On Fri, Dec 03, 2021 at 11:08:52AM +0100, Jaroslaw Rafa <r...@rafa.eu.org> wrote:

> On 3.12.2021 at 09:14:23, Fourhundred Thecat wrote:
> > Hello,
> > 
> > I have strict helo checks:
> > 
> >   smtpd_helo_required     = yes
> >   smtpd_helo_restrictions = reject_non_fqdn_helo_hostname,
> >                             reject_invalid_helo_hostname,
> >                             reject_unknown_helo_hostname
> > 
> > now I have noticed mails being rejected:
> > 
> >   Helo command rejected: Host not found
> > 
> >   warning: hostname mail-eopbgr80085.outbound.protection.outlook.com
> > does not resolve to address 40.107.8.85: Name or service not known
> 
> reject_unknown_helo_hostname is known to produce quite a lot of false
> positives, and it is not recommended to use this restriction.
> -- 
> Regards,
>    Jaroslaw Rafa
>    r...@rafa.eu.org

If you do want to use it, you can add exceptions for any
false positives that you care about. You can change it to
this:

  /etc/postfix/main.cf:
  smtpd_helo_restrictions =
    check_helo_access hash:/etc/postfix/helo-access
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    reject_unknown_helo_hostname

  /etc/postfix/helo-access:
  .outbound.protection.outlook.com OK

I also have permit_mynetworks and permit_sasl_authenticated
at the start of smtpd_helo_restrictions.

See http://www.postfix.org/postconf.5.html#smtpd_helo_restrictions
and http://www.postfix.org/access.5.html for details. Don't forget
to run "postmap hash:/etc/postfix/helo-access" whenever you change
the helo-access file.

Another good candidate for the helo-access file is
".outbound-mail.sendgrid.net".

It's a good idea to keep an eye on the false positives. You can regularly
run a script to scan the logs and show the relevant information.
I use something like this:

  #!/usr/bin/env perl
  use warnings;
  use strict;

  # chkhelo - Scan maillogs to check for reject_unknown_helo_hostname related errors

  @ARGV = ('/var/log/mail.log.1', '/var/log/mail.log') unless @ARGV;
  my $prev_date = '';

  while (<>)
  {
      next unless /Helo command rejected: Host not found/;
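      my ($date) = $_ =~ /^(\w+\s{1,2}\d{1,2})\s/;
      $date = 'unknown date' unless defined $date;   # timestamp not in "Mon DD" syslog form
      print("$date:\n"), $prev_date = $date unless $date eq $prev_date;
      # Extract the envelope sender, recipient and HELO name from the reject line
      my ($from, $to, $helo) = $_ =~ /from=<([^>]*)>.*to=<([^>]*)>.*helo=<([^>]*)>/;
      next unless defined $helo;   # skip lines without the expected fields
      printf("helo=%-40s to=%-30s from=%s\n", $helo, $to, $from);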
  }

cheers,
raf
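
An added example, not part of the original message: it counts the rejected HELO names that no helo-access entry would match, trying keys in the order access(5) documents for host names (full name, then parent domains). Whether the subdomain key is ".domain.tld" or "domain.tld" depends on whether smtpd_access_maps is listed in parent_domain_matches_subdomains (check with "postconf parent_domain_matches_subdomains"), modelled here by the parent_style flag; the function names and sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the usual Postfix reject-line layout (not real traffic).
SAMPLE_LOG = """\
Dec  3 09:14:23 mx postfix/smtpd[1201]: NOQUEUE: reject: RCPT from unknown[40.107.8.85]: 450 4.7.1 <mail-eopbgr80085.outbound.protection.outlook.com>: Helo command rejected: Host not found; from=<a@example.org> to=<u@example.net> proto=ESMTP helo=<mail-eopbgr80085.outbound.protection.outlook.com>
Dec  3 10:02:11 mx postfix/smtpd[1207]: NOQUEUE: reject: RCPT from unknown[192.0.2.7]: 450 4.7.1 <smtp.example.invalid>: Helo command rejected: Host not found; from=<b@example.org> to=<u@example.net> proto=ESMTP helo=<smtp.example.invalid>
Dec  4 08:30:00 mx postfix/smtpd[1300]: NOQUEUE: reject: RCPT from unknown[192.0.2.7]: 450 4.7.1 <smtp.example.invalid>: Helo command rejected: Host not found; from=<c@example.org> to=<u@example.net> proto=ESMTP helo=<smtp.example.invalid>
"""
SAMPLE_ACCESS = ".outbound.protection.outlook.com OK\n"  # entry from the message above

HELO_RE = re.compile(r"Helo command rejected: Host not found.*\bhelo=<([^>]*)>")

def load_access(text):
    """Parse 'pattern action' source lines (continuation lines not handled)."""
    table = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            table[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return table

def lookup_keys(helo, parent_style):
    """Keys tried for a host name: the full name, then each parent domain.
    parent_style=True: bare 'domain.tld' keys; False: '.domain.tld' keys."""
    name = helo.lower().rstrip(".")
    keys = [name]
    while "." in name:
        name = name.split(".", 1)[1]
        keys.append(name if parent_style else "." + name)
    return keys

def uncovered_helos(log_text, access_text, parent_style):
    """Return [(helo, count)] for rejects that no access entry matches."""
    table = load_access(access_text)
    counts = Counter()
    for line in log_text.splitlines():
        m = HELO_RE.search(line)
        if m and not any(k in table for k in lookup_keys(m.group(1), parent_style)):
            counts[m.group(1).lower()] += 1
    return counts.most_common()

if __name__ == "__main__":
    for style in (False, True):
        print("parent_style =", style)
        for helo, n in uncovered_helos(SAMPLE_LOG, SAMPLE_ACCESS, style):
            print(f"  {n:3d}  {helo}")
```

A name that still shows up under the mode your server uses is not being exempted by the table, so either the key form does not match that mode or the entry is missing.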
