1 Topic by Fastidious (edited by Fastidious 2021-04-08 23:32:42)

  • Fastidious
  • Member
  • Offline
  • Registered: 2021-02-28
  • Posts: 40

Topic: Recommendation on Postfix configuration

Currently iRedMail (1.3.2) adds to /etc/postix/main.cf the following:

   reject_non_fqdn_helo_hostname
   reject_unknown_helo_hostname

I recommend those are removed, as constant rejections and mail loses will occur with major email providers.

Example of rejections:

Apr  8 11:08:28 mail postfix/smtpd[2719]: warning: hostname mail-ed1-x52f.google.com does not resolve to address 2a00:1450:4864:20::52f: No address associated with hostname
Apr  8 11:08:29 mail postfix/smtpd[2719]: NOQUEUE: reject: RCPT from unknown[2a00:1450:4864:20::52f]: 450 4.7.1 <mail-ed1-x52f.google.com>: Helo command rejected: Host not found; from=<email@example1.com> to=<email@example2.com> proto=ESMTP helo=<mail-ed1-x52f.google.com>

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by Fastidious

  • Fastidious
  • Member
  • Offline
  • Registered: 2021-02-28
  • Posts: 40

Re: Recommendation on Postfix configuration

I have to add that it was a valid email, sent from Gmail (Google Apps for Domains [or whatever they are called these days]), that was rejected.

3 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: Recommendation on Postfix configuration

Are you sure the email was sent from Gmail/Gsuite?
HELO hostname is easy to forge.

4 Reply by Fastidious

  • Fastidious
  • Member
  • Offline
  • Registered: 2021-02-28
  • Posts: 40

Re: Recommendation on Postfix configuration

ZhangHuangbin wrote:

Are you sure the email was sent from Gmail/Gsuite?
HELO hostname is easy to forge.

Yes, I was the one sending it. Google's IPv6 is messing up with Postfix, it seems.

5 Reply by Fastidious

  • Fastidious
  • Member
  • Offline
  • Registered: 2021-02-28
  • Posts: 40

Re: Recommendation on Postfix configuration

See:

$ dig -x 2a00:1450:4864:20::52f

; <<>> DiG 9.16.1-Ubuntu <<>> -x 2a00:1450:4864:20::52f
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34366
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;f.2.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.5.4.1.0.0.a.2.ip6.arpa. IN PTR

;; ANSWER SECTION:
f.2.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.4.6.8.4.0.5.4.1.0.0.a.2.ip6.arpa. 86400 IN PTR mail-ed1-x52f.google.com.

And:

$ dig aaaa mail-ed1-x52f.google.com

; <<>> DiG 9.16.1-Ubuntu <<>> aaaa mail-ed1-x52f.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32053
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;mail-ed1-x52f.google.com.      IN      AAAA

;; ANSWER SECTION:
mail-ed1-x52f.google.com. 86400 IN      AAAA    2a00:1450:4864:20::52f

;; Query time: 28 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Sun Apr 11 13:45:20 EDT 2021
;; MSG SIZE  rcvd: 81

There is no IPv4 for that host.

6 Reply by Fastidious

  • Fastidious
  • Member
  • Offline
  • Registered: 2021-02-28
  • Posts: 40

Re: Recommendation on Postfix configuration

Is there no explanation? Just wondering if what I did is the best approach.

7 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,088

Re: Recommendation on Postfix configuration

- No need to remove "reject_non_fqdn_helo_hostname".
- Better not remove "reject_unknown_helo_hostname". Just whitelist some instead.