Postfix and Servers with invalid Helo

I like to keep higher than “normal” security on our email servers. One such setting in Postfix is:

smtpd_helo_required = yes

With this setting enabled, you also need to specify who is allowed and who should be blocked via:

smtpd_helo_restrictions = [bunch of settings here...]

In this article, I will be discussing:

smtpd_helo_restrictions = permit_mynetworks, check_helo_access regexp:/etc/postfix/helo_access, [other options not discussed]

I think that blocking mail servers that don’t properly have DNS set up is a GOOD thing. There are plenty of servers that don’t meet RFC specifications, many of which are spammers who don’t want their server discoverable via DNS routes. This makes it so that spam originating from them does not return to their server as a bounced email and flood the spammer’s own system. So enabling the smtpd_helo_restrictions blocks a TON of spam.

Inevitably a customer utilizes a service with a badly configured email server and their messages need to get through this blocking mechanism. That’s where the helo_access file is useful. With the configuration above, Postfix uses regular expression matching against the name the client announces in HELO/EHLO (a DNS name or an IP address) and allows matching entries to get around the HELO restriction and DNS validation. Set up the file as follows.

Say I’m encountering a source server or multiple source servers on IP addresses 50.0.0.1 and 50.0.0.2. Those servers are announcing themselves as mxbox50.bitwiz.net but they have not added an entry in DNS for mxbox50 to resolve to either of those IP addresses. On my receiving server, I open the /etc/postfix/helo_access file with my favorite Linux text editor and add the following lines:

/^50\.0\.0\.1$/ OK
/^50\.0\.0\.2$/ OK
/^mxbox50\.bitwiz\.net$/ OK

Save the file.

Execute the following commands:

[me@mxbox50 me]# postmap /etc/postfix/helo_access
[me@mxbox50 me]# postfix reload

Postfix will now allow the listed invalid HELO values to pass, so mail from those servers is delivered. All other badly configured email servers with an invalid HELO remain blocked.

In these regular expressions, the leading / and trailing / delimit the pattern, ^ anchors the match at the start of the HELO string, a \ escapes the period . character, which otherwise matches any single character in a regular expression, and $ anchors the match at the end. This is an example of an exact match regular expression. No other variations will match and pass.
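The exact-match behaviour described above can be checked offline before touching a live server. The following is an added example, not part of the original article or of Postfix: it approximates a regexp table lookup with Python's re module (first matching rule wins, case-insensitive matching as in Postfix regexp tables) and compares the article's table with a constructed loose variant. The names parse_table, lookup, LOOSE_TABLE and SAMPLES are hypothetical, and the HELO strings are constructed.

```python
import re

# Table from the article, followed by a constructed loose variant for contrast.
ARTICLE_TABLE = r"""
/^50\.0\.0\.1$/ OK
/^50\.0\.0\.2$/ OK
/^mxbox50\.bitwiz\.net$/ OK
"""
LOOSE_TABLE = r"""
# constructed: no ^/$ anchors, dots left unescaped
/mxbox50.bitwiz.net/ OK
"""
RULE = re.compile(r"^/(?P<pat>.*)/\s+(?P<action>\S.*)$")

def parse_table(text):
    """Parse '/pattern/ action' lines, skipping blanks and '#' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE.match(line)
        if m is None:
            raise ValueError(f"unsupported table line: {raw!r}")
        # Postfix regexp tables are case-insensitive unless flagged otherwise.
        rules.append((re.compile(m["pat"], re.IGNORECASE), m["action"]))
    return rules

def lookup(rules, helo):
    """Return the action of the first rule matching the HELO string, else None."""
    for pattern, action in rules:
        if pattern.search(helo):  # substring search; only ^ and $ pin it down
            return action
    return None

# Constructed HELO strings; only the announced name is tested, never the
# address the client actually connects from.
SAMPLES = [
    "mxbox50.bitwiz.net",
    "MXBOX50.BITWIZ.NET",
    "50.0.0.1",
    "mxbox50.bitwiz.net.example.org",
    "mxbox50xbitwiz.net",
    "mail.example.org",
]

if __name__ == "__main__":
    strict, loose = parse_table(ARTICLE_TABLE), parse_table(LOOSE_TABLE)
    for helo in SAMPLES:
        print(f"{helo:32} article={lookup(strict, helo)} loose={lookup(loose, helo)}")
```

Without the anchors and escapes, the loose pattern also whitelists look-alike names such as mxbox50.bitwiz.net.example.org, which is why the article's exact-match form is the one to keep.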