On a Postfix email server with paranoid HELO security your clients might contact you because they are not getting email. Upon examining the email log file you stumble across the following message:
# journalctl | grep "sender-domain.com" Jul 15 10:08:18 host postfix/smtpd[19117]: NOQUEUE: reject: RCPT from smtpout1.mo3004.mail-out.ovh.net[79.137.123.219]: 554 5.7.1 <smtpout1.mo3004.mail-out.ovh.net>: Helo command rejected: ACCESS DENIED. Unknown (ovh.net); from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<smtpout1.mo3004.mail-out.ovh.net>
The paranoid SMTP helo restrictions are outlined below, and the culprit is most likely `reject_invalid_helo_hostname`
smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, check_helo_access pcre:/etc/postfix/helo_access.pcre
Our suggestion is to avoid these paranoid settings because clients do not take it lightly if email isn’t received and this leads to a lot of specialized support.
Edit the line in /etc/postfix/main.cf and comment it out using a #. Then `service postfix reload`
More Information
You might even find a more extreme message such as below in your log file:
Jul 24 23:36:10 host postfix/smtpd[9817]: NOQUEUE: reject: RCPT from mail146.transactional.voxtelecom.eversrv.com[69.63.146.146]: 554 5.7.1 <mail146.transactional.voxtelecom.co.za.eversrv.com>: Helo command rejected: ACCESS DENIED. Evil marketing companies who never asked permission to email here (eversrv.com); from=<trans.60fc871c25446ff4eb0c1a97.1682.ARuOyJkVZGXIH2Mv.2@eversrv.voxtelecom.co.za> to=<[email protected]> proto=ESMTP helo=<mail146.transactional.voxtelecom.co.za.eversrv.com>
This particular failure would be in /etc/postfix/helo_access.pcre
/(eversrv\.com)$/ REJECT ACCESS DENIED. Evil marketing companies who never asked permission to email here (${1})
But if you uncommented the line check_helo_access or the entire smtpd_helo_restrictions section this problem will also go away, with the disadvantage were these some really legit spammers they are now free to deliver email.