  #1 (permalink)  
Old 02-26-2008, 06:04 AM
New Member
 
Posts: 3
Helo command - Need Change postfix settings

Hello all!

I have a problem with incoming mail from one server. It is very important!
Postfix rejects mail sent from this domain's mail server because it has wrongly defined MX records.
I browsed the forums and found that I need to do this:
"You need to turn off the appropriate DNS/HELO check(s). Postfix is rejecting the mail because the MX record doesn't match the hostname the server announces itself as."
But I can't do that because the domain we host gets very, very much spam.
I need help with where to add, in the postfix settings, that postfix doesn't scan/check e-mails from this domain for MX records.

log part:

Feb 26 11:55:48 mail postfix/smtpd[31847]: NOQUEUE: reject: RCPT from mail.domain.com[xx.xxx.x.xx]: 450 : Helo command rejected: Host not found; from= to= proto=ESMTP helo=
Feb 26 11:55:48 snmail postfix/smtpd[31847]: disconnect from mail.domain.com[xx.xxx.x.xx]
Feb 26 11:56:03 snmail zmtomcatmgr[32097]: status requested
Feb 26 11:56:03 snmail zmtomcatmgr[32097]: status OK
Feb 26 11:55:48 snmail last message repeated 2 times

fc5 Release 4.5.5_GA_838.FC5_20070503175107 FC5 FOSS edition


Please help. I'm a newbie with postfix.
  #2 (permalink)  
Old 03-02-2008, 11:08 AM
Outstanding Member
 
Posts: 684

If you have the IP address of this server you could add it to the trusted networks in the Admin GUI. Something like this - xxx.xxx.xxx.xxx/32 . This will narrow it down to only that IP and postfix should accept mail from the server.
  #3 (permalink)  
Old 03-02-2008, 11:32 AM
Zimbra Consultant & Moderator
 
Posts: 20,316

Quote:
Originally Posted by Bill Brock
If you have the IP address of this server you could add it to the trusted networks in the Admin GUI. Something like this - xxx.xxx.xxx.xxx/32 . This will narrow it down to only that IP and postfix should accept mail from the server.
I would suggest that's not a wise thing to do as it could allow the external server to relay mail through the receiving server (i.e. spam). The best course of action would be to use a whitelist, check this section of the wiki article.
__________________
Regards


Bill
  #4 (permalink)  
Old 03-02-2008, 04:16 PM
Outstanding Member
 
Posts: 684

A white list will open up the whole domain. And the helo command is a lot easier to spoof than an IP address. Any machine claiming to be from that domain could send mail. Isolating one IP of a legitimate mail server seems more logical to me.

But that's just my opinion. :-)
  #5 (permalink)  
Old 03-02-2008, 11:49 PM
Zimbra Consultant & Moderator
 
Posts: 20,316

A whitelist doesn't necessarily open up the whole domain, you can restrict it to a specific email address. Allowing a mail server to connect to you will allow any user that can send mail via the remote server to relay mail through your server - the potential for a spammer is there.

Who said the sending mail server, in this case, is legitimate? As they can't even get their DNS correct how lax are they likely to be? I wouldn't know the answer to either of those questions, it's better to err on the side of caution.
__________________
Regards


Bill
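
The trade-off argued in posts #2 to #5, as an added illustration that is not part of any post and is not Zimbra's own configuration: plain Postfix syntax that exempts one client IP from the HELO hostname check without adding it to mynetworks. The map file name and the address 192.0.2.25 are assumptions (the thread masks the real IP), and where a ZCS install keeps these settings is not covered in the thread.

```cfg
# --- /etc/postfix/helo_client_exceptions (hypothetical file name) ---
# Constructed entry: 192.0.2.25 stands in for the sender's real address,
# which the log shows only as xx.xxx.x.xx.
# Matching is on the connecting IP, not on the HELO name the client sends.
192.0.2.25    OK

# --- main.cf ---
# Restrictions in a list are evaluated in order; the first OK or REJECT
# ends evaluation of THAT list only. An OK here skips the hostname lookup
# for 192.0.2.25 and nothing else.
# With smtpd_delay_reject = yes (the default) the rejection is reported at
# RCPT time, which is why the log line reads "reject: RCPT from ...".
smtpd_helo_required = yes
smtpd_helo_restrictions =
    check_client_access hash:/etc/postfix/helo_client_exceptions,
    reject_unknown_helo_hostname
# (reject_unknown_helo_hostname was named reject_unknown_hostname
#  before Postfix 2.3.)

# Relay control is a separate list and is unchanged: the exempted client
# is still stopped by reject_unauth_destination if it tries to send to
# domains this server does not host.
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# If the HELO check lives in smtpd_recipient_restrictions instead, the
# check_client_access line must come AFTER reject_unauth_destination;
# an OK placed before it would permit relaying for that client.

# --- Contrast: the trusted-networks approach from post #2 ---
# mynetworks = 127.0.0.0/8, 192.0.2.25/32
# permit_mynetworks then returns OK before reject_unauth_destination,
# so 192.0.2.25 may relay to any destination (the concern in posts #3, #5).

# After editing the map:
#   postmap hash:/etc/postfix/helo_client_exceptions
#   postfix reload
```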
  #6 (permalink)  
Old 03-03-2008, 12:57 AM
Outstanding Member
 
Posts: 684

He obviously wants to receive mail from that one server or he wouldn't be asking to.
  #7 (permalink)  
Old 03-03-2008, 05:03 AM
Zimbra Consultant & Moderator
 
Posts: 20,316

Quote:
Originally Posted by Bill Brock
He obviously wants to receive mail from that one server or he wouldn't be asking to.
I think I could actually work that out, however, it still doesn't make the server 'legitimate' and it still leaves him open to any remote user on that server using him as a spam relay.

Still, it's his choice to do what he wants and he's at liberty to ignore any of the advice I've given - I can live with that.
__________________
Regards


Bill
  #8 (permalink)  
Old 03-12-2008, 03:24 PM
New Member
 
Posts: 3

That is a legitimate concern for a more public domain, but a small company domain should be safe, shouldn't it? I am running into this HELO problem with a large amount of our client's domains, which is frustrating for our users and for outside clients as well. This seems to be a new problem stemming from our recent server update. Since the HELO statement is not necessarily reliable and apparently many times the server's internal host name, would it make sense to not perform this check and rely more on the reverse DNS?
  #9 (permalink)  
Old 03-12-2008, 06:01 PM
Outstanding Member
 
Posts: 684

This is only a problem when RFCs are not followed. Anyone setting up a domain and a mail server or web server or any other service should take it upon themselves to learn how to do it right. If they are not going to take the time to do it right then they shouldn't do it at all!

I work hard to make sure my IT is done correctly and it irks me when others don't. That is one of the main reasons why the Internet has so many problems today.
  #10 (permalink)  
Old 03-12-2008, 06:09 PM
Outstanding Member
 
Posts: 684

I've read in the forum where Zimbra reverse DNS's. I have two ZCS mail servers running. One reverse DNS's to its HELO name, the other to its generic ISP's name. I have no trouble with either server sending mail. I believe ZCS looks for the MX and A records and then simply any reverse DNS entry to make sure the host exists in the Internet properly.

All three, MX, A-record, and reverse DNS are such basic Internet principles that to not set them up properly is egregious.