Wednesday, November 26, 2014

outlook - Postfix: Recipient address rejected: Invalid HELO/EHLO



The problem seems to be MS Outlook 2007 not sending SMTP AUTH, for some strange reason, for only one specific domain.



I run an iRedMail server (it's using stock Debian 7/wheezy, postfix 2.9.6-2) for my domain and a few dozen client domains.
The problem is I have a client unable to send email to me (not just my email but the whole domain) - it gets rejected due to reject_non_fqdn_helo_hostname, but the client is using SMTP AUTH and has it correctly set, so it should bypass the FQDN check. It just looks like the MUA is not using SMTP AUTH only for my and my colleagues' email addresses.




Has anyone seen this before? How can I work around this problem? Any input is highly appreciated!



Could it be that it's connected to the MUA? She is using Outlook (not Express).



Have a look at the following log snippets showing different situations. All were caught with the same configuration, same MUA, same IPs, ...:



1) This is OK: my client sends email to a third-party server, using SMTP AUTH





May 28 13:02:13 email2 postfix/smtpd[1191]: connect from
May 28 13:02:13 email2 postfix/smtpd[1191]: 28A5D35E61DC: client=, sasl_method=LOGIN, sasl_username=
May 28 13:02:26 email2 postfix/cleanup[1435]: 28A5D35E61DC: message-id=<006c01ce5b92$d33805e0$79a811a0$@cz>
May 28 13:02:44 email2 postfix/qmgr[376]: 28A5D35E61DC: from=, size=4392922, nrcpt=7 (queue active)
May 28 13:02:44 email2 postfix/smtp[1580]: 28A5D35E61DC: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=32, delays=31/0/0/0.88, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as B061435E61DE)
May 28 13:02:47 email2 postfix/qmgr[376]: 28A5D35E61DC: removed


2) This is OK: my client sends email to a local account (her colleague); she is using SMTP AUTH





May 28 13:06:18 email2 postfix/smtpd[2519]: connect from
May 28 13:06:18 email2 postfix/smtpd[2519]: 49CE735E61D4: client=, sasl_method=LOGIN, sasl_username=
May 28 13:06:18 email2 postfix/cleanup[429]: 49CE735E61D4: message-id=<007201ce5b93$5df069c0$19d13d40$@cz>
May 28 13:06:19 email2 postfix/qmgr[376]: 49CE735E61D4: from=, size=10875, nrcpt=1 (queue active)
May 28 13:06:19 email2 postfix/smtp[2295]: 49CE735E61D4: to=, relay=127.0.0.1[127.0.0.1]:10024, delay=1.6, delays=1.2/0/0/0.43, dsn=2.0.0, status=sent (250 2.0.0 from MTA(smtp:[127.0.0.1]:10025): 250 2.0.0 Ok: queued as CC61F35E61D7)
May 28 13:06:19 email2 postfix/qmgr[376]: 49CE735E61D4: removed



3) Problem: email sent to my account (same server, but different domain), NOT using SMTP AUTH???:




May 28 13:04:38 email2 postfix/smtpd[1433]: connect from
May 28 13:04:38 email2 postfix/smtpd[1433]: NOQUEUE: reject: RCPT from : 554 5.7.1 >: Recipient address rejected: Invalid HELO/EHLO; Must be a FQDN or an address literal, not 'xxx'; from= to= proto=ESMTP helo=
May 28 13:04:41 email2 postfix/smtpd[1433]: disconnect from


Part of postfix configuration:





smtpd_sender_restrictions = permit_mynetworks,
    reject_authenticated_sender_login_mismatch,
    permit_sasl_authenticated
smtpd_recipient_restrictions = reject_unknown_sender_domain,
    reject_unknown_recipient_domain,
    reject_non_fqdn_sender,
    reject_non_fqdn_recipient,
    reject_unlisted_recipient,
    check_policy_service inet:127.0.0.1:7777,
    check_policy_service inet:127.0.0.1:10031,
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
smtpd_helo_restrictions = permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    check_helo_access pcre:/etc/postfix/helo_access.pcre



See output of postconf and cat main.cfg


Answer



The problem was in the policyd (cluebringer)... It was not apparent from the log at first look that the reject was not from a postfix restriction but from the policyd.



Background



I had only my primary domain in cluebringer's group internal_domains (after install), and all the new domains weren't there... To solve the problem I decided to empty internal_domains, and everything works as expected now.



Thank you for all your help!
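In the configuration posted in the question, both check_policy_service entries in smtpd_recipient_restrictions sit before permit_sasl_authenticated, so a policy daemon is consulted even for clients that have logged in. The following is an added example, not part of the original post: it parses restriction lists in main.cf syntax and reports which policy services are reached before permit_sasl_authenticated. The function names are hypothetical, the input is constructed from the lists quoted above, and it assumes no earlier restriction in a list has already returned a final result.

```python
# Constructed input: the restriction lists quoted in the question, in main.cf syntax.
MAIN_CF = """\
smtpd_sender_restrictions = permit_mynetworks,
    reject_authenticated_sender_login_mismatch, permit_sasl_authenticated
smtpd_recipient_restrictions = reject_unknown_sender_domain,
    reject_unknown_recipient_domain, reject_non_fqdn_sender,
    reject_non_fqdn_recipient, reject_unlisted_recipient,
    check_policy_service inet:127.0.0.1:7777, check_policy_service inet:127.0.0.1:10031,
    permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname,
    check_helo_access pcre:/etc/postfix/helo_access.pcre
"""

def parse_main_cf(text):
    """Return {parameter: value}, joining continuation lines (leading whitespace)."""
    params, name = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank and comment lines do not end a logical line
        if line[0].isspace() and name:
            params[name] += " " + line.strip()
        elif "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            params[name] = value
    return params

def split_restrictions(value):
    """Split a restriction list; a check_* restriction keeps its one argument."""
    items = []
    for tok in value.replace(",", " ").split():
        if items and items[-1].startswith("check_") and " " not in items[-1]:
            items[-1] += " " + tok  # lookup table or policy service address
        else:
            items.append(tok)
    return items

def policy_checks_before_sasl_permit(text):
    """Policy services each list consults before permit_sasl_authenticated applies."""
    found = {}
    for name, value in parse_main_cf(text).items():
        items = split_restrictions(value)
        if "permit_sasl_authenticated" in items:
            items = items[:items.index("permit_sasl_authenticated")]
        hits = [i for i in items if i.startswith("check_policy_service ")]
        if hits:
            found[name] = hits
    return found
```

Only smtpd_recipient_restrictions is reported for this input, which matches the "Recipient address rejected" prefix on the 554 line in the third log excerpt.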


