smtpd_helo_restrictions = …, reject_unknown_helo_hostname occasionally rejects mail I care about, how to handle?

lkraav asked:

I have configured my postfix as follows:

smtpd_helo_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_helo_hostname

This is working well because most spambots don’t seem to have correct reverse lookups. But every once in a while I run into mail I care about getting reject, because the mail source server admin doesn’t care about configuring his server correctly.

For example here the server introduces itself as “srv1.xbmc.org” which has no DNS record and fails my basic check.

Jan  6 04:42:36 mail postfix/smtpd[660]: connect from xbmc.org[205.251.128.242]
Jan  6 04:42:37 mail postfix/smtpd[660]: NOQUEUE: reject: RCPT from xbmc.org[205.251.128.242]: 450 4.7.1 <srv1.xbmc.org>: Helo command rejected: Host not found; from=<www-data@xbmc.org> to=<leho@domain.com> proto=ESMTP helo=<srv1.xbmc.org>

I have tried to contact the server admin several times, but there is no response. What is the optimal way to handle this from my side? Is adding these “special” hosts to mynetworks = my only option? Is perhaps my whole smtpd_helo_restrictions setup wrong in some significant way?

My answer:


As you noted, there is no forward DNS entry for the hostname given by the remote mail server.

$ host srv1.xbmc.org
Host srv1.xbmc.org not found: 3(NXDOMAIN)

This isn’t a significant problem, as these often are internal hostnames with no meaning on the public Internet.

For a complete list of things I do check for, see this answer on spam prevention. On my public mail servers, I never use reject_unknown_helo_hostname even though it’s listed as a recommendation there (another user added it).


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.