Why does postfix say ‘Helo command rejected: Host not found’ when dig finds the host


So I see the following error Helo command rejected: Host not found; in /var/log/syslog, but when I do forward and reverse lookups on the host in question, the DNS records appear reasonable. The mail server in question, endor, seems to otherwise be receiving mail just fine.

Why is Postfix saying this (and bonus second question, is there a setting I should change to fix it)?

Email addresses changed for privacy:

Jul 20 23:35:20 endor postfix/smtpd[1503]: NOQUEUE: reject: RCPT from
bdmrob01-2.metavante.com[206.71.18.21]: 450 4.7.1
<bdmrob02.metavante.com>: Helo command rejected: Host not found;
from=<bbankingonline@mybank.com>
to=<myemail@fqdn.org> proto=ESMTP
helo=<bdmrob02.metavante.com>

But DNS looks ok:

endor% dig bdmrob01-2.metavante.com

; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> bdmrob01-2.metavante.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32487
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;bdmrob01-2.metavante.com.  IN  A

;; ANSWER SECTION:
bdmrob01-2.metavante.com. 600   IN  A   206.71.18.21

endor% dig -x 206.71.18.21

; <<>> DiG 9.11.3-1ubuntu1.1-Ubuntu <<>> -x 206.71.18.21
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40586
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;21.18.71.206.in-addr.arpa. IN  PTR

;; ANSWER SECTION:
21.18.71.206.in-addr.arpa. 600  IN  PTR bdmrob01-2.metavante.com.

I should mention, main.cf says:

smtpd_helo_restrictions = reject_non_fqdn_helo_hostname,reject_invalid_helo_hostname,reject_unknown_helo_hostname

Best Answer

The answer was staring us in the face the whole time.

Postfix is looking for the A and PTR records for the host greeting it with HELO. Or, more precisely, the host that the host says it is in its HELO message. Let's break it down:

Jul 20 23:35:20 endor postfix/smtpd[1503]: NOQUEUE: reject: RCPT from
bdmrob01-2.metavante.com[206.71.18.21]:

A host named bdmrob01-2.metavante.com that resolves to the IP address 206.71.18.21 makes a TCP connection to your mail server.

So you checked the IP address for an A record:

endor% dig bdmrob01-2.metavante.com
[...]
;; ANSWER SECTION:
bdmrob01-2.metavante.com. 600   IN  A   206.71.18.21

And then you checked it for a PTR record:

endor% dig -x 206.71.18.21
;; ANSWER SECTION:
21.18.71.206.in-addr.arpa. 600  IN  PTR bdmrob01-2.metavante.com.

That all looks good. So what's the problem? The host that connected was certainly identified by the above hostname and IP address, but it didn't say that's who it was. It said:

helo=<bdmrob02.metavante.com>

That host has an A record:

$ dig a bdmrob02.metavante.com
[...]
;; ANSWER SECTION:
bdmrob02.metavante.com. 0   IN  A   92.242.140.2

BUT, its IP address has no PTR record:

$ dig -x 92.242.140.2
[...]
;; ANSWER SECTION:
2.140.242.92.in-addr.arpa. 84155 IN PTR unallocated.barefruit.co.uk.

This is a problem on their end. Until then you'll have to either live with it, or change your postfix server to not bother with forward and reverse lookups on HELO commands.
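
As an added example (not part of the original question or answer), this Python sketch pulls the connecting client's name and the helo= name out of Postfix HELO reject lines like the one above and flags the ones where they differ, so the DNS lookups get pointed at the name the client announced. The function names and the second and third sample log lines are constructed for illustration.

```python
import re

# Constructed sample log. Line 1 is the reject from the question, re-joined
# onto one line; lines 2 and 3 are made up for contrast.
SAMPLE_LOG = [
    "Jul 20 23:35:20 endor postfix/smtpd[1503]: NOQUEUE: reject: RCPT from "
    "bdmrob01-2.metavante.com[206.71.18.21]: 450 4.7.1 "
    "<bdmrob02.metavante.com>: Helo command rejected: Host not found; "
    "from=<bbankingonline@mybank.com> to=<myemail@fqdn.org> proto=ESMTP "
    "helo=<bdmrob02.metavante.com>",
    "Jul 20 23:40:02 endor postfix/smtpd[1510]: NOQUEUE: reject: RCPT from "
    "mail.example.net[192.0.2.10]: 450 4.7.1 <mail.example.net>: Helo command "
    "rejected: Host not found; from=<a@example.net> to=<myemail@fqdn.org> "
    "proto=ESMTP helo=<mail.example.net>",
    "Jul 20 23:41:11 endor postfix/smtpd[1511]: connect from "
    "mail.example.org[192.0.2.20]",
]

REJECT_RE = re.compile(
    r"reject: \S+ from (?P<client>[^\[\s]+)\[(?P<ip>[^\]]+)\]: "
    r"(?P<code>\d{3}) (?P<dsn>\d\.\d+\.\d+) <[^>]*>: "
    r"(?P<reason>Helo command rejected: [^;]+);.*?helo=<(?P<helo>[^>]*)>"
)

def _norm(host):
    # Hostnames compare case-insensitively; ignore a trailing root dot.
    return host.rstrip(".").lower()

def parse_helo_reject(line):
    """Return the fields of a HELO reject line, or None for any other line."""
    m = REJECT_RE.search(" ".join(line.split()))  # undo line wrapping
    if m is None:
        return None
    fields = m.groupdict()
    # True when the announced HELO name is not the name Postfix logged for
    # the connecting IP; the HELO restriction judged the announced name.
    fields["mismatch"] = _norm(fields["helo"]) != _norm(fields["client"])
    return fields

def helo_rejects(lines):
    """Parse every HELO reject in an iterable of log lines."""
    return [f for f in map(parse_helo_reject, lines) if f is not None]

if __name__ == "__main__":
    for f in helo_rejects(SAMPLE_LOG):
        note = "HELO differs from client" if f["mismatch"] else "HELO equals client"
        print(f'{f["ip"]} client={f["client"]} helo={f["helo"]} ({note})')
        print(f'  look up: dig {f["helo"]}')
```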
