7

I am using Postfix as an internal mail relay server, and we have several servers internally running all sorts of custom code, some are packages/services, and some of it is native Linux or Windows system services that use this/these systems to communicate as a mail relay.

The problem I'm encountering is that I am working on cleaning up the HELO names that the servers are communicating to the relay when sending mail; some are localhost.localdomain, for example, and it's hurting our IP reputation (blacklists, etc.).

I installed pflogsumm which has been a great help, but I really wish there was a way I could get a list of IPs that are connecting to this server and the corresponding HELOs that the IPs are making (or their servernames that they are reporting as if you know what I mean).

If anyone knows how I can get this information from Postfix that would be great, a bonus would be able to expose this to pflogsumm so that I can view it in my daily mail report. Thank you!

Keegan Jacobson

1 Answer

5

Wietse Venema (author of Postfix) gave this answer to a question asked in 2012 on the postfix-users mailing list:

```
warn_if_reject check_helo_access static:reject
```

It is probably current, give it a try.

Update

I gave it a try:

First of all, the configuration needs to be made in the `smtpd_helo_restrictions` configuration directive.

```
smtpd_helo_restrictions = warn_if_reject check_helo_access static:reject
```

This will result in log entries of the following sort:

```
Oct 16 00:12:45 vega postfix/smtpd[6676]: NOQUEUE: reject_warning: RCPT from unknown[xxxx:xxxx:xxxx::x]: 554 5.7.1 <test>: Helo command rejected: Access denied; from=<anybody@example.com> to=<somebody@example.com> proto=SMTP helo=<test>
```

In this case I used `test` in the HELO command of the SMTP connection. With this being a reject_warning, pflogsumm will probably have no problem summarizing this.

Joffrey
  • Thank you so much for a detailed response, I'm excited to try it and will report back! Much appreciated and have a great day. – Keegan Jacobson Oct 16 '15 at 13:50
  • I got this error `postfix: fatal: /etc/postfix/main.cf, line 44: missing '=' after attribute name: "smtpd_helo_restrictions warn_if_reject check_helo_access static:reject"` but it was simple enough to understand that it needed to be `smtpd_helo_restrictions = warn_if_reject check_helo_access static:reject` – Keegan Jacobson Oct 16 '15 at 14:05
  • Oh, my bad in copy-paste... I will fix this in my answer! – Joffrey Oct 16 '15 at 15:15
  • No worries! It works pretty much perfectly from what I can tell as far as testing it goes, but there is one small issue related to pflogsumm. When checking the pflogsumm mail statistics report this is what the lines read, it's *almost* right: `RCPT` `Helo command rejected: Access denied (total: 2)` `1 examplehost.domain.local` `1 10.10.10.10` So I tested it with two different hosts, but the problem is that if examplehost.domain.local was something like "localhost.localdomain" in the pflogsumm report it wouldn't correlate to an IP address. If that makes sense – Keegan Jacobson Oct 16 '15 at 15:46
  • It makes sense; for a log analyzer there is no need to display the FQDN and the IP address at the same time. You will probably need to adjust the code of pflogsumm for this. – Joffrey Oct 17 '15 at 07:15
  • Unfortunately, the solution presented here results in emails from my mail client (Thunderbird) getting rejected by my own mail server because Thunderbird sends the LAN IP address as HELO host. :( – balu May 19 '22 at 12:14
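
An added example (not part of the original answer, and not pflogsumm code): a small Python script that pairs each client IP with the HELO names it sent, read from the `reject_warning` lines shown in the answer, which is the IP-to-HELO correlation the comments say the pflogsumm report lacks. The sample log lines are constructed; the function names and the checks in `helo_problem` are assumptions of this example.

```python
import re
from collections import Counter, defaultdict

# Matches the smtpd line format shown in the answer:
#   ... NOQUEUE: reject_warning: RCPT from host[addr]: ... helo=<name>
LINE_RE = re.compile(
    r"postfix/smtpd\[\d+\]: NOQUEUE: reject_warning: \w+ from "
    r"[^\[\s]+\[(?P<ip>[^\]]+)\]: .*\bhelo=<(?P<helo>[^>]*)>")

def helo_problem(helo):
    """Return why a HELO name looks wrong, or None if it looks like an FQDN."""
    name = helo.lower().rstrip(".")
    if name in ("localhost", "localhost.localdomain"):
        return "localhost name"
    if name.startswith("[") or re.fullmatch(r"[\d.]+|[0-9a-f:.]*:[0-9a-f:.]*", name):
        return "IP address instead of hostname"
    if "." not in name:
        return "not fully qualified"
    return None

def helo_by_client(lines):
    """Map client IP -> Counter of HELO names seen from that IP."""
    seen = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.search(line)
        if m:  # unrelated log lines are skipped
            seen[m["ip"]][m["helo"]] += 1
    return seen

def report(seen):
    """Rows of (ip, helo, count, verdict), sorted by IP string."""
    return [(ip, helo, n, helo_problem(helo) or "ok")
            for ip in sorted(seen) for helo, n in seen[ip].most_common()]

# Constructed sample log lines in the format shown above (not real traffic).
_T = ("Oct 16 00:12:45 vega postfix/smtpd[6676]: NOQUEUE: reject_warning: RCPT "
      "from {r}[{i}]: 554 5.7.1 <{h}>: Helo command rejected: Access denied; "
      "from=<a@example.com> to=<b@example.com> proto=ESMTP helo=<{h}>")
SAMPLE = [_T.format(r=r, i=i, h=h) for r, i, h in [
    ("unknown", "10.10.10.10", "localhost.localdomain"),
    ("unknown", "10.10.10.10", "localhost.localdomain"),
    ("examplehost.domain.local", "10.10.10.11", "examplehost.domain.local"),
    ("unknown", "10.10.10.12", "10.10.10.12"),
    ("unknown", "2001:db8::25", "test"),
]] + ["Oct 16 00:12:46 vega postfix/smtpd[6676]: disconnect from unknown[10.10.10.10]"]

if __name__ == "__main__":
    for row in report(helo_by_client(SAMPLE)):
        print("%-15s %-28s %3d  %s" % row)
```

To run it on real data, pass the open mail log file to `helo_by_client` in place of `SAMPLE`.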