On 12/3/2015 5:01 PM, Thomas Nagel wrote:
> Hi,
>
> we implemented a smtpd_helo_restrictions check with this configuration:
>
> smtpd_helo_restrictions =
>     permit_mynetworks,
>     permit_sasl_authenticated,
>     # check_client_access hash:/etc/postfix/
>     check_helo_access hash:/etc/postfix/check_helo_access
>     reject_invalid_helo_hostname
>     # reject_non_fqdn_helo_hostname
>     # reject_invalid_helo_hostname
>     reject_unknown_helo_hostname
>
> when implementing this, we had some problems with some sending
> mailservers that used HELOs which had invalid or unknown HELOs - but
> needed to be let through - so we populated a whitelist. Since then -
> once a month a customer complains about not getting a mail from an
> external sender - we look those HELOs up in the log file and put it
> in the whitelist and inform the postmaster of the sending server
> about the configuration failure.
>
> Spam has reduced a lot since this measure.
>
> But: since we only have reject_unknown_helo_hostname - there we send
> only temp (450) errors back even for addresses that don't even exist.
> How can we cope with this?
> Is it okay to change the error code in unknown_hostname_reject_code
> from the default (450) to some permanent 5xx code? In the manual it
> says "Do not change this unless you have a complete understanding of
> RFC 2821." - so I am careful and ask for help.

If you're reasonably sure that rule isn't rejecting too much legit
mail, you can change the reject code to 550.

Note that reject_unknown_helo_hostname is known to reject otherwise
legit mail from misconfigured sites -- occasionally including big
well known providers -- and many admins find the false positive rate
uncomfortably high. But you can make that decision for yourself.

>
> There are some servers that try and keep sending mail to non
> existent addresses - I think it has something to do with the temp
> error code they are getting.

Most likely. You can add the "reject_unlisted_recipient" rule
somewhere above the reject_unknown_helo_hostname to reject
non-existent recipients earlier.
http://www.postfix.org/postconf.5.html#reject_unlisted_recipient

  -- Noel Jones
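
To judge the condition in the reply above (whether the rule rejects too much legitimate mail) before raising unknown_hostname_reject_code to 550, the rejections can be tallied per HELO name from the mail log. This is an added example, not part of the original thread; the log lines are constructed samples in Postfix's usual reject format, and `summarize` and `review_list` are hypothetical helper names.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines (not from the thread), in the format Postfix
# smtpd logs when reject_unknown_helo_hostname fires at the RCPT stage.
SAMPLE_LOG = """\
Dec  3 10:00:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 <mail.example.invalid>: Helo command rejected: Host not found; from=<news@example.org> to=<alice@example.com> proto=ESMTP helo=<mail.example.invalid>
Dec  3 10:05:01 mx postfix/smtpd[2107]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 <mail.example.invalid>: Helo command rejected: Host not found; from=<news@example.org> to=<alice@example.com> proto=ESMTP helo=<mail.example.invalid>
Dec  3 10:15:01 mx postfix/smtpd[2119]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 450 4.7.1 <mail.example.invalid>: Helo command rejected: Host not found; from=<news@example.org> to=<alice@example.com> proto=ESMTP helo=<mail.example.invalid>
Dec  3 10:16:40 mx postfix/smtpd[2121]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.7.1 <relay.partner.test>: Helo command rejected: Host not found; from=<bob@partner.test> to=<carol@example.com> proto=ESMTP helo=<relay.partner.test>
Dec  3 10:18:12 mx postfix/smtpd[2125]: NOQUEUE: reject: RCPT from unknown[203.0.113.5]: 450 4.7.1 <relay.partner.test>: Helo command rejected: Host not found; from=<dave@partner.test> to=<erin@example.com> proto=ESMTP helo=<relay.partner.test>
Dec  3 10:20:00 mx postfix/smtpd[2140]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown in local recipient table; from=<x@example.net> to=<nobody@example.com> proto=ESMTP helo=<mail.example.net>
"""

# Matches only the "Host not found" HELO rejection; other reject reasons are skipped.
HELO_REJECT = re.compile(
    r"reject: RCPT from \S+\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) \S+ <[^>]*>: "
    r"Helo command rejected: Host not found; "
    r"from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]*)> proto=\S+ helo=<(?P<helo>[^>]*)>"
)

def summarize(log_text):
    """Map each rejected HELO name to a Counter of (sender, recipient) attempts."""
    per_helo = defaultdict(Counter)
    for line in log_text.splitlines():
        m = HELO_REJECT.search(line)
        if m:
            pair = (m["sender"].lower(), m["rcpt"].lower())
            per_helo[m["helo"].lower()][pair] += 1
    return per_helo

def review_list(per_helo):
    """Rows of (helo, attempts, distinct sender/recipient pairs, max retries of one pair)."""
    rows = [(h, sum(c.values()), len(c), max(c.values())) for h, c in per_helo.items()]
    # Most-rejected HELO names first, ties broken alphabetically.
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for helo, attempts, pairs, retries in review_list(summarize(SAMPLE_LOG)):
        print(f"{helo:28} attempts={attempts} pairs={pairs} max_retries={retries}")
```

A HELO name with many distinct sender/recipient pairs is worth checking by hand as a possible misconfigured legitimate server; a single pair retried many times is the retry-after-450 pattern described in the thread.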
