On Fri, Dec 23, 2022 at 09:51:48AM +0400, Samer Afach <samer.af...@msn.com> wrote:
> I see. Thank you for the explanation. So the right way to state this is that
> HELO/EHLO requires a valid FQDN/hostname only for MTAs, and for MUAs it's
> just ignored because authentication is what matters.
>
> Cheers,
> Sam

It's only ignored when configured to be ignored.
The way that the difference between port 25 and
port 587 is implemented is that main.cf has settings
for smtpd_*_restrictions that are used for MTA-to-MTA
traffic on port 25, e.g.:

  /etc/postfix/main.cf:
  smtpd_helo_restrictions =
    permit_mynetworks
    check_helo_access hash:/etc/postfix/helo-access
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    # The following is unwise without the check_helo_access
    # above and constant monitoring for false positives.
    reject_unknown_helo_hostname
    permit

And then master.cf contains services with overrides
to the settings in main.cf, and the overrides apply
to the particular service, e.g. for port 587:

  /etc/postfix/master.cf:
  submission inet n       -       y       -       -       smtpd
    -o syslog_name=postfix/$service_name
    -o smtpd_tls_security_level=encrypt
    -o smtpd_sasl_auth_enable=yes
    -o smtpd_tls_auth_only=yes
    -o smtpd_reject_unlisted_recipient=no
    -o smtpd_client_restrictions=
    -o smtpd_helo_restrictions=
    -o smtpd_sender_restrictions=
    -o smtpd_recipient_restrictions=
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

The above submission service contains
smtpd_helo_restrictions= which replaces the
smtpd_helo_restrictions setting in main.cf but
only for connections that come in via port 587
which, thanks to the overriding
smtpd_tls_security_level=encrypt, must be encrypted,
and thanks to the overriding smtpd_relay_restrictions
setting, must be SASL-authenticated.

cheers,
raf
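
Added example (not part of raf's message and not Postfix code): a small Python resolver for the layering described above, in which a master.cf -o override, even an empty one, replaces the main.cf value for that one service. The sample files are constructed and abridged from the message; the port-25 "smtp inet" line and all function names are assumptions.

```python
import re
# Constructed sample, abridged from the message; the "smtp inet" line is an assumed stock entry.
MAIN_CF = """\
smtpd_helo_restrictions =
    permit_mynetworks
    check_helo_access hash:/etc/postfix/helo-access
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    # The following is unwise without the check_helo_access above.
    reject_unknown_helo_hostname
    permit
"""
MASTER_CF = """\
smtp       inet  n  -  y  -  -  smtpd
submission inet  n  -  y  -  -  smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_helo_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""

def logical_lines(text):
    """Drop blank/comment lines; fold lines that start with whitespace."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def parse_main(text):
    """main.cf -> {parameter: value with whitespace normalised}."""
    pairs = (line.partition("=") for line in logical_lines(text))
    return {name.strip(): " ".join(value.split()) for name, _, value in pairs}

def parse_master(text):
    """master.cf -> {"service/type": {parameter: value}}; plain -o name=value only."""
    return {"/".join(line.split()[:2]): dict(re.findall(r"-o\s+(\w+)=(\S*)", line))
            for line in logical_lines(text)}

def effective(main, master, service, param):
    """Override wins, else main.cf; None means Postfix's built-in default applies."""
    return master[service].get(param, main.get(param))

if __name__ == "__main__":
    main, master = parse_main(MAIN_CF), parse_master(MASTER_CF)
    print({s: effective(main, master, s, "smtpd_helo_restrictions") for s in master})
```

On a live system, `postconf -n` and `postconf -P` print these same two layers from the real files.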