Elleni Veteran
Joined: 23 May 2006 Posts: 1270
Posted: Thu Apr 29, 2021 8:05 pm Post subject: [solved] iphone sent mails recently rejected |
Recently updated iPhones trying to send mails through my Gentoo mailserver started landing in the postfix jail of my fail2ban, and even with fail2ban stopped the iPhones cannot send mails anymore. Looking into my mailserver log, it seems to have to do with HELO?
For mail which was blocked I see:
450 4.7.1 <smtpclient.apple>: Helo command rejected: Host not found
Tested sending mails with the Evolution mail client and with an Android mail client, and they do not seem to send a HELO at all.
How can this be fixed? (Apart from not using shitty iPhones)
The mail clients are configured with 993 for IMAP and 465 for SMTP. What would you suggest on how to properly handle this? I don't think changing the postfix server to not bother with forward and reverse lookups on HELO commands is a good idea?
Last edited by Elleni on Fri Apr 30, 2021 10:38 pm; edited 1 time in total |
Banana Veteran
Joined: 21 May 2004 Posts: 1384 Location: Germany
Hu Moderator
Joined: 06 Mar 2007 Posts: 21607
Posted: Fri Apr 30, 2021 3:19 pm Post subject: |
Working solely from the information provided, it looks to me like the iPhone sends a non-existent hostname, and the mail server does not like it. Configure the iPhone to use a proper hostname, or configure the mailserver to allow bogus hostnames, or configure the mailserver to treat this specific hostname as valid. |
Elleni Veteran
Joined: 23 May 2006 Posts: 1270
Posted: Fri Apr 30, 2021 7:01 pm Post subject: |
Tried adding to hosts file like this
Code: | 127.0.0.1 localhost smtpclient.apple |
Resulting in
Code: | LC_ALL=c ping smtpclient.apple
ping: socket: Address family not supported by protocol
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.029 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.033 ms |
But the problem is persisting.
Code: | Apr 30 19:00:15 hostname postfix/smtps/smtpd[18547]: NOQUEUE: reject: RCPT from xyz: 450 4.7.1 <smtpclient.apple>: Helo command rejected: Host not found; from=<sending@email.adress> to=<receiving@emailadress> proto=ESMTP helo=<smtpclient.apple> |
Elleni Veteran
Joined: 23 May 2006 Posts: 1270
Posted: Fri Apr 30, 2021 7:05 pm Post subject: |
Hu wrote: | Working solely from the information provided, it looks to me like the iPhone sends a non-existent hostname, and the mail server does not like it. Configure the iPhone to use a proper hostname, or configure the mailserver to allow bogus hostnames, or configure the mailserver to treat this specific hostname as valid. |
That iPhone was used to send mails for years with its built-in mail app, but only recently - after an iOS update - it started behaving like this. I don't know how it would be possible to change on the iPhone, so I'd like to fix this on the server side without weakening it too much. How can the mailserver be configured to treat this specific hostname as valid? The hosts file idea sounded quite appealing but apparently did not work. Is it somewhere in main.cf where this would be configured?
I read here: Quote: |
If you want to reject HELO with bad hostnames, but still allow your users to be able to send even if their clients don't send FQDNs with HELO, you can leave these lines in place as you have them:
Code: | reject_non_fqdn_helo_hostname,
reject_invalid_helo_hostname,
|
But make sure they are preceded by:
Code: | permit_sasl_authenticated, |
This way, when one of your users authenticates, they'll be permitted to send email regardless of the validity of their HELO command, and only non-authenticated connections (which should only be other SMTP servers relaying mail to you, because you're obviously requiring all of your users to authenticate, right?) will be subject to the valid HELO requirement. |
But how would I correctly modify my main.cf? I hesitate to modify my main.cf as I fear to break the mailserver, so I thought better to ask than be sorry. Could that work? Or how would you fix this? |
Hu Moderator
Joined: 06 Mar 2007 Posts: 21607
Posted: Fri Apr 30, 2021 9:32 pm Post subject: |
I'd get a better behaved mail client. Sorry, I don't have more specific advice on how to tell the mailserver to tolerate this. |
Elleni Veteran
Joined: 23 May 2006 Posts: 1270
Posted: Fri Apr 30, 2021 10:34 pm Post subject: |
I do not use iPhones anyway. It's my brother and my wife using them, and WAF, you know.
Anyway - tried adding permit_sasl_authenticated additionally right before the two reject_helo entries as suggested in the linked post above. After that I had to clean up fail2ban as many IPs had landed in postfix, postfix-sasl and postfix-auth jails because of those updated iPhones. |
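Added example, not part of the thread and not the posters' code: a shell check for the ordering fix described above, where permit_sasl_authenticated has to come before the HELO hostname rejects because Postfix evaluates a restriction list in order and stops at the first match. The pattern also catches reject_unknown_helo_hostname, the Postfix restriction behind the "Host not found" reply; the sample lists are constructed, and smtpd_helo_restrictions as the parameter name is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. The sample lists are constructed; the
# thread does not say which main.cf parameter holds the poster's list
# (smtpd_helo_restrictions is assumed in the usage line at the bottom).

# check_helo_order LIST
# Walks a Postfix restriction list in evaluation order (first match wins).
# Returns 0 if SASL-authenticated clients are permitted before any HELO
# hostname reject (or the list has no such reject), 1 otherwise.
check_helo_order() {
    # Postfix accepts commas and/or whitespace between restrictions.
    for r in $(printf '%s' "$1" | tr ',' ' '); do
        case "$r" in
            permit_sasl_authenticated)
                echo "ok: authenticated clients pass before HELO checks"
                return 0 ;;
            # Matches reject_invalid_, reject_non_fqdn_ and
            # reject_unknown_helo_hostname.
            reject_*_helo_hostname)
                echo "bad: $r runs before permit_sasl_authenticated"
                return 1 ;;
        esac
    done
    echo "ok: no HELO hostname reject in this list"
    return 0
}

# Constructed sample lists: the two rejects quoted in the thread, without
# and with the permit in front of them.
BEFORE='reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname'
AFTER='permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname'

check_helo_order "$BEFORE" || true
check_helo_order "$AFTER"

# On a live server (parameter name is an assumption, see above):
#   check_helo_order "$(postconf -h smtpd_helo_restrictions)"
```

Running the check before `postfix reload` catches a list where the permit was appended after the rejects, which would leave authenticated clients subject to the HELO checks.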