On 23.12.2014 at 14:32, James B. Byrne wrote:
> We have an smtpd_helo_restriction of reject_unknown_helo_hostname that regularly fails for one of our (very) large correspondents.
you can't use this seriously because of too many people not able or willing to set up their basic prerequisites for a reliable MTA
and "reject_non_fqdn_helo_hostname" and "reject_invalid_helo_hostname" are the best you can do without support overhead and reject legit mail
> As it turns out the reason is quite legitimate, the helo identity fqdn issued from several of their email gateways does not match up to the IP address that they are using. There is nothing much one can do about that save exempting their domain in the helo_checks map. However, in tracking this down I discovered that they were using multiple PTR records to reverse map the same IP address back to multiple hosts
that stupidity happens from time to time that ISPs follow customer requests and set "mail.customer.tld" but do not remove their "1.2.3.4-cust.stupid-isp.tld" PTR and so mail becomes a lottery
but this has nothing to do with "reject_unknown_helo_hostname" which only checks if the hostname has a PTR at all and if that is a problem you have enabled some more restriction
you forgot to post "postconf -n"
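
A small model of the multiple-PTR "lottery" discussed in this thread, added here as an illustration and not part of the original messages or of Postfix's code. The IP address, the hostnames and the receiver that forward-confirms only one PTR answer are constructed assumptions.

```python
# Added illustration: forward-confirmed reverse DNS (FCrDNS) over a constructed
# zone, showing why several PTR records on one IP make verification a lottery.
import random

# Constructed sample data (documentation address, placeholder names).
PTR = {  # IP -> every PTR record published for it
    "192.0.2.25": ["mail.customer.example", "192-0-2-25-cust.isp.example"],
}
A = {  # hostname -> addresses it resolves to
    "mail.customer.example": ["192.0.2.25"],
    # the ISP's generic name has no matching A record in this sample
}


def fcrdns(ip, name):
    """True when `name` is a PTR of `ip` and also resolves back to `ip`."""
    return name in PTR.get(ip, []) and ip in A.get(name, [])


def audit(ip):
    """Report, for every PTR name of `ip`, whether it forward-confirms."""
    return {name: fcrdns(ip, name) for name in PTR.get(ip, [])}


def single_answer_check(ip, rng):
    """Assumed receiver model: take ONE PTR answer (resolver order is not
    guaranteed) and forward-confirm only that name."""
    names = PTR.get(ip, [])
    if not names:
        return None, False
    name = rng.choice(names)
    return name, fcrdns(ip, name)


def pass_rate(ip, trials=1000, seed=1):
    """Fraction of simulated connections from `ip` that verify."""
    rng = random.Random(seed)
    ok = sum(single_answer_check(ip, rng)[1] for _ in range(trials))
    return ok / trials


if __name__ == "__main__":
    print(audit("192.0.2.25"))
    print("share of connections that verify:", pass_rate("192.0.2.25"))
```

Running `audit()` over your own sending addresses before contacting the ISP shows which leftover PTR name has to be removed.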