helo command rejected

Discussion in 'General' started by nhybgtvfr, Dec 7, 2020.

  1. nhybgtvfr

    nhybgtvfr Active Member

    this is pretty much pure postfix rather than ispconfig. but since the server is configured with whatever default settings ispconfig puts in main.cf, i figured i'd ask here.
    we have a mail client, whose externally hosted site also uses another provider to manage bookings, which sends mail to the client, i'm not sure what domain it's trying to send those mails as, the 3rd party providers own domain or the clients domain.
    but it's using mandrill#.secure-booking-email.net for the helo command when connecting to our server, where the # can be any number.
    our mail server is running on ispconfig3.2.1, so it's running all the helo verification checks:

    smtpd_helo_required = yes
    smtpd_helo_restrictions = reject_invalid_helo_hostname, permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, check_helo_access regexp:/e
    tc/postfix/blacklist_helo, ,reject_unknown_helo_hostname, permit
    running nslookup, or dig -x, directly on the mailserver that's rejecting these connections, the mandrill hosts appear to have valid PTR records, but no valid A record.

    the client has contacted them, and they're blaming my servers. stating:

    which is just plain weird considering it's their server trying to connect to ours. so their the ones supposed to be providing the HELO greeting.

    these are important emails for the client, so he needs them working asap, and it looks like it's going to take a while to resolve.
    in the meantime i thought i'd try adding the hosts into helo_access and try to whitelist them
    anyway, i've tried adding the hostname(s) to the helo_access file, but that doesn't seem to work either. i've found answers saying to use ACCEPT, PERMIT, or OK, so i have no idea which one is correct, or if any will work.

    i've put 3 entries in helo_access, using /^mandrill*\.secure-booking-email\.net$/ and ending in OK, PERMIT, and ACCEPT. and it still gets rejected. how can i allow servers using this helo domain to connect without opening up helo to every misconfigured server out there?
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Use DUNNO as the response, I think OK may be ignored there because it's easily spoofable and bypasses lots of other checks.
  3. nhybgtvfr

    nhybgtvfr Active Member

    i changed (simplified) the regex, just using '/(.*)\.secure-booking-email\.net$/ OK' now as i don't know how many mandrill## servers they have. i tried it with DUNNO, but it was still getting rejected, with OK it still gives warnings that the hostname doesn't resolve to the address it's connecting from, but the mail is at least making it through.

    would still be nicer if the sending org would sort out their configuration though... :mad:

Share This Page