Re: Helo command rejected: need fully-qualified hostname; 504 5.5.2

2015-10-13 Thread Noel Jones
On 10/13/2015 1:01 AM, Christian Kivalo wrote:
> Hi,
> 
> On 2015-10-13 05:22, Richard B. Pyne wrote:
>> I am running postfix 2.10.1, dovecot 2.2.10, with postfixadmin and
>> maia mailguard.
>>
>> I am trying to figure out how to disable the HELO/EHLO
>> reject_non_fqdn_hostname on the submission port since many (most)
>> desktop and laptop clients don't send it.
>>
>> I want to keep the restriction on port 25
>>
>> Thanks.
>>
>> --Richard
> 
> [...]
> 
>> master.cf
>>
>> smtp  inet  n   -   n   -   -   smtpd
>> #
>> submission inet n   -   n   -   -   smtpd
>>   -o syslog_name=postfix/submission
>>   -o smtpd_tls_security_level=encrypt
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
> 
> add
> -o smtpd_helo_restrictions=permit_mynetworks,reject_invalid_hostname,permit
> 
> to the submission port settings...

Almost, but not quite.  This would allow bogus hostnames in
mynetworks, but not from authenticated clients.

For submission (and smtps) it's generally better to disable all
restrictions other than authentication.

add to the submission (and smtps) master.cf entries:
  -o smtpd_client_restrictions=
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
  -o smtpd_data_restrictions=
  -o smtpd_end_of_data_restrictions=
# next line for postfix 2.10 or newer
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject


It's also now common practice to disable AUTH on port 25 and require
your users to use submission.  This helps to separate services and
makes it easier to use different restrictions for the different
purposes.



> 
>> #
>> smtps inet  n   -   n   -   -   smtpd
>>   -o syslog_name=postfix/smtps
>>   -o smtpd_tls_wrappermode=yes
>>   -o smtpd_sasl_auth_enable=yes
>>   -o smtpd_helo_restrictions=permit_mynetworks,reject_invalid_hostname,permit
>>
>>   -o smtpd_client_restrictions=permit_sasl_authenticated,reject
>>   -o milter_macro_daemon_name=ORIGINATING
>> #
> 
> ...as are set on port 465. That removes/overrides the setting from
> main.cf.
> 
> regards
> christian
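As an added example (not code from the thread or from Postfix), the script below models the two rules both replies rely on: a master.cf `-o name=value` line overrides the main.cf value for that service only (an empty value disables the restriction list), and a restriction list is walked left to right until a permit_* or reject_* rule decides. The main.cf value is taken from the original poster's `postconf -n`; the `mynetworks` value, the master.cf fragment and the client names are constructed for the example, and the two regexes are a simplified stand-in for Postfix's own hostname syntax checks, not its implementation.

```python
"""Per-service HELO restriction audit for Postfix master.cf / main.cf.

Added example, not code from the thread. Shows why a per-service override
in master.cf changes the outcome on submission/smtps while port 25 keeps the
main.cf restrictions, and why permit_mynetworks alone does not cover an
authenticated laptop connecting from outside the local network.
"""
import ipaddress
import re

# main.cf values: smtpd_helo_restrictions is the original poster's setting;
# mynetworks is not shown in the thread, so the loopback default is assumed.
MAIN_CF = {
    "smtpd_helo_restrictions":
        "permit_mynetworks,reject_non_fqdn_hostname,reject_invalid_hostname,permit",
    "mynetworks": "127.0.0.0/8",
}

# Constructed master.cf fragment: port 25 inherits main.cf, submission carries
# the list suggested in the thread, smtps disables HELO checks entirely.
MASTER_CF = """\
smtp       inet  n  -  n  -  -  smtpd
submission inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_helo_restrictions=permit_mynetworks,reject_invalid_hostname,permit
smtps      inet  n  -  n  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_helo_restrictions=
"""

# Simplified label syntax: alphanumerics and hyphens; an FQDN has 2+ labels.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}\.?$")
# Syntactically valid HELO argument: a dotted name or a bracketed address literal.
VALID_RE = re.compile(rf"^(?:\[[0-9A-Fa-f.:]+\]|{LABEL}(?:\.{LABEL})*)$")


def parse_master_cf(text):
    """Return {service: {"command": str, "overrides": {param: value}}}."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] not in " \t":                  # service definition line
            fields = line.split()
            current = fields[0]
            services[current] = {"command": fields[-1], "overrides": {}}
        elif current and line.strip().startswith("-o"):
            key, _, value = line.strip()[2:].strip().partition("=")
            services[current]["overrides"][key] = value
    return services


def effective(services, name, param):
    """A master.cf -o value wins; without one the main.cf value applies."""
    overrides = services[name]["overrides"]
    return overrides[param] if param in overrides else MAIN_CF.get(param, "")


def in_mynetworks(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n.strip(), strict=False)
               for n in MAIN_CF["mynetworks"].split(","))


def evaluate(restrictions, client):
    """Walk a comma-separated restriction list; the first decisive rule wins.

    client: {"ip", "helo", "sasl_authenticated"}. An empty or exhausted list
    permits, which is also the Postfix default.
    """
    helo = client["helo"]
    for rule in (r.strip() for r in restrictions.split(",") if r.strip()):
        if rule == "permit":
            return "PERMIT"
        if rule == "reject":
            return "REJECT"
        if rule == "permit_mynetworks" and in_mynetworks(client["ip"]):
            return "PERMIT permit_mynetworks"
        if rule == "permit_sasl_authenticated" and client["sasl_authenticated"]:
            return "PERMIT permit_sasl_authenticated"
        if rule == "reject_non_fqdn_hostname" and not FQDN_RE.match(helo):
            return "REJECT 504 5.5.2 need fully-qualified hostname"
        if rule == "reject_invalid_hostname" and not VALID_RE.match(helo):
            return "REJECT invalid hostname"
    return "PERMIT"


def audit(services, client):
    """Outcome of the client's HELO/EHLO on every smtpd service."""
    return {name: evaluate(effective(services, name, "smtpd_helo_restrictions"), client)
            for name, svc in services.items() if svc["command"] == "smtpd"}


if __name__ == "__main__":
    svcs = parse_master_cf(MASTER_CF)
    # Constructed clients: an authenticated laptop on a remote network sending
    # a bare machine name, and the same laptop sending a syntactically bad one.
    laptop = {"ip": "203.0.113.5", "helo": "LAPTOP", "sasl_authenticated": True}
    bogus = dict(laptop, helo="Richard's PC")
    for label, c in (("bare name", laptop), ("bogus name", bogus)):
        print(label, audit(svcs, c))
```

Running it shows the distinction Noel draws: with the `permit_mynetworks,reject_invalid_hostname,permit` list on submission, the remote authenticated laptop passes with a bare name but is still rejected when its HELO is not valid syntax, because `permit_mynetworks` never matches an address outside `mynetworks`; with the list emptied, as his reply recommends, the service accepts whatever the authenticated client sends, while port 25 still returns the 504 from main.cf.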



Re: Helo command rejected: need fully-qualified hostname; 504 5.5.2

2015-10-13 Thread Christian Kivalo

Hi,

On 2015-10-13 05:22, Richard B. Pyne wrote:

I am running postfix 2.10.1, dovecot 2.2.10, with postfixadmin and
maia mailguard.

I am trying to figure out how to disable the HELO/EHLO
reject_non_fqdn_hostname on the submission port since many (most)
desktop and laptop clients don't send it.

I want to keep the restriction on port 25

Thanks.

--Richard


[...]


master.cf

smtp  inet  n   -   n   -   -   smtpd
#
submission inet n   -   n   -   -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject


add
   -o smtpd_helo_restrictions=permit_mynetworks,reject_invalid_hostname,permit

to the submission port settings...


#
smtps inet  n   -   n   -   -   smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_helo_restrictions=permit_mynetworks,reject_invalid_hostname,permit

  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#


...as are set on port 465. That removes/overrides the setting from 
main.cf.


regards
christian


Helo command rejected: need fully-qualified hostname; 504 5.5.2

2015-10-12 Thread Richard B. Pyne
I am running postfix 2.10.1, dovecot 2.2.10, with postfixadmin and maia 
mailguard.


I am trying to figure out how to disable the HELO/EHLO 
reject_non_fqdn_hostname on the submission port since many (most) 
desktop and laptop clients don't send it.


I want to keep the restriction on port 25

Thanks.

--Richard

postconf -nf
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = scan:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
debug_peer_level = 2
debugger_command = PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin ddd
$daemon_directory/$process_name $process_id & sleep 5
disable_vrfy_command = yes
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
milter_default_action = accept
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = shopsite.com
myhostname = cloudmail.shopsite.com
myorigin = $myhostname
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.10.1/README_FILES
receive_override_options = no_address_mappings
sample_directory = /usr/share/doc/postfix-2.10.1/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_delay_reject = yes
smtpd_error_sleep_time = 1s
smtpd_hard_error_limit = 20
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks,reject_non_fqdn_hostname,reject_invalid_hostname,permit
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks,
check_policy_service unix:postgrey/socket, reject_invalid_hostname,
reject_non_fqdn_hostname, reject_unauth_destination, reject_rbl_client
list.dsbl.org, reject_rbl_client sbl.spamhaus.org, reject_rbl_client
cbl.abuseat.org, reject_rbl_client dul.dnsbl.sorbs.net, permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_soft_error_limit = 10
smtpd_tls_CAfile = /etc/pki/tls/cert.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/pki/tls/certs/cloudmail.shopsite.com.crt
smtpd_tls_key_file = /etc/pki/tls/private/cloudmail.shopsite.com.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps = mysql:/etc/postfix/sql/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:12
virtual_mailbox_base = /var/spool/virtual
virtual_mailbox_domains = mysql:/etc/postfix/sql/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 5120
virtual_mailbox_maps = mysql:/etc/postfix/sql/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 8
virtual_transport = virtual
virtual_uid_maps = static:8
postconf: warning: /etc/postfix/main.cf: unused parameter: 
virtual_mailbox_limit_maps=mysql:/etc/postfix/sql/mysql_virtual_mailbox_limit_maps.cf
postconf: warning: /etc/postfix/main.cf: unused parameter: 
virtual_maildir_limit_message=Sorry, Your maildir has overdrawn your 
diskspace quota, please free some space of your mailbox and try again.
postconf: warning: /etc/postfix/main.cf: unused parameter: 
virtual_mailbox_limit_override=yes
postconf: warning: /etc/postfix/main.cf: unused parameter: 
virtual_overquota_bounce=yes
postconf: warning: /etc/postfix/main.cf: unused parameter: 
virtual_create_maildirsize=yes
postconf: warning: /etc/postfix/main.cf: unused parameter: 
smptd_tls_session_cache_database=btree:/var/spool/postfix/smtpd_tls_cache
postconf: warning: /etc/postfix/main.cf: unused parameter: 
virtual_mailbox_extended=yes
postconf: warning: /etc/postfix/main.cf: unused parameter: 
smtpd_tls_note_starttls_offer=yes






master.cf

smtp  inet  n   -   n   -   -   smtpd
#
submission inet n   -   n   -   -   smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#
smtps inet  n   -   n   -   -   smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_helo_restrictions=permit_mynetworks,reject_invalid_hostname,permit

  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#
pickup    unix  n   -   n   60  1   pickup
cleanup   unix  n   -   n   -   0   cleanup
qmgr      unix  n   -   n   300 1   qmgr
tlsmgr    unix  -   -   n   1000?   1   tlsmgr
rewrite   unix  -   -   n   -   -   trivial-rewrite
bounce    unix  -   -   n   -   0   bounce
defer     unix  -   -   n