Hi,

I'm running our local school's mail server on CentOS 7, Postfix and
Dovecot. We get quite a lot of spam, so I have the following sender
restrictions in my /etc/postfix/main.cf:

--8<------------------------------------------------------
# Restrictions SMTP
smtpd_helo_restrictions = reject_unknown_helo_hostname
smtpd_sender_restrictions = reject_unknown_sender_domain,
  check_sender_access hash:/etc/postfix/sender_access
smtpd_recipient_restrictions = permit_mynetworks,
  permit_sasl_authenticated,
  reject_rbl_client zen.spamhaus.org,
  reject_rhsbl_reverse_client dbl.spamhaus.org,
  reject_rhsbl_helo dbl.spamhaus.org,
  reject_rhsbl_sender dbl.spamhaus.org
smtpd_relay_restrictions = permit_mynetworks,
  permit_sasl_authenticated,
  reject_unauth_destination
smtpd_data_restrictions = reject_unauth_pipelining
--8<------------------------------------------------------

Most folks are using Thunderbird on Linux, and everything works
perfectly. One single user has a MacBook Air with Thunderbird on Mac OS
Mojave, and her outgoing mails are rejected with the following error
message in /var/log/maillog on the server:

--8<------------------------------------------------------
Sep 16 14:22:32 sd-48011 postfix/smtps/smtpd[14434]: NOQUEUE: reject:
RCPT from villa.figaret.pck.nerim.net[62.212.106.47]: 450 4.7.1
<Air-de-bea.scholae.lan>: Helo command rejected: Host not found;
from=<xxxxx.yyyyyyyy at scholae.fr> to=<info at microlinux.fr> proto=ESMTP
helo=<Air-de-bea.scholae.lan>
--8<------------------------------------------------------

As far as I understand, it has to do with this MacBook's host
configuration.

Any suggestions?

Cheers from the sunny South of France,

Niki Kovacs
--
Microlinux - Solutions informatiques durables
7, place de l'Église - 30730 Montpezat
Site : https://www.microlinux.fr
Mail : info at microlinux.fr
Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12

Nicolas Kovacs writes:

> Hi,
>
> I'm running our local school's mail server on CentOS 7, Postfix and
> Dovecot. We get quite a lot of spam, so I have the following sender
> restrictions in my /etc/postfix/main.cf:
>
> --8<------------------------------------------------------
> # Restrictions SMTP
> smtpd_helo_restrictions = reject_unknown_helo_hostname
> smtpd_sender_restrictions = reject_unknown_sender_domain,
>   check_sender_access hash:/etc/postfix/sender_access
> smtpd_recipient_restrictions = permit_mynetworks,
>   permit_sasl_authenticated,
>   reject_rbl_client zen.spamhaus.org,
>   reject_rhsbl_reverse_client dbl.spamhaus.org,
>   reject_rhsbl_helo dbl.spamhaus.org,
>   reject_rhsbl_sender dbl.spamhaus.org
> smtpd_relay_restrictions = permit_mynetworks,
>   permit_sasl_authenticated,
>   reject_unauth_destination
> smtpd_data_restrictions = reject_unauth_pipelining
> --8<------------------------------------------------------
>
> Most folks are using Thunderbird on Linux, and everything works
> perfectly. One single user has a MacBook Air with Thunderbird on Mac OS
> Mojave, and her outgoing mails are rejected with the following error
> message in /var/log/maillog on the server:
>
> --8<------------------------------------------------------
> Sep 16 14:22:32 sd-48011 postfix/smtps/smtpd[14434]: NOQUEUE: reject:
> RCPT from villa.figaret.pck.nerim.net[62.212.106.47]: 450 4.7.1
> <Air-de-bea.scholae.lan>: Helo command rejected: Host not found;
> from=<xxxxx.yyyyyyyy at scholae.fr> to=<info at microlinux.fr> proto=ESMTP
> helo=<Air-de-bea.scholae.lan>
> --8<------------------------------------------------------
>
> As far as I understand, it has to do with this MacBook's host
> configuration.

http://www.postfix.org/postconf.5.html#reject_unknown_helo_hostname

reject_unknown_helo_hostname (with Postfix < 2.3: reject_unknown_hostname)
Reject the request when the HELO or EHLO hostname has no DNS A or MX record.
The reply is specified with the unknown_hostname_reject_code parameter (default: 450) or unknown_helo_hostname_tempfail_action (default: defer_if_permit). See the respective parameter descriptions for details. Note: specify "smtpd_helo_required = yes" to fully enforce this restriction (without "smtpd_helo_required = yes", a client can simply skip reject_unknown_helo_hostname by not sending HELO or EHLO).

Hi,

the main problem is that the MacBook obviously presents an illegal host name to the mail server, which in turn rejects accepting mail to be submitted from it because of 'reject_unknown_helo_hostname'. With your 'smtpd_helo_restrictions', Postfix handles submissions from clients as it would handle mail from external mail servers, and so the wrong host name gets mail to be rejected. The mail submission doesn't even get to the point where 'smtpd_recipient_restrictions' are checked (which would allow senders from 'mynetworks') because 'smtpd_helo_restrictions' hits first.

One way to fix that would be to put 'permit_mynetworks' into 'smtpd_helo_restrictions' (and of course provide proper settings for 'mynetworks') so the invalid host name is ignored for local networks.

If you want to fix the client instead (which I would recommend in any case), 'scholae.lan' could be a domain the mail server cannot resolve (as seen from your log, your domain is 'scholae.fr'), and so the host name is rejected. Even if the domain were resolvable, there is in all likelihood no DNS entry for 'Air-de-bea', so the name is technically invalid as far as Postfix is concerned.

The main question is where it got that host name from - most likely a mis-configuration on the device itself, or on the DHCP server it uses to get its network configuration from.

If it's not the DHCP server, have a look at the 'Sharing' system configuration on the Mac. On top of that panel there is a field to configure the simple host name (in this case it's probably "Air-de-bea"), and below that there's an 'Edit' button that you can use to specify an alternate name and an FQDN. If 'Use dynamic global hostname' is checked, the Mac will use the hostname configured there - this might well be set to 'Air-de-bea.scholae.lan'.

If it's DHCP where the host name gets its name from, you'll need to have that fixed - either provide dynamic DNS updates, or assign a properly registered host name to the Mac.

Cheers,

  Pete.

On 19/09/19 8:43 PM, Nicolas Kovacs wrote:
> smtpd_helo_restrictions = reject_unknown_helo_hostname
...
> One single user has a MacBook Air with Thunderbird on Mac OS
> Mojave, and her outgoing mails are rejected with the following error
> message in /var/log/maillog on the server:
>
> Sep 16 14:22:32 sd-48011 postfix/smtps/smtpd[14434]: NOQUEUE: reject:
> RCPT from villa.figaret.pck.nerim.net[62.212.106.47]: 450 4.7.1
> <Air-de-bea.scholae.lan>: Helo command rejected: Host not found;
> from=<xxxxx.yyyyyyyy at scholae.fr> to=<info at microlinux.fr> proto=ESMTP
> helo=<Air-de-bea.scholae.lan>

reject_unknown_helo_hostname is not intended to be used for submission connections. The thing is that email clients will connect with all sorts of crazy hostnames, and they generally have no way of knowing if the hostname they are claiming has any conformity with the actual hostname presented publicly from the computer, or indeed if there even is one at all. If someone is authenticating with SASL auth then they really shouldn't need to be subjected to these additional tests anyways.

You should separate your MX connections (port 25) from your submission connections (port 587 or submissions on port 465). It becomes much easier to resolve issues like this if you don't have to worry about MXes and MUAs connecting on the same ports to the same services. Then you can write separate smtpd_*_restrictions in master.cf for submission and submissions that don't include things such as reject_unknown_helo_hostname.

Peter
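
Added example (not part of Peter's message or of any poster's configuration): the MX/submission split described above, written as Postfix configuration. The service lines follow the stock master.cf layout; the chroot column value and the restriction lists on the submission services are assumptions to adapt to the local setup.

```conf
# /etc/postfix/main.cf
# These settings apply to every smtpd service that does not override them,
# i.e. the port 25 (MX) listener below.
smtpd_helo_required = yes
smtpd_helo_restrictions = reject_unknown_helo_hostname

# /etc/postfix/master.cf
# service  type  private unpriv  chroot  wakeup  maxproc command + args

# Port 25: server-to-server mail, HELO check from main.cf stays in force.
smtp       inet  n       -       n       -       -       smtpd

# Port 587: authenticated client submission (STARTTLS required).
submission inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  # Empty value: the HELO name sent by a mail client is not checked here.
  -o smtpd_helo_restrictions=
  # Only SASL-authenticated senders may submit; everything else is rejected.
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

# Port 465: same policy over implicit TLS. The "postfix/smtps" tag is the
# one visible in the rejected log line quoted in the thread.
smtps      inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_helo_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

# Validate and apply:
#   postfix check && postfix reload
```

Values given with -o must not contain spaces, which is why the restriction lists are comma-separated without whitespace.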