reject_non_fqdn_hostname

**rotorboy** · 10-07-2010, 09:49 AM

I'm dealing with the following error and it leads me to a question...

Oct 7 01:09:23 z1 postfix/smtpd[16656]: NOQUEUE: reject: RCPT from S010600173fbe827d.ek.shawcable.net[24.66.18.126]: 504 5.5.2 <Kays>: Helo command rejected: need fully-qualified hostname; from=<kristen@domainname.ext> to=<pete@domainname.ext> proto=ESMTP helo=<Kays>

From what I see on the forums I disable reject_non_fqdn_hostname in the MTA section of the zimbra administrator. Fine that's a resolution, but my concern is that this error is coming up at all.

Having read the description of FQDN on wikipedia:
Fully qualified domain name - Wikipedia, the free encyclopedia
from what I can see S010600173fbe827d.ek.shawcable.net is a FQDN, has a valid reverse DNS lookup, and as such should not be triggering this error.

However, helo=<Kays> is likely where the issue is coming from since it's the helo that's being checked right? So why would Outlook be using "Kays" which I'm guessing is the computers network name rather than the FQDN? I would rather not have to disable reject_non_fqdn_hostname if it is actually a useful tool in reducing spam....

Here's something I just read that makes this sound like a Zimbra/Postfix problem:

the addresses used in EHLO/HELO are supposed to be added by the SMTP server and outlook only adds if it the server does not.

**rotorboy** · 10-12-2010, 08:43 AM

Has anyone else been having problems with the FQDN requirement issue?

**dalmate** · 10-12-2010, 07:45 PM

Let's uncheck these options:
- Reject_unknow_client
- reject_unknow_hostname
After that, please do:
- with zimbra, type:
postfix reload.

**Alphaphi** · 10-13-2010, 04:57 AM

Oct 7 01:09:23 z1 postfix/smtpd[16656]: NOQUEUE: reject: RCPT from S010600173fbe827d.ek.shawcable.net[24.66.18.126]: 504 5.5.2 <Kays>: Helo command rejected: need fully-qualified hostname; from=<kristen@domainname.ext> to=<pete@domainname.ext> proto=ESMTP helo=<Kays>

That's OK. You don't want mail from senders that do not use an FQDN in the helo/ehlo, as they are most likely spammers, or, in rare cases, admins who don't know how to configure their servers correctly.

So in my postfix installations I use this check very early: "Don't talk to someone who doesn't want to tell his correct name.".

In general, I use:

# everyone
reject_non_fqdn_sender
reject_non_fqdn_recipient
reject_unknown_sender_domain
reject_unknown_recipient_domain
# ourselves
permit_mynetworks
permit_sasl_authenticated
# from here on strangers
check_helo_access hash:/etc/postfix/tables/check_helo_access
reject_invalid_helo_hostname
reject_non_fqdn_helo_hostname
reject_unlisted_recipient
reject_unauth_pipelining
[...]

**chauvetp** · 10-13-2010, 01:24 PM

Its definitely the HELO/EHLO that is the issue, as Alphaphi stated:

Oct 7 01:09:23 z1 postfix/smtpd[16656]: NOQUEUE: reject: RCPT from S010600173fbe827d.ek.shawcable.net[24.66.18.126]: 504 5.5.2 <Kays>: Helo command rejected: need fully-qualified hostname; from=<kristen@domainname.ext> to=<pete@domainname.ext> proto=ESMTP helo=<Kays>

It is either a spammer, or misconfigured. If this is someone you want to be receiving mail from, advise them to have their FQDN set correctly for their MTA. There are occasionally vendors that my college does business with who have this screwed up. Its not something you want to worry about changing on your end or whitelisting.

**rotorboy** · 10-13-2010, 03:10 PM

Thanks for the replies.

helo=<Kays>

This is generated by an authenticated (via email username/password) system user using Outlook 2003.
They are a client of our Zimbra server. From what I'm reading, Zimbra should recognize authenticated users and either replace the helo with something appropriate or not apply the "reject_non_fqdn_hostname" check to authenticated senders....

**phoenix** · 10-14-2010, 12:08 AM

Originally Posted by rotorboy

This is generated by an authenticated (via email username/password) system user using Outlook 2003.
They are a client of our Zimbra server. From what I'm reading, Zimbra should recognize authenticated users and either replace the helo with something appropriate or not apply the "reject_non_fqdn_hostname" check to authenticated senders....

Your authenticated users should use the correct submission port which is 587 and not use port 25 for sending email. Try changing the Outlook of user 'Kays' and see if that resolves the problem.

**rotorboy** · 10-14-2010, 08:51 AM

Hello Bill,

The ISP's here block port 25. The settings used are:

Outgoing SMTP server: mail.domainname.ext
"This server requires a secure connection (SSL)" or similar message should be checked.
"Use same login details as incoming mail server" -- Checked
SMTP Port: 465

Thanks....

**phoenix** · 10-14-2010, 08:53 AM

Originally Posted by rotorboy

Hello Bill,

The ISP's here block port 25. The settings used are:

Outgoing SMTP server: mail.domainname.ext
"This server requires a secure connection (SSL)" or similar message should be checked.
"Use same login details as incoming mail server" -- Checked
SMTP Port: 465

Port 465 is still not the correct port, try 587 and see what happens with that.

**rotorboy** · 10-14-2010, 09:16 AM

I'll give it a try however we were following these instructions:

Mail client Configuration - Zimbra :: Wiki

Zimbra

Thread: reject_non_fqdn_hostname

LinkBack

Thread Tools

Search Thread

Display

reject_non_fqdn_hostname

reject_non_fqdn_hostname

Thread Information

Users Browsing this Thread

Posting Permissions