Header RSS Feed
If you only want to see the articles of a certain category, please click on the desired category below:
ALL Android Backup BSD Database Hacks Hardware Internet Linux Mail MySQL Monitoring Network Personal PHP Proxy Shell Solaris Unix Virtualization VMware Windows Wyse

Force Postfix to allow empty HELO/EHLO commands
Thursday - Sep 22nd 2016 - by - (0 comments)

As I previously wrote, I was working on a central SMTP relay system for internal servers. I came across a strange problem today, when a client couldn't send any mails.

After activating that particular client ( in the debug_peer_list, I found the following information in the mail logs:

postfix/smtpd[9045]: connect from unknown[]
postfix/smtpd[9045]: match_hostaddr: smtpd_client_event_limit_exceptions: ~? cidr:/etc/postfix/networks(0,lock|utf8_request)
postfix/smtpd[9045]: dict_cidr_lookup: /etc/postfix/networks:
postfix/smtpd[9045]: > unknown[]: 220 inf-smtp01-p.nzzmg.ch ESMTP Postfix (Ubuntu)
postfix/smtpd[9045]: < unknown[]: HELO
postfix/smtpd[9045]: > unknown[]: 501 Syntax: HELO hostname
postfix/smtpd[9045]: < unknown[]: QUIT
postfix/smtpd[9045]: > unknown[]: 221 2.0.0 Bye
postfix/smtpd[9045]: match_hostaddr: smtpd_client_event_limit_exceptions: ~? cidr:/etc/postfix/networks(0,lock|utf8_request)
postfix/smtpd[9045]: dict_cidr_lookup: /etc/postfix/networks:

Interestingly, the client didn't send any value after the HELO command. That's a must according to the basic SMTP rules!

Without deeper explanation into the who and why's, I added a workaround into Postfix to allow such empty HELO commands. Or better said: I told Postfix to rewrite the faulty SMTP command.

This can be done by using smtpd_command_filter in /etc/postfix/main.cf:

smtpd_command_filter = pcre:/etc/postfix/command_filter

In order to use pcre tables, the pcre postfix module must first be installed:

apt-get install postfix-pcre

Within the /etc/postfix/command_filter file, I used the exact same example as mentioned in the official Postfix documentation for smtpd_command_filter:

# Work around clients that send malformed HELO commands.
/^HELO\s*$/ HELO domain.invalid

The empty HELO can now be tested manually with telnet:

$ telnet centralmailrelay.example.com 25
Trying xxx.xxx.xxx.xxx...
Connected to centralmailrelay.example.com.
Escape character is '^]'.
220 mail1.example.com ESMTP Postfix (Ubuntu)
250 mail1.example.com
221 2.0.0 Bye
Connection closed by foreign host.

Yes. Works.

But, as mentioned, this should be fixed on the client as this is SMTP basics.


Add a comment

Show form to leave a comment

Comments (newest first):

No comments yet.

Go to Homepage home
Linux Howtos how to's
Monitoring Plugins monitoring plugins
Links links

Valid HTML 4.01 Transitional
Valid CSS!
[Valid RSS]

6938 Days
until Death of Computers