Postfix: Recipient address rejected: Invalid HELO/EHLO

email-serveroutlookoutlook-2007postfix

The problem seems to be the MS Outlook 2007 not sending SMTP AUTH for some strange reason for only one specific domain.

I run iRedMail server (it's using stock debian 7/wheezy, postfix 2.9.6-2) for my domain and few dozens of client domains.
The problem is I have a client unable to send email to myself (not just my email but the whole domain) – it gets rejected due reject_non_fqdn_helo_hostname but the client is using SMTP AUTH and has it correctly set, so it should bypass the FQDN check. It just looks like the MUA is not using SMTP AUTH only for my and my coleaques email addresses.

Has anyone seen this before? How can I workaround this problem? Any input is highly appreciated!

Could it be it's connected to MUA? She is using Outlook (not Express)?

Have a look on following snips of logs showing different situations. All was catched in the same configuration/same MUA/IP's, …:

1) this is OK: My client sends email to third party server; using SMTP AUTH

May 28 13:02:13 email2 postfix/smtpd[1191]: connect from <censored>
May 28 13:02:13 email2 postfix/smtpd[1191]: 28A5D35E61DC: client=<censored>, sasl_method=LOGIN, sasl_username=<client1@1.example.com>
May 28 13:02:26 email2 postfix/cleanup[1435]: 28A5D35E61DC: message-id=<006c01ce5b92$d33805e0$79a811a0$@cz>
May 28 13:02:44 email2 postfix/qmgr[376]: 28A5D35E61DC: from=<client1@1.example.com>, size=4392922, nrcpt=7 (queue active)
May 28 13:02:44 email2 postfix/smtp[1580]: 28A5D35E61DC: to=<someone@thirdparty.example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=32, delays=31/0/0/0.88, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B061435E61DE)
May 28 13:02:47 email2 postfix/qmgr[376]: 28A5D35E61DC: removed

2) this is OK:
My client sends email to local account (hers coleque); she is using SMTP AUTH

May 28 13:06:18 email2 postfix/smtpd[2519]: connect from <censored>
May 28 13:06:18 email2 postfix/smtpd[2519]: 49CE735E61D4: client=<censored>, sasl_method=LOGIN, sasl_username=<client1@1.example.com>
May 28 13:06:18 email2 postfix/cleanup[429]: 49CE735E61D4: message-id=<007201ce5b93$5df069c0$19d13d40$@cz>
May 28 13:06:19 email2 postfix/qmgr[376]: 49CE735E61D4: from=<client1@1.example.com>, size=10875, nrcpt=1 (queue active)
May 28 13:06:19 email2 postfix/smtp[2295]: 49CE735E61D4: to=<client2@1.example.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=1.6, delays=1.2/0/0/0.43, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as CC61F35E61D7)
May 28 13:06:19 email2 postfix/qmgr[376]: 49CE735E61D4: removed

3) problem, email sent to my account (same server, but different domain), NOT using SMTP AUTH???:

May 28 13:04:38 email2 postfix/smtpd[1433]: connect from <censored>
May 28 13:04:38 email2 postfix/smtpd[1433]: NOQUEUE: reject: RCPT from <censored>: 554 5.7.1 <my_email>>: Recipient address rejected: Invalid HELO/EHLO; Must be a FQDN or an address literal, not 'xxx'; from=<client1@1.example.com> to=<my_address> proto=ESMTP helo=
May 28 13:04:41 email2 postfix/smtpd[1433]: disconnect from <censored>

Part of postfix configuration:

smtpd_sender_restrictions = permit_mynetworks,
                            reject_authenticated_sender_login_mismatch,
                            permit_sasl_authenticated
smtpd_recipient_restrictions = reject_unknown_sender_domain,
                               reject_unknown_recipient_domain,
                               reject_non_fqdn_sender,
                               reject_non_fqdn_recipient,
                               reject_unlisted_recipient,
                               check_policy_service inet:127.0.0.1:7777,
                               check_policy_service inet:127.0.0.1:10031,
                               permit_mynetworks,
                               permit_sasl_authenticated,
                               reject_unauth_destination
smtpd_helo_restrictions = permit_mynetworks,
                          permit_sasl_authenticated,
                          reject_non_fqdn_helo_hostname,
                          reject_invalid_helo_hostname,
                          check_helo_access pcre:/etc/postfix/helo_access.pcre

See output of postconf and cat main.cfg

Best Answer

HELO/EHLO happens before the SMTP authentication. If your server is configured with reject_non_fqdn_helo_hostname = yes, it will reject any connection with an invalid hostname before getting to the SMTP AUTH part.

While keeping this rejection will cut down on some spam, it will also block a number of legitimate mails. You should take a closer look at tthe Postfix documentation for reject_invalid_helo_hostname and smtp_helo_restrictions to figure out how you want this to work.

Related Topic