morelli
> >> >> ><[hidden email]> wrote:  
> >> >> >> my user don't receive mail from a real sender cause our mail
> >> >> >> server reject the Helo command:
> >> >> >>
> >> >> >> NOQUEUE: reject: RCPT from
> >> >> >> rrcs-70-60-37-220.central.biz.rr.com[70.60.37.220]: 450 4.7.1
> >> >> >> <NTFYOHSrvNLES05.ntfy.local>: Helo command rejected: Host not
> >> >> >> found; from=<[hidden email]> to=<[hidden email]> proto=ESMTP
> >> >> >> helo=<NTFYOHSrvNLES05.ntfy.local>
> >> >> >> Nov  8 17:55:46 genio postfix/smtpd[3667]: disconnect from
> >> >> >> rrcs-70-60-37-220.central.biz.rr.com[70.60.37.220] ehlo=1
> >> >> >> mail=1 rcpt=0/1 rset=1 quit=1 commands=4/5
> >> >> >>
> >> >> >> Is there a way to receive these mails?  
> >>  
> >> >On Fri, 10 Nov 2017 15:42:16 +0100
> >> >Matus UHLAR - fantomas <[hidden email]> wrote:  
> >> >> you can whitelist particular IP by using "check_client_access"
> >> >> and you most probably want to have such directive in main.cf.  
> >>
> >> On 10.11.17 15:45, Enrico Morelli wrote:  
> >> >I have a check_sender_access, can I use that?  
> >>
> >> depends on where you have the reject_unknown_helo_hostname.  
>
> On 10.11.17 16:12, Enrico Morelli wrote:
> >I've it under smtpd_helo_restrictions.  
>
> this is evaluated after client and before restrictions -
> you must whitelist it before.

To better understand, have I to put check_client_access here?

smtpd_helo_restrictions = permit_mynetworks,
        permit_sasl_authenticated,
        check_client_access hash:/etc/postfix/client_access,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname


>
> >> client access is evaluated before sender access, so if you have the
> >> reject_unknown_helo_hostname in smtpd_client_restrictions, you must
> >> either use check_client_access or move the
> >> reject_unknown_helo_hostname (and possibly other checks) to
> >> check_sender_access.  
>
>



--
-----------------------------------------------------------
  Enrico Morelli
  System Administrator | Programmer | Web Developer

  CERM - Polo Scientifico
  via Sacconi, 6 - 50019 Sesto Fiorentino (FI) - ITALY
------------------------------------------------------------
Reply | Threaded
Open this post in threaded view
|

Re: Helo rejected

/dev/rob0
In reply to this post by Matus UHLAR - fantomas
On Fri, Nov 10, 2017 at 04:08:02PM +0100, Matus UHLAR - fantomas wrote:

> > > >On 10 November 2017 at 14:08, Enrico Morelli
> > > ><[hidden email]> wrote:
> > > >> my user don't receive mail from a real sender cause our
> > > >> mail server reject the Helo command:
> > > >>
> > > >> NOQUEUE: reject: RCPT from
> > > >> rrcs-70-60-37-220.central.biz.rr.com[70.60.37.220]: 450
> > > >> 4.7.1 <NTFYOHSrvNLES05.ntfy.local>: Helo command rejected:
> > > >> Host not found; from=<[hidden email]> to=<[hidden email]>
> > > >> proto=ESMTP helo=<NTFYOHSrvNLES05.ntfy.local>
> > > >> Nov 8 17:55:46 genio postfix/smtpd[3667]: disconnect from
> > > >> rrcs-70-60-37-220.central.biz.rr.com[70.60.37.220] ehlo=1
> > > >> mail=1 rcpt=0/1 rset=1 quit=1 commands=4/5
> > > >>
> > > >> Is there a way to receive these mails?
>
> > On Fri, 10 Nov 2017 15:42:16 +0100
> > Matus UHLAR - fantomas <[hidden email]> wrote:
> > > you can whitelist particular IP by using "check_client_access"
> > > and you most probably want to have such directive in main.cf.
>
> On 10.11.17 15:45, Enrico Morelli wrote:
> > I have a check_sender_access, can I use that?
>
> depends on where you have the reject_unknown_helo_hostname.

Well, mainly no.  A check_sender_access looks up the SENDER address
("MAIL FROM <sender@address>"), and that is generally a bad idea,
both for whitelisting and blacklisting.  Do not do that unless there
would be no other option.

> client access is evaluated before sender access, so if you have the

No.  ANY access(5) lookup takes place exactly when you specify that
restriction.  You cannot say this categorically.  It is quite
possible to mix restrictions such that "earlier" SMTP parts are
checked after RCPT TO, or even after DATA.

> reject_unknown_helo_hostname in smtpd_client_restrictions, you
> must either use check_client_access or move the
> reject_unknown_helo_hostname (and possibly other checks) to
> check_sender_access.

Much is confused in this sentence.

You can do check_mumble_access in pretty much any of the smtpd
restrictions stages.

The OP needs to do a CLIENT access lookup, but that lookup must
precede the reject_unknown_helo_hostname restriction in whichever
restriction stage it is being used.

Many users find it easier to put all restrictions in a single stage,
so everything can be seen in a linear way.  For more details and
exceptions,

http:://www.postfix.org/SMTPD_ACCESS_README.html
--
  http://rob0.nodns4.us/
  Offlist GMX mail is seen only if "/dev/rob0" is in the Subject:
Reply | Threaded
Open this post in threaded view
|

Re: Helo rejected

Matus UHLAR - fantomas
In reply to this post by Enrico Morelli
>> >> >> >On 10 November 2017 at 14:08, Enrico Morelli
>> >> >> ><[hidden email]> wrote:
>> >> >> >> my user don't receive mail from a real sender cause our mail
>> >> >> >> server reject the Helo command:
>> >> >> >>
>> >> >> >> NOQUEUE: reject: RCPT from
>> >> >> >> rrcs-70-60-37-220.central.biz.rr.com[70.60.37.220]: 450 4.7.1
>> >> >> >> <NTFYOHSrvNLES05.ntfy.local>: Helo command rejected: Host not
>> >> >> >> found; from=<[hidden email]> to=<[hidden email]> proto=ESMTP
>> >> >> >> helo=<NTFYOHSrvNLES05.ntfy.local>
>> >> >> >> Nov  8 17:55:46 genio postfix/smtpd[3667]: disconnect from
>> >> >> >> rrcs-70-60-37-220.central.biz.rr.com[70.60.37.220] ehlo=1
>> >> >> >> mail=1 rcpt=0/1 rset=1 quit=1 commands=4/5
>> >> >> >>
>> >> >> >> Is there a way to receive these mails?
>> >>
>> >> >On Fri, 10 Nov 2017 15:42:16 +0100
>> >> >Matus UHLAR - fantomas <[hidden email]> wrote:
>> >> >> you can whitelist particular IP by using "check_client_access"
>> >> >> and you most probably want to have such directive in main.cf.

On 10.11.17 16:37, Enrico Morelli wrote:
>To better understand, have I to put check_client_access here?
>
>smtpd_helo_restrictions = permit_mynetworks,
>        permit_sasl_authenticated,
> check_client_access hash:/etc/postfix/client_access,
>        reject_invalid_helo_hostname,
>        reject_non_fqdn_helo_hostname,
>        reject_unknown_helo_hostname

yes, that's good way where to put it.

Note that if you have any directives in smtpd_client_restrictions as
blackliets etc, you can put check_client_access before those, so you can
whitelist multiple reasons at once

--
Matus UHLAR - fantomas, [hidden email] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
The early bird may get the worm, but the second mouse gets the cheese.