1

Topic: Helo command rejected: ACCESS DENIED.

=== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.5-1
- Linux/BSD distribution name and version: CentOS 7
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? Yes
- Related log if you're reporting an issue:
====

A contact of mine is trying to email me (me@mydomain.com) and he receives the following bounce back:

-------
This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

me@mydomain.com
host mta.mydomain.com [x.x.x.x]
SMTP error from remote mail server after RCPT TO:<me@mydomain.com>:
554 5.7.1 <y.y-y.y.64.192.in-addr.arpa>:
Helo command rejected: ACCESS DENIED. Your email was rejected because the sending mail server appears to be on a dynamic IP address that should not be doing direct mail delivery (y.y-y.y)
-------

We emailed each other about a year ago with no problem, and nothing has changed on his end (he has been using the same mail server with the same IP for many years), and nothing has changed on our end either. All of a sudden, he is unable to email me/my domain.

Please note the above "-" in between the y.y-y.y (which denotes his mail server IP). I am not sure if the "-" in there is normal to be seen or not.

Anyways, what can I do to start accepting emails from the above sender or IP?

Thanks.


2

Re: Helo command rejected: ACCESS DENIED.

Update: My contact on the other end contacted his upstream provider regarding the above bounce issue, and he got the below response from their support team.

--------

Your PTR record is set up as follows:
;; ANSWER SECTION:
y.y.64.192.in-addr.arpa. 860 IN CNAME y.y-y.y.64.192.in-addr.arpa.
y.y-y.y.64.192.in-addr.arpa. 14060 IN PTR server.senderdomain.tld.

According to the logs, there are multiple successful deliveries to a variety of mail service providers from your server.

The fact this particular remote server provider considers such setup incorrect fully contradicts with RFC for PTR records. Please ask them to have a look at https://tools.ietf.org/html/rfc2181 , paragraph 10.2:
Note that while the value of a PTR record must not be an alias, there is no requirement that the process of resolving a PTR record not encounter any aliases. The label that is being looked up for a PTR value might have a CNAME record. That is, it might be an alias. The value of that CNAME RR, if not another alias, which it should not be, will give the location where the PTR record is found. That record gives the result of the PTR type lookup. This final result, the value of the PTR RR, is the label which must not be an alias.
The final result is not an alias, so the policy needs to be changed at a remote mail provider side.

-------

So, now it is an issue on my end?!? Otherwise, iRedMail contradicts the RFC for PTR records?

Any help/input is much appreciated.

3

Re: Helo command rejected: ACCESS DENIED.

Simply whitelist your friend's server HELO hostname in the file /etc/postfix/helo_access.pcre (whitelist it in the first line), like this:

/^y\.y-y\.y\.64\.192\.in-addr\.arpa$/ OK
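
An added example (not part of the thread, and not iRedMail's own code) showing why the whitelist entry has to come first and why its dots should be escaped. It simulates first-match lookup in a Postfix pcre table. The HELO names and the `DYNAMIC` rule are constructed assumptions modelled on the bounce text, not the actual contents of /etc/postfix/helo_access.pcre.

```python
import re

# Constructed HELO name shaped like the one in the thread (RFC 2317-style
# classless reverse zone); 192.0.2.0/24 is a documentation range.
HELO = "5.0-127.2.0.192.in-addr.arpa"
LOOKALIKE = "5.0-127.2.0.192.in-addr0arpa"  # constructed, not a real name

# Assumed stand-in for the rule that fired, modelled on the bounce text;
# the actual patterns in /etc/postfix/helo_access.pcre may differ.
DYNAMIC = (r"(\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3})",
           "REJECT ACCESS DENIED (dynamic IP) ({1})")
ALLOW_STRICT = (r"^5\.0-127\.2\.0\.192\.in-addr\.arpa$", "OK")
ALLOW_LOOSE = (r"^5.0-127.2.0.192.in-addr.arpa$", "OK")  # dots unescaped


def lookup(table, helo):
    """Return the action of the first matching rule, or None.

    Mirrors Postfix pcre table semantics: rules are tried in file order,
    the first match wins, and matching is case-insensitive by default.
    """
    for pattern, action in table:
        m = re.search(pattern, helo, re.IGNORECASE)
        if m:
            captured = m.group(1) if m.groups() else ""
            return action.replace("{1}", captured)
    return None  # no rule matched; Postfix continues with later restrictions


def report():
    """Look up both names against four table layouts."""
    tables = {
        "no whitelist": [DYNAMIC],
        "whitelist first": [ALLOW_STRICT, DYNAMIC],
        "whitelist last": [DYNAMIC, ALLOW_STRICT],
        "loose whitelist first": [ALLOW_LOOSE, DYNAMIC],
    }
    return {name: (lookup(t, HELO), lookup(t, LOOKALIKE))
            for name, t in tables.items()}


if __name__ == "__main__":
    for name, (real, fake) in report().items():
        print(f"{name:22} {HELO}: {real}")
        print(f"{'':22} {LOOKALIKE}: {fake}")
```

On the mail server itself, `postmap -q "<helo name>" pcre:/etc/postfix/helo_access.pcre` shows which action the real table returns for a given HELO name.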