On Mon, Aug 14, 2017 at 10:41:05PM +0000, Kevin Miller wrote:
> smtpd_helo_restrictions = permit_mynetworks
> reject_non_fqdn_helo_hostname
> reject_invalid_helo_hostname
This would be a complete solution, but ...
> smtpd_recipient_restrictions = permit_inet_interfaces
> permit_sasl_authenticated
> reject_unknown_sender_domain
> reject_non_fqdn_sender
> reject_non_fqdn_recipient
> reject_unauth_pipelining
> reject_invalid_hostname
> reject_non_fqdn_hostname
> ...
>From the postconf(5) manpage:
reject_non_fqdn_helo_hostname (with Postfix < 2.3:
reject_non_fqdn_hostname)
Reject the request when the HELO or EHLO hostname is not in
fully-qualified domain or address literal form, as required by
the RFC. Note: specify "smtpd_helo_required = yes" to fully
enforce this restriction (without "smtpd_helo_required = yes", a
client can simply skip reject_non_fqdn_helo_hostname by not
sending HELO or EHLO).
The non_fqdn_reject_code parameter specifies the response code
for rejected requests (default: 504).
The legacy "reject_non_fqdn_hostname" is a synonym for the now preferred
(less confusing) reject_non_fqdn_helo_hostname. Remove this from the
recipient restrictions, as you already have it it helo restrictions.
--
Viktor.
