Force Postfix to allow empty HELO/EHLO commands

Written by - 0 comments

Published on - Listed in Mail Linux


As I previously wrote, I was working on a central SMTP relay system for internal servers. I came across a strange problem today, when a client couldn't send any mails.

After activating that particular client (10.10.44.20) in the debug_peer_list, I found the following information in the mail logs:

postfix/smtpd[9045]: connect from unknown[10.10.44.20]
postfix/smtpd[9045]: match_hostaddr: smtpd_client_event_limit_exceptions: 10.10.44.20 ~? cidr:/etc/postfix/networks(0,lock|utf8_request)
postfix/smtpd[9045]: dict_cidr_lookup: /etc/postfix/networks: 10.10.44.20
postfix/smtpd[9045]: > unknown[10.10.44.20]: 220 inf-smtp01-p.nzzmg.ch ESMTP Postfix (Ubuntu)
postfix/smtpd[9045]: < unknown[10.10.44.20]: HELO
postfix/smtpd[9045]: > unknown[10.10.44.20]: 501 Syntax: HELO hostname
postfix/smtpd[9045]: < unknown[10.10.44.20]: QUIT
postfix/smtpd[9045]: > unknown[10.10.44.20]: 221 2.0.0 Bye
postfix/smtpd[9045]: match_hostaddr: smtpd_client_event_limit_exceptions: 10.10.44.20 ~? cidr:/etc/postfix/networks(0,lock|utf8_request)
postfix/smtpd[9045]: dict_cidr_lookup: /etc/postfix/networks: 10.10.44.20

Interestingly, the client didn't send any value after the HELO command. That's a must according to the basic SMTP rules!

Without deeper explanation into the who and why's, I added a workaround into Postfix to allow such empty HELO commands. Or better said: I told Postfix to rewrite the faulty SMTP command.

This can be done by using smtpd_command_filter in /etc/postfix/main.cf:

smtpd_command_filter = pcre:/etc/postfix/command_filter

In order to use pcre tables, the pcre postfix module must first be installed:

apt-get install postfix-pcre

Within the /etc/postfix/command_filter file, I used the exact same example as mentioned in the official Postfix documentation for smtpd_command_filter:

# Work around clients that send malformed HELO commands.
/^HELO\s*$/ HELO domain.invalid

The empty HELO can now be tested manually with telnet:

$ telnet centralmailrelay.example.com 25
Trying xxx.xxx.xxx.xxx...
Connected to centralmailrelay.example.com.
Escape character is '^]'.
220 mail1.example.com ESMTP Postfix (Ubuntu)
HELO
250 mail1.example.com
quit
221 2.0.0 Bye
Connection closed by foreign host.

Yes. Works.

But, as mentioned, this should be fixed on the client as this is SMTP basics.


Add a comment

Show form to leave a comment

Comments (newest first)

No comments yet.

RSS feed

Blog Tags:

  AWS   Android   Ansible   Apache   Apple   Atlassian   BSD   Backup   Bash   Bluecoat   CMS   Chef   Cloud   Coding   Consul   Containers   CouchDB   DB   DNS   Database   Databases   Docker   ELK   Elasticsearch   Filebeat   FreeBSD   Galera   Git   GlusterFS   Grafana   Graphics   HAProxy   HTML   Hacks   Hardware   Icinga   Influx   Internet   Java   KVM   Kibana   Kodi   Kubernetes   LVM   LXC   Linux   Logstash   Mac   Macintosh   Mail   MariaDB   Minio   MongoDB   Monitoring   Multimedia   MySQL   NFS   Nagios   Network   Nginx   OSSEC   OTRS   Observability   Office   OpenSearch   PGSQL   PHP   Perl   Personal   PostgreSQL   Postgres   PowerDNS   Proxmox   Proxy   Python   Rancher   Rant   Redis   Roundcube   SSL   Samba   Seafile   Security   Shell   SmartOS   Solaris   Surveillance   Systemd   TLS   Tomcat   Ubuntu   Unix   VMWare   VMware   Varnish   Virtualization   Windows   Wireless   Wordpress   Wyse   ZFS   Zoneminder