<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";
mso-fareast-language:EN-US;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-CA link=blue vlink=purple><div class=WordSection1><p class=MsoNormal>Further to our discussion on Tuesday night:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>As a wonderful local example, I’ve just discovered that with postfix, enforcing valid HELO hostnames (which really isn’t all that stringent a check!) prevents the Winnipeg Free Press’ website from emailing me. It seems registering on the website causes the registration-confirmation email to be sent from “clickability.com” (aka Limelight’s “Dynamic Site Platform”). OK, fine. They even have reverse DNS set up correctly. But their outbound MX host identified itself as “la-mailout1.clickability.com”. No such A record exists, so postfix immediately rejects the message at the HELO stage.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>FWIW, the host connecting to me is “dv-mailout1.clickability.com”, which correctly resolves forward and reverse.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>For anyone who’s interested, my Postfix main.cf reads, in part:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='margin-left:.5in'>smtpd_helo_restrictions =<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'> permit_inet_interfaces,<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'> permit_mynetworks,<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'> permit_sasl_authenticated,<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'> check_helo_access hash:/etc/postfix/client_access,<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'> reject_invalid_helo_hostname,<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'> reject_non_fqdn_helo_hostname,<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'> reject_unknown_helo_hostname,<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'> reject_unauth_pipelining,<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'> reject_rhsbl_helo zen.spamhaus.org<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>but adding:<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='margin-left:.5in'>dv-mailout1.clickability.com OK<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>la-mailout1.clickability.com OK<o:p></o:p></p><p class=MsoNormal style='margin-left:.5in'>208.80.58.240 OK<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>to /etc/postfix/client_access (and remembering to run postmap on it) eventually convinces Postfix to let this message in. (But typically not immediately, which I still don’t understand. Ideas?) Only one of those lines should be necessary, but I’ve never figured out which one :-).<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='mso-fareast-language:EN-CA'>-Adam Thompson<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-CA'> athompso@athompso.net<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p></div></body></html>