HELO processing

proxnoci

Member
Jan 15, 2023
43
4
8
At the moment HELO/EHLO check can be enabled or disabled...
Nice... so far.
Unless one has very simple equipment that cannot be configured to specify the HELO content (PLC's...), yep some are in the wild sending to the external interface.

It would be nice if HELO check could be Enabled/Disabled for specific address ranges/lists.
Can this be done in some other way?
 
Please post the logs of a mail that does not get delivered - then we can see what can be done where.
 
Here is the offending message

Code:
2023-09-20T00:06:08.756720+02:00 mailfilter postfix/smtpd[1258607]: connect from xxxxxxxx.dsl.cambrium.nl[ww.xx.yy.zz]
2023-09-20T00:06:08.784587+02:00 mailfilter postfix/smtpd[1258607]: NOQUEUE: reject: RCPT from xxxxxxx.dsl.cambrium.nl[ww.xx.yy.zz]: 504 5.5.2 <WORLD>: Helo command rejected: need fully-qualified hostname; from=<sendid@sender.domain> to=<priva@somewhere.pmg.works> proto=SMTP helo=<WORLD>
2023-09-20T00:06:08.792948+02:00 mailfilter postfix/smtpd[1258607]: lost connection after RCPT from xxxxxxx.dsl.cambrium.nl[ww.xx.yy.zz]
2023-09-20T00:06:08.793002+02:00 mailfilter postfix/smtpd[1258607]: disconnect from xxxxxxx.dsl.cambrium.nl[ww.xx.yy.zz] helo=1 mail=1 rcpt=0/1 commands=2/3

Disabling HELO checking WILL allow the message to arrive, it also causes more spam needlessly to be checked.
the WORLD word can be changed, but there is no place to get the full reverse lookup address there.
The reverse lookup cannot be changed.

So a way to allow HELO WORLD (or any other configurable short phrase) or to select HELO processing based on an address/network (list).
Also those simple (building management) PLC's cannot be programmed to find their own public address, or all configured manually for each and every address.
A previous dedicated solution is replaced by PMG due to it's SPAM filtering options
 
If validatiing individual SMTP verbs is een issue, is exim a prossible replacement for postfix within PMG?
 
the helo_tests are disabled on the internal port - make sure your PLC's use the internal port of PMG - then everything should just work!
(you need to add the IP-ranges to the trusted networks)


If validatiing individual SMTP verbs is een issue, is exim a prossible replacement for postfix within PMG?
No it's not - PMG is quite tightly integrated with postfix - you can of course use an exim in front of your PMG
 
The systems of concern are OUTSIDE of the system, network, building etc.
Adding another mail proxy in front of PMG somehow obsoletes PMG wouldn't it?
VPN's between the systems and central are not easy if possible to do in 80% of the cases.

so it is Either disabling HELO tests on the "external" port.
Connecting the internal side to the internet... not a concept i would have thought of actually...
Building a complete separate pipeline was something that was to be avoided.
 
@Stoiko Ivanov , may i point you to this article
http://unixwiz.net/techtips/postfix-HELO.html

There one can add specific checks to the HELO processing. like check_helo_access pointing to a list of acceptable items followed with a verdict.
Either OK / REJECT (with or without reason).

What would it take to get this functionality included. (provide/edit a list for helo and verdict + inclusion in pmg).
 
Last edited:
Done that for now, reading the article, i just thought it might be a good feature to have... as one might have specific IPaddresses / hostnames that need to be whitelisted. (And not included in mynetwork...). (slightly better than just have yes/no checking.)
 
I have the impression the /etc/pmg/templates are overwritten by the ones from /var/lib/pmg/templates....., So i even resorted to updating those.
(Overwritten when apt-get update / apt-get ???-upgrade is done.)
 
I have the impression the /etc/pmg/templates are overwritten by the ones from /var/lib/pmg/templates.....,
This is not the case - the templates are taken first from /etc/pmg/templates, and if this does not exist from /var/lib/pmg/templates...
 

About

The Proxmox community has been around for many years and offers help and support for Proxmox VE, Proxmox Backup Server, and Proxmox Mail Gateway.
We think our community is one of the best thanks to people like you!

Get your subscription!

The Proxmox team works very hard to make sure you are running the best software and getting stable updates and security enhancements, as well as quick enterprise support. Tens of thousands of happy customers have a Proxmox subscription. Get yours easily in our online shop.

Buy now!