Though I must admit insisting on at least a fully qualified hostname makes some people angry. And I rarely get any thanks for notifying fellow admins that they don’t know how to do their jobs…

There are a few false positives with reject_non_fqdn_hostname, but not more than I can live with. I usually notify the senders I and my customers want to receive mail from.

HELO_(SUB)_DOMAIN == Client IP/16/24/32 ||
SENDER_(SUB)_DOMAIN == Client IP/16/24/32

then: HELO OK
else: HELO NOT OK, check this with reverse records, and so on;

additionally it weights it with RBL/RHSBL results

We say HELO (NOT OK|OK) here because it is a little bit hard to differenciate scriptwise between HELO and sender envelope for “reporting”.

The reason for this check is, that we could do this also with SPF, but SPF breaks forwarding, policyd-weight doesn’t as either the HELO _should_ match, and as a backup we check whether the sender domain matches. As a very last resort we also check the reverse records.

Another reason for policyd-weight was, that reject_unknown_*, reject_rbl_client and others produced way too much false positives as postfix restrictions are on a 1|0 base. Either ok, or not ok.

And I expect legit mail to be rejected with reject_non_fqdn_hostname. But the check is not expensive in terms of time. And it cuts down on the number of lookups done with policyd-weight. While I was testing (using warn_if_reject in front of the restriction), I found that most of the mail that would have been rejected with the reject_non_fqdn_hostname check was in fact rejected by policyd-weight.

And servers that use non-qualified domains as HELO’s really need to grow up.

However, when I did exactly that (ie reject based on no-good HELO), I was confronted with a ton of false positives - otherwise perfectly legit mail servers that either had no rDNS, or that HELOed with an name that only made sense behind some firewall/router, or unqualified hostnames…

Additionally, DNS problems (timeouts etc) may impact the whole setup as well.

The trade-off between efficiency, accuracy, reliability and administration effort was just not right for my systems.

If you’re not blocking hosts without matching reverse DNS outright, this might not be a bad check to apply to them. If there’s no reverse, make sure the HELO host resolves to the client IP. If that fails, reject the connection with:

450 cannot find your hostname — and we really tried, too

:-)

Even the relatively conservative reject_invalid_hostname will catch a lot of mail sent through PIXes…

There are very few HELO checks you can do that don’t have false positives. About the best you can do is choose some with minimal false positives, put them after a check_recipient_access call allowing mail to postmaster, etc., and hope that the few legitimate senders will either fix their problem or contact you to be whitelisted…