Hello - I do have quite the same problem.
My system details and current status:
- I am running ispCP RC7 on Debian Etch.
- I have additionally installed the SSL services and also Maia following the howtos.
- The debugging of email howto gives me the impression of everything working properly so far.
- Most of my users enjoy having spam-free mailboxes now ... but some complain about not receiving certain emails at all.
Reading the logs, I found SMTP rejects on "helo/hostname mismatch", which I could reproduce with telnet from a remote Linux box. According to Google, all this seems to be a very common and mostly wanted behaviour, as it is caused by a malformed HELO or something.
Anyway I changed my /etc/postfix/main.cf as follows:
Code:
smtpd_helo_restrictions = permit_mynetworks,
    permit_sasl_authenticated
#   reject_invalid_helo_hostname
#   reject_non_fqdn_helo_hostname
Even though I can no longer reproduce the reject by telnet, it obviously didn't have the intended effect, as policyd-weight still causes rejects (/var/log/mail.log):
Type I - exchange server sending email:
Code:
Apr 20 12:14:02 ix012 postfix/smtpd[17670]: connect from 135.sub194.dcf.nl[83.136.194.135]
Apr 20 12:14:15 ix012 postfix/policyd-weight[23844]: weighted check: DYN_NJABL=ERR NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 DSBL_ORG=ERR CL_IP_NE_HELO=1.5 RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .prinsdokkum. - helo: .nt1.ntzone. - helo-domain: .ntzone.) FROM_NOT_FAILED_HELO(DOMAIN)=3 <client=83.136.194.135> <helo=nt1.ntzone.local> <from=w.schuster@#DOMAIN-B#> <to=markus.bachmann@#DOMAIN-A#>, rate: 1.5
Apr 20 12:14:15 ix012 postfix/policyd-weight[23844]: decided action=550 Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: nt1.ntzone.local, MTA hostname: 135.sub194.dcf.nl[83.136.194.135] (helo/hostname mismatch)
Apr 20 12:14:15 ix012 postfix/smtpd[17670]: NOQUEUE: reject: RCPT from 135.sub194.dcf.nl[83.136.194.135]: 550 5.7.1 <markus.bachmann@#DOMAIN-A#>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: nt1.ntzone.local, MTA hostname: 135.sub194.dcf.nl[83.136.194.135] (helo/hostname mismatch); from=<w.schuster@#DOMAIN-B#> to=<markus.bachmann@#DOMAIN-A#> proto=ESMTP helo=<NT1.ntzone.local>
Apr 20 12:14:15 ix012 postfix/smtpd[17670]: disconnect from 135.sub194.dcf.nl[83.136.194.135]
Type II - external script sending email (from dynamic IP):
Code:
Apr 20 14:23:00 ix012 postfix/smtpd[5166]: connect from p579CE60B.dip.t-dialin.net[87.156.230.11]
Apr 20 14:23:00 ix012 postfix/smtpd[5166]: warning: p579CE60B.dip.t-dialin.net[87.156.230.11]: SASL ntlm authentication failed: authentication failure
Apr 20 14:23:00 ix012 postfix/smtpd[5166]: warning: p579CE60B.dip.t-dialin.net[87.156.230.11]: SASL login authentication failed: authentication failure
Apr 20 14:23:13 ix012 postfix/policyd-weight[3295]: weighted check: DYN_NJABL=ERR NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 DSBL_ORG=ERR CL_IP_NE_HELO=1.5 RESOLVED_IP_IS_NOT_HELO=1.5 HELO_NUMERIC=1.5 (check from: .com-part. - helo: .andyx8. - helo-domain: .andyx8.) FROM_NOT_FAILED_HELO(DOMAIN)=3 <client=87.156.230.11> <helo=andyx8> <from=registrierung@#DOMAIN-B#> <to=am@#DOMAIN-A#>, rate: 3
Apr 20 14:23:13 ix012 postfix/policyd-weight[3295]: decided action=550 Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: andyx8, MTA hostname: p579ce60b.dip.t-dialin.net[87.156.230.11] (helo/hostname mismatch)
Apr 20 14:23:13 ix012 postfix/smtpd[5166]: NOQUEUE: reject: RCPT from p579CE60B.dip.t-dialin.net[87.156.230.11]: 550 5.7.1 <am@#DOMAIN-A#>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: andyx8, MTA hostname: p579ce60b.dip.t-dialin.net[87.156.230.11] (helo/hostname mismatch); from=<registrierung@#DOMAIN-B#> to=<am@#DOMAIN-A#> proto=ESMTP helo=<AndyX8>
Apr 20 14:23:13 ix012 postfix/smtpd[5166]: lost connection after RCPT from p579CE60B.dip.t-dialin.net[87.156.230.11]
Apr 20 14:23:13 ix012 postfix/smtpd[5166]: disconnect from p579CE60B.dip.t-dialin.net[87.156.230.11]
Note: In these log snippets I replaced the domain names with #DOMAIN-A# and #DOMAIN-B# and changed real names.
My questions (from most to least important):
- Do I have to fully deactivate policyd-weight, or can I make further modifications to only prevent it from rejecting these mismatches? I wouldn't mind if emails were marked as spam, if at least not rejected.
- What is the difference between reject_invalid_helo_hostname and reject_non_fqdn_helo_hostname?
- Why do I have authentication failures (e.g. with scripts using .NET trying to send email - see Type II, two warnings)?
Any help would be very much appreciated!
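
Added example (not part of the original post): a small Python parser for the two policyd-weight "weighted check" lines quoted above, splitting each logged rate into HELO-related tests and all other tests. The function names and the rule "a test is HELO-related if its name contains HELO" are assumptions made for this illustration.

```python
import re

# The two "weighted check" lines from the post above, copied as posted.
SAMPLE_LINES = [
    "Apr 20 12:14:15 ix012 postfix/policyd-weight[23844]: weighted check: DYN_NJABL=ERR NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 DSBL_ORG=ERR CL_IP_NE_HELO=1.5 RESOLVED_IP_IS_NOT_HELO=1.5 (check from: .prinsdokkum. - helo: .nt1.ntzone. - helo-domain: .ntzone.) FROM_NOT_FAILED_HELO(DOMAIN)=3 <client=83.136.194.135> <helo=nt1.ntzone.local> <from=w.schuster@#DOMAIN-B#> <to=markus.bachmann@#DOMAIN-A#>, rate: 1.5",
    "Apr 20 14:23:13 ix012 postfix/policyd-weight[3295]: weighted check: DYN_NJABL=ERR NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 DSBL_ORG=ERR CL_IP_NE_HELO=1.5 RESOLVED_IP_IS_NOT_HELO=1.5 HELO_NUMERIC=1.5 (check from: .com-part. - helo: .andyx8. - helo-domain: .andyx8.) FROM_NOT_FAILED_HELO(DOMAIN)=3 <client=87.156.230.11> <helo=andyx8> <from=registrierung@#DOMAIN-B#> <to=am@#DOMAIN-A#>, rate: 3",
]

# TEST_NAME=score or TEST_NAME=ERR; names may carry a "(DOMAIN)" suffix.
TOKEN = re.compile(r"([A-Z0-9_]+(?:\([A-Z]+\))?)=(-?\d+(?:\.\d+)?|ERR)")
LINE = re.compile(r"weighted check: (.*?) <client=.*rate: (-?[\d.]+)")


def parse_weighted_check(line):
    """Return (scores, err_tests, rate), or None if the line does not match."""
    m = LINE.search(line)
    if m is None:
        return None
    scores, err_tests = {}, []
    for name, value in TOKEN.findall(m.group(1)):
        if value == "ERR":  # no numeric score logged for this test
            err_tests.append(name)
        else:
            scores[name] = float(value)
    return scores, err_tests, float(m.group(2))


def explain(line):
    """Split the logged rate into HELO-related tests and all other tests."""
    parsed = parse_weighted_check(line)
    if parsed is None:
        return None
    scores, err_tests, rate = parsed
    # Assumption: a test counts as HELO-related if "HELO" appears in its name.
    helo = sum(v for k, v in scores.items() if "HELO" in k)
    return {"rate": rate, "helo": helo,
            "other": sum(scores.values()) - helo, "err_tests": err_tests}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(explain(line))
```

On both lines the non-HELO tests sum to -4.5, so the logged rates of 1.5 and 3 come entirely from the HELO-related tests.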