Force Postfix to allow empty HELO/EHLO commands

Written by - 0 comments

Published on September 22nd 2016 - Listed in Mail Linux


As I previously wrote, I was working on a central SMTP relay system for internal servers. I came across a strange problem today, when a client couldn't send any mails.

After activating that particular client (10.10.44.20) in the debug_peer_list, I found the following information in the mail logs:

postfix/smtpd[9045]: connect from unknown[10.10.44.20]
postfix/smtpd[9045]: match_hostaddr: smtpd_client_event_limit_exceptions: 10.10.44.20 ~? cidr:/etc/postfix/networks(0,lock|utf8_request)
postfix/smtpd[9045]: dict_cidr_lookup: /etc/postfix/networks: 10.10.44.20
postfix/smtpd[9045]: > unknown[10.10.44.20]: 220 inf-smtp01-p.nzzmg.ch ESMTP Postfix (Ubuntu)
postfix/smtpd[9045]: < unknown[10.10.44.20]: HELO
postfix/smtpd[9045]: > unknown[10.10.44.20]: 501 Syntax: HELO hostname
postfix/smtpd[9045]: < unknown[10.10.44.20]: QUIT
postfix/smtpd[9045]: > unknown[10.10.44.20]: 221 2.0.0 Bye
postfix/smtpd[9045]: match_hostaddr: smtpd_client_event_limit_exceptions: 10.10.44.20 ~? cidr:/etc/postfix/networks(0,lock|utf8_request)
postfix/smtpd[9045]: dict_cidr_lookup: /etc/postfix/networks: 10.10.44.20

Interestingly, the client didn't send any value after the HELO command. That's a must according to the basic SMTP rules!

Without deeper explanation into the who and why's, I added a workaround into Postfix to allow such empty HELO commands. Or better said: I told Postfix to rewrite the faulty SMTP command.

This can be done by using smtpd_command_filter in /etc/postfix/main.cf:

smtpd_command_filter = pcre:/etc/postfix/command_filter

In order to use pcre tables, the pcre postfix module must first be installed:

apt-get install postfix-pcre

Within the /etc/postfix/command_filter file, I used the exact same example as mentioned in the official Postfix documentation for smtpd_command_filter:

# Work around clients that send malformed HELO commands.
/^HELO\s*$/ HELO domain.invalid

The empty HELO can now be tested manually with telnet:

$ telnet centralmailrelay.example.com 25
Trying xxx.xxx.xxx.xxx...
Connected to centralmailrelay.example.com.
Escape character is '^]'.
220 mail1.example.com ESMTP Postfix (Ubuntu)
HELO
250 mail1.example.com
quit
221 2.0.0 Bye
Connection closed by foreign host.

Yes. Works.

But, as mentioned, this should be fixed on the client as this is SMTP basics.


Add a comment

Show form to leave a comment

Comments (newest first)

No comments yet.