[Samba] Helo Checks not always working?
L.P.H. van Belle
belle at bazuin.nl
Thu Jan 7 13:50:32 UTC 2016
All i have is :
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated
I disabled the unknown restriction due to lots of customers of me are missing PTR records, which needs to be set bij the internet provider.
So they got blocked, i had to remove these.
The Helo check is often on the IT department can adjust them selfs.
And most spammers have incorrect helo’s also.
Van: Thomas Nagel [mailto:tn-postfix at saarcube.de]
Verzonden: donderdag 7 januari 2016 14:40
Aan: L.P.H. van Belle
Onderwerp: Re: Helo Checks not always working?
thank you - that makes a lot of sense - but you can't tell from the logfile ...
is it ok to put in these or is it breaking something? I would think that I need at least permit_mynetworks & permit_sasl_authenticated in the smtpd_client_restrictions or do these permits permit and therby skip all other checks? Like smtpd_recipient and smtpd_sender?
Am 07.01.2016 um 14:35 schrieb L.P.H. van Belle:
These are 2 different things.
Unknow hostname is a missing PTR record
For that you can use :
smtpd_client_restrictions = ...
"unknown" is also the name in the case of a temporary dns lookup failure. so using 5xx for all "unknown" is not a good idea.
# reject_unknown_client_hostname: requires that the address->name and name->address mappings exist, but also that the two mappings reproduce the client IP address
# reject_unknown_reverse_client_hostname: Reject the request when the client IP address has no address->name mapping. This is a weaker restriction than the reject_unknown_client_hostname
> -----Oorspronkelijk bericht-----
> Van: tn-postfix at saarcube.de [mailto:owner-postfix-users at postfix.org]
> Namens Thomas Nagel
> Verzonden: donderdag 7 januari 2016 14:18
> Aan: Postfix users
> Onderwerp: Helo Checks not always working?
> we encountered a strange behaviour.
> We enabled smtp_helo_restrictions:
> smtpd_helo_required = yes
> smtpd_helo_restrictions =
> # check_client_access hash:/etc/postfix/
> check_helo_access hash:/etc/postfix/check_helo_access
> unknown_hostname_reject_code = 550
> in the "check_helo_access" map there are only certain senders with their
> special invalid HELOs whitelisted, but no "unknown" or the mentioned IP
> Most of the time connectors with invalid DNS Records are blocked like
> Jan 3 06:36:21 server postfix/smtpd: connect from
> Jan 3 06:36:22 server postfix/smtpd: NOQUEUE: reject: RCPT from
> unknown[188.8.131.52]: 504 5.5.2 <184.108.40.206>: Helo command
> rejected: need fully-qualified hostname; from=<>
> to=<example at example.com> proto=SMTP helo=<220.127.116.11>
> - but sometimes we see this:
> Jan 5 16:43:30 server postfix/smtpd: connect from
> Jan 5 16:43:30 server postgrey: action=pass, reason=recipient
> whitelist, client_name=unknown, client_address=18.104.22.168,
> sender=info at gmail.com, recipient=info at example.com
> Jan 5 16:43:30 server postfix/smtpd: B064010A1B5E:
> Jan 5 16:43:30 server postfix/cleanup: B064010A1B5E:
> message-id=<20160105094329.FAB7FFC87CC25243 at gmail.com>
> Jan 5 16:43:30 server postfix/qmgr: B064010A1B5E:
> from=<info at gmail.com>, size=2536, nrcpt=1 (queue active)
> Jan 5 16:43:30 server postfix/smtpd: disconnect from
> Shouldn't this be blocked when the helo restrictions are applied? So the
> mail shouldn't actually be passed on?
More information about the samba