Topic: HELO Whitelisting in Postfix

- iRedMail version (check /etc/iredmail-release): 1.6.7
- Deployed with iRedMail Easy or the downloadable installer? Installer
- Linux/BSD distribution name and version: Rocky 9.3
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MariaDB
- Web server (Apache or Nginx): Silly question
- Manage mail accounts with iRedAdmin-Pro? No


I have several questions about postfix HELO whitelisting using helo_access.pcre.

1. There is an old (2013) thread here implying that helo_access.pcre is NOT effectively scanned unless one reverses the order of two rules in main.cf. Is that still true? Newer posts about helo_access don't mention anything about that.

2. The reject message is

Jan 29 16:42:34 <my-server> postfix/smtpd[474059]: NOQUEUE: reject: RCPT from srv150.services.gc.ca[]: 450 4.7.1 <MLCSESD4842.hrdc-drhc.net>: Helo command rejected: Host not found; from=<remote-user@hrsdc-rhdcc.gc.ca> to=<local-user@my-domain.ca> proto=ESMTP helo=<MLCSESD4842.hrdc-drhc.net>.

From that, is the HELO id I need to whitelist *.services.gc.ca, *.hrdc-rhdcc.net, or *.hrdc-drhc ? It's hard to tell what the actual HELO response is...

3. I can't find anywhere describing the methodology for creating the exact line in helo_access.pcre. My guess is

/^\.hrdc-drhc\.net$/ OK

Is that right? Do I really need the backslash escape before each dot?

4. Is there a guide for this? All I can find is https://www.postfix.org/access.5.html which explains the processing order, but not the detailed use of the delimiters.

Thanks for all help as always,


Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.


Re: HELO Whitelisting in Postfix

Oh, I see! PCRE means Perl Compatible Regular Expression

That helps, but my other questions still stand. Also,

5. the "access" document says that specifying domain name starting with a . then accepts all subdomains too. But it's not clear if that applies to this particular file (helo_access.pcre).


Re: HELO Whitelisting in Postfix


Okay, I've got it working. The correct line is

/\.hrdc\-drhc\.net$/ OK

Note the - needs to be escaped as well.

ZhangHuangbin actually did a post covering it in 2020:
https://forum.iredmail.org/topic16863-h … fixed.html
Note sure why that didn't show up in my initial searches.

A basic PCRE primer is at
https://qualysguard.qualys.com/qwebhelp … ymbols.htm

Perhaps this is a good thing to write a user-contributed document about.


Re: HELO Whitelisting in Postfix

evenmoreconfused wrote:

Note the - needs to be escaped as well.

"-" doesn't need to be escaped.
The mistake is the leading "^".