Hello,
Earlier this year I split submissions from inbound smtp.
This has yielded a great improvement in authenticating users and
allowing more aggressive smtp rejection.
However I had trouble for the first time today configuring a client
for the submission port. Mail from this client is rejected with:
Oct 21 13:11:31 atom postfix/smtpd[8849]: NOQUEUE: reject: RCPT from xxxxx[aa.bb.cc.dd]: 504 5.5.2 <johnealaptop>: Helo command rejected: need fully-qualified hostname; from=<outl...@telco-op.org> to=<m...@johnea.net> proto=ESMTP helo=<johnealaptop>
I was under the impression that the -o options specified for submission
in the master.cf file superseded the general options specified in main.cf
(hey, I'm an EE, no one ever taught me how to do this stuff)
FQDN HELO is required in the main.cf but I believed that the delayed
evaluation would allow the sasl authentication specified for submission.
This is the helo restrictions section of the main.cf:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
disable_vrfy_command = yes
smtpd_helo_required = yes
smtpd_helo_restrictions =
    permit_mynetworks,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    reject_unknown_helo_hostname,
    permit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I will happily supply the whole file if this is not enough.
This is the complete master.cf file:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Postfix master process configuration file. For details on the format
# of the file, see the master(5) manual page (command: "man 5 master").
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type private unpriv chroot wakeup maxproc command + args
# (yes) (yes) (yes) (never) (100)
# ==========================================================================
smtp inet n - n - - smtpd
submission inet n - n - - smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#smtps inet n - n - - smtpd
# -o smtpd_tls_wrappermode=yes
# -o smtpd_sasl_auth_enable=yes
# -o smtpd_client_restrictions=permit_sasl_authenticated,reject
# -o milter_macro_daemon_name=ORIGINATING
#628 inet n - n - - qmqpd
pickup fifo n - n 60 1 pickup
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
#qmgr fifo n - n 300 1 oqmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
# When relaying mail as backup MX, disable fallback_relay to avoid MX loops
relay unix - - n - - smtp
  -o smtp_fallback_relay=
# -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
# add policy line for spf -jea 2009-07-07
policy unix - n n - - spawn
  user=nobody argv=/usr/local/sbin/postfix-policyd-spf
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Should I move the main.cf helo restrictions into recipient restrictions?
Or maybe just specify a blank helo restrictions line for submission in
the master.cf?
Thank You Very Much for sharing your expertise!
johnea
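An added example, not part of the original post and not Postfix code: a simplified Python model of how the -o arguments on the submission service combine with main.cf, and of why the helo list still rejects an authenticated client. It assumes the client authenticated via SASL and is outside mynetworks; the function names and rule table are illustrative, and the DNS-based helo checks are not modelled.

```python
import re

# Constructed from the post: the helo list in main.cf and the -o arguments
# of the submission service in master.cf.
MAIN_CF = {
    "smtpd_helo_restrictions": "permit_mynetworks, reject_non_fqdn_helo_hostname,"
    " reject_invalid_helo_hostname, reject_unknown_helo_hostname, permit",
}
SUBMISSION_ARGS = [
    "-o", "smtpd_tls_security_level=encrypt",
    "-o", "smtpd_sasl_auth_enable=yes",
    "-o", "smtpd_client_restrictions=permit_sasl_authenticated,reject",
    "-o", "milter_macro_daemon_name=ORIGINATING",
]

# Simplified rule model: each rule returns "permit", "reject", or None (no decision).
RULES = {
    "permit": lambda s: "permit",
    "reject": lambda s: "reject",
    "permit_mynetworks": lambda s: "permit" if s["in_mynetworks"] else None,
    "permit_sasl_authenticated": lambda s: "permit" if s["sasl"] else None,
    "reject_non_fqdn_helo_hostname": lambda s: "reject" if "." not in s["helo"] else None,
}

def effective_params(main_cf, service_args):
    """Return main.cf values with only the parameters named by -o replaced."""
    params = dict(main_cf)
    args = iter(service_args)
    for arg in args:
        if arg == "-o":
            name, _, value = next(args).partition("=")
            params[name.strip()] = value.strip()
    return params

def evaluate(params, session):
    """Walk the client list, then the helo list; any reject is final."""
    for stage in ("smtpd_client_restrictions", "smtpd_helo_restrictions"):
        for rule in filter(None, re.split(r"[,\s]+", params.get(stage, ""))):
            verdict = RULES.get(rule, lambda s: None)(session)  # unmodelled rules: no decision
            if verdict == "reject":
                return ("reject", stage, rule)
            if verdict == "permit":
                break  # a permit ends this list only; later lists still run
    return ("permit", None, None)

# Session taken from the log line; sasl=True and in_mynetworks=False are assumptions.
SESSION = {"helo": "johnealaptop", "sasl": True, "in_mynetworks": False}

if __name__ == "__main__":
    print(evaluate(effective_params(MAIN_CF, SUBMISSION_ARGS), SESSION))
    fixed = SUBMISSION_ARGS + ["-o", "smtpd_helo_restrictions="]
    print(evaluate(effective_params(MAIN_CF, fixed), SESSION))
```

The second call models the blank helo override asked about in the post; on a live system the effective value for the service should be confirmed against the running configuration rather than this model.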