Correct FQDN Setting

smtpwindows-server-2008

I can see from SMTP logs that some mail is being rejected

OutboundConnectionResponse SMTPSVC1 Sxxx – 25 – –
504+:+Helo+command+rejected:+need+fully-qualified+hostname 0 0
69 0 47 SMTP

In IIS6 > SMTP > Delivery > Advanced
I can see that the FQDN is set to the server name 'Sxxx'

This server hosts lots of different websites on different domains so I am not sure what this FQDN actually refers to? The server has no domain name of it's own, just IP addresses. The websites all have different domain names, so which one to choose.

As SMTP (AFAIK) just shunts out messages it has no real 'identity' itself: it's just given an email, looks at the recipient domain, finds the associated mx record and server and tries to pass the file/email to that server. Is my understanding here correct? If so, what should I do to provide a FQDN.

EDIT: just realised that the websites that send emails specify an actual external mail server, not localhost, so presumably they connect to the local SMTP service which passes the mail onto the specified external mail server (or does it bypass the local SMTP server completely and connect directly to the external mail server?) and it is that which actually sends the mail to the recipient (I'm missing some fundamental concepts here, I know) – so maybe the SMTP FQDN should be that of the external mail server?

Best Answer

The FQDN value found under Delivery -> Advanced in the SMTP server properties is the domain name that the SMTP Server uses when it has to identify itself to other mail servers.

Most receiving MTA's will try to validate this identity by performing a reverse DNS lookup for the IP address of your sending server, so make sure the FQDN you input is also present in the PTR record for the public IP address of your server:

If you use the FQDN mailserver01.neilthompson.tld and your IP address is 1.2.3.4, make sure that the PTR record at 4.3.2.1.in-addr.arpa has a value of mailserver01.neilthompson.tld. Your ISP should be able to help you with this if you don't have authority of your own reverse zones

Related Solutions

Linux – How to correct Postfix’ ‘Relay Access Denied’

TLS just enables encryption on the smtp session and doesn't directly affect whether or not Postfix will be allowed to relay a message.

The relaying denied message occurs because the smtpd_recipient_restrictions rules was not matched. One of those conditions must be fulfilled to allow the message to go through:

smtpd_recipient_restrictions =
    permit_sasl_authenticated
    check_recipient_access hash:/etc/postfix/filtered_domains
    permit_mynetworks
    reject_unauth_destination

To explain those rules:

permit_sasl_authenticated

permits authenticated senders through SASL. This will be necessary to authenticate users outside of your network which are normally blocked.

check_recipient_access

This will cause postfix to look in /etc/postfix/filtered_domains for rules based on the recipient address. (Judging by the file name on the file name, it is probably just blocking specific domains... Check to see if gmail.com is listed in there?)

permit_mynetworks

This will permit hosts by IP address that match IP ranges specified in $mynetworks. In the main.cf you posted, $mynetworks was set to 127.0.0.1, so it will only relay emails generated by the server itself.

Based on that configuration, your mail client will need to use SMTP Authentication before being allowed to relay messages. I'm not sure what database SASL is using. That is specified in /usr/lib/sasl2/smtpd.conf Presumably it also uses the same database as your virtual mailboxes, so you should be able enable SMTP authentication in your mail client and be all set.

550 Invalid HELO/EHLO must contain a FQDN or IPv6

If the FQDN of the server itself is something to the effect of "server.domain.local" (meaning it's only valid on your internal network), and the receiving server performs a rDNS or SPF check against the incoming email, it may continue to block the email. The way to overcome this is to set the outgoing FQDN on your server in the properties of the SMTP virtual server to something that is going to be valid externally, such as "mail.domain.com". Make sure to set up a rDNS and SPF record as well as an A record for this server in your external DNS forward and lookup zones (you will need to get your ISP to set up the rDNS record for you).

Best Answer

Related Solutions

Linux – How to correct Postfix’ ‘Relay Access Denied’

550 Invalid HELO/EHLO must contain a FQDN or IPv6

Related Topic