[SOLVED] Allow internal IP address to connect with empty HELO

L

larsen

Well-Known Member
Feb 28, 2020
160
19
58
We have an internal HP MSA2040 SAN where I can configure email settings to send notifications, but unfortunately the system doesn't allow to configure any other port than 25. As the system doesn't send a HELO, connections are denied:

Code: 
postfix/postscreen[58745]: CONNECT from [192.168.120.27]:47681 to [192.168.120.5]:25
postfix/postscreen[58745]: WHITELISTED [192.168.120.27]:47681
postfix/smtpd[58746]: connect from unknown[192.168.120.27]
postfix/smtpd[58746]: NOQUEUE: reject: RCPT from unknown[192.168.120.27]: 504 5.5.2 <none>: Helo command rejected: need fully-qualified hostname; from=<msa2040@example.com> to=<jdoe@example.com> proto=ESMTP helo=<none>
postfix/smtpd[58746]: disconnect from unknown[192.168.120.27] ehlo=1 mail=1 rcpt=0/1 data=0/1 noop=1 quit=1 commands=4/6

I have added 192.168.120.27/32 as a trusted network, but that is not sufficient. How can I allow connections from that IP (not generally) without a HELO?
 
As you're using a fixed IP, you can use the firewall to forward from port 25 to port 26 on localhost for that IP only.
So for IP 192.168.120.27 forward any packets that arrive on port 25 on localhost from that IP to port 26 on localhost.


Da es sich hier um eine fixe IP im internen Netz handelt, könntest du per Firewall Regel diese umleiten auf einen anderen Port. Also eingehend von 192.168.120.27 auf Port 25 wird dann von der Firewall auf localhost Port 26 umgeleitet.
 
Last edited:
Very good idea! Solved with this:
iptables -t nat -A PREROUTING -p tcp -s 192.168.120.27 --dport 25 -j REDIRECT --to-ports 26
(Persistance via Webmin to manage the firewall rules)

Thanks!
 
Sorry, for some reason I replied in German. Sometimes mixups do happen when you provide support in both languages and mix them all day.

I've edited the post above to include the english version of the text.
 
No problem, German is my native language. Just prefer to communicate in English so more other users can potentially benefit from it.
 
You must log in or register to reply here.
Top Bottom