On 14 Jan 2021, at 7:53, Matus UHLAR - fantomas wrote:

> On 14.01.21 11:27, Fourhundred Thecat wrote:
>> Let's say a client connects and triggers several errors. For instance:
>>
>> EHLO asdf
>> ....
>> mail from: [email protected]
>> 250 2.1.0 Ok
>> rcpt to: [email protected]
>> 504 5.5.2 <asdf>: Helo command rejected: need fully-qualified hostname
>>
>> Why did the "Helo command rejected" not come immediately after the wrong
>> EHLO? Why did postfix wait until the failed relay to report the EHLO?
>
> To log all parameters, like mail from: and rcpt to:. That helps a lot when
> digging through logs to find out why someone's mail was refused.
Also, technically, because smtpd_delay_reject is "yes" which is the
default in recent versions of Postfix.
The rationale for smtpd_delay_reject is both to allow for logging of
sender and recipient(s) and to reject mail at a point (RCPT) where all
generally well-behaved senders will recognize it as an unconditional
permanent failure. Historically some MTAs responded to 5xx replies
before RCPT by retrying, which isn't what you want.
>> And even worse, the client tries to relay mail, but no "relay access
>> denied" is being logged.
>
> The mail can only be rejected with one error; the first error is used.
>
>> I am much more interested in "relay access denied" than in a non-FQDN
>> EHLO.
>
> You can disable the helo checks. I don't recommend that.
Rather than disabling helo checks, it is possible to put them in
smtpd_recipient_restrictions or smtpd_relay_restrictions *AFTER* actual
relay restrictions, so that the first error hit is the unauthorized
relay.
Note that because helo checks are usually extremely fast (e.g. checking
a string for a '.') it may be better on extremely performance-sensitive
systems to keep helo checks in smtpd_helo_restrictions so that those
cheap rejections are done without going through the slower work that may
be required for nuanced relay restrictions, such as full-circle DNS
lookups.
> I usually allow both relaying and simple helo strings for authenticated
> mail.
Authentication is best reserved for submission services (ports 465 and
587), not inbound (port 25) SMTP.
--
Bill Cole
[email protected] or [email protected]
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
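To make the ordering effect discussed in this thread concrete, here is an added example (not code from the thread, and not Postfix's own code): a toy model of how Postfix walks its restriction lists at RCPT TO when smtpd_delay_reject = yes. It runs the thread's session (EHLO asdf, then a RCPT TO for a domain the server does not handle) against two constructed main.cf fragments, the "before" one with reject_non_fqdn_helo_hostname in smtpd_helo_restrictions, and the "after" one with the same check moved behind reject_unauth_destination, and shows which single error each configuration reports. The local domain example.com, the sender and recipient addresses, and the four simplified restriction implementations are all assumptions made for the example; the reply texts copy Postfix's wording, and the stage order (client, helo, sender, relay, recipient) is the one Postfix 2.10 and later uses for the delayed lists.

```python
"""Toy model of how Postfix walks its smtpd_*_restrictions lists at RCPT TO
when smtpd_delay_reject = yes.  Added example, not Postfix code; domains,
addresses and main.cf fragments below are constructed for illustration."""
from typing import NamedTuple

PERMIT, REJECT, DUNNO = "permit", "reject", "dunno"
MYDESTINATION = {"example.com"}   # assumed: the only domain delivered locally
RELAY_DOMAINS = set()             # assumed: secondary MX for nobody


class Session(NamedTuple):
    helo: str
    sender: str
    recipient: str
    in_mynetworks: bool = False
    sasl_authenticated: bool = False


# Each restriction returns (status, reply) like Postfix's DUNNO/PERMIT/REJECT;
# reply wording copies Postfix, the checks themselves are simplified.
def reject_non_fqdn_helo_hostname(s):
    """Reject unless HELO/EHLO is an FQDN or an [address literal]."""
    if s.helo.startswith("[") and s.helo.endswith("]"):
        return DUNNO, None
    labels = s.helo.split(".")
    if len(labels) < 2 or any(not label for label in labels):
        return REJECT, (f"504 5.5.2 <{s.helo}>: Helo command rejected: "
                        "need fully-qualified hostname")
    return DUNNO, None

def permit_mynetworks(s):
    return (PERMIT if s.in_mynetworks else DUNNO), None

def permit_sasl_authenticated(s):
    return (PERMIT if s.sasl_authenticated else DUNNO), None

def reject_unauth_destination(s):
    # Reject unless the recipient domain is one we deliver or relay for.
    domain = s.recipient.rpartition("@")[2].lower()
    if domain in MYDESTINATION or domain in RELAY_DOMAINS:
        return DUNNO, None
    return REJECT, f"554 5.7.1 <{s.recipient}>: Relay access denied"

RESTRICTIONS = {f.__name__: f for f in (
    reject_non_fqdn_helo_hostname, permit_mynetworks,
    permit_sasl_authenticated, reject_unauth_destination)}

# Order in which Postfix (2.10+) runs the delayed lists at RCPT TO.  PERMIT ends
# only its own list; the first REJECT ends everything, so one error is reported.
STAGES = ("client", "helo", "sender", "relay", "recipient")

def parse_main_cf(text):
    """Extract the smtpd_*_restrictions lists from a one-setting-per-line main.cf."""
    config = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key.startswith("smtpd_") and key.endswith("_restrictions"):
            stage = key[len("smtpd_"):-len("_restrictions")]
            config[stage] = [v.strip() for v in value.split(",") if v.strip()]
    return config

def run_list(names, s):
    # Walk one restriction list; the first PERMIT or REJECT ends it.
    for name in names:
        status, reply = RESTRICTIONS[name](s)
        if status != DUNNO:
            return status, reply
    return DUNNO, None

def evaluate_rcpt(main_cf, s):
    """Return the SMTP reply the client gets for its RCPT TO."""
    config = parse_main_cf(main_cf)
    for stage in STAGES:
        status, reply = run_list(config.get(stage, []), s)
        if status == REJECT:
            return reply
    return "250 2.1.5 Ok"

# What the thread describes: HELO check in its own list, relay check later.
BEFORE = """
smtpd_helo_restrictions = reject_non_fqdn_helo_hostname
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
"""
# The reordering suggested above: the HELO check now sits behind the relay decision.
AFTER = """
smtpd_helo_restrictions =
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_recipient_restrictions = reject_non_fqdn_helo_hostname
"""

# Constructed sessions: the thread's case, then inbound mail with bad and good HELO.
RELAY_ATTEMPT = Session("asdf", "spam@sender.example", "victim@elsewhere.example")
INBOUND_BAD_HELO = Session("asdf", "spam@sender.example", "postmaster@example.com")
INBOUND_GOOD = Session("mx.sender.example", "alice@sender.example", "postmaster@example.com")

def demo():
    return {
        "before/relay": evaluate_rcpt(BEFORE, RELAY_ATTEMPT),
        "after/relay": evaluate_rcpt(AFTER, RELAY_ATTEMPT),
        "after/inbound-bad-helo": evaluate_rcpt(AFTER, INBOUND_BAD_HELO),
        "after/inbound-good": evaluate_rcpt(AFTER, INBOUND_GOOD),
    }
```

Calling demo() shows the two outcomes the thread contrasts: with BEFORE the relay attempt is answered with the 504 HELO rejection, because the helo list runs before the relay list and the first REJECT wins; with AFTER the same session gets "554 5.7.1 ... Relay access denied", while inbound mail for example.com with the bad HELO is still rejected, now from smtpd_recipient_restrictions, and a proper FQDN HELO is accepted. Note that a PERMIT in smtpd_relay_restrictions (say from permit_sasl_authenticated) ends only that list, so the HELO check in smtpd_recipient_restrictions still runs afterwards; a site that wants to skip it for authenticated clients has to put permit_sasl_authenticated in front of it in that list too, which is the kind of allowance discussed above and, per the last reply, belongs on the submission service rather than on port 25.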