Hey people, I'm looking for opinions on the best practice for configuring my firewalls and/or Zimbra so I can get security notices from the firewalls.

My firewall is capable of sending out both notices of failed logins, intrusions, etc., and also backup files to an email address I specify. This feature uses an SMTP engine (Exim) built right into the firewall to kick the notices out, and they go out through the WAN IP of the box. If I send them to a nearly-unfiltered account I have elsewhere (not on Zimbra) the messages come through, even with Fetchmail grabbing them down to a Zimbra account. However, if I direct these same messages to an account on my Zimbra box, they are rejected by Postfix:
Feb 26 11:23:35 mail postfix/smtpd[24845]: NOQUEUE: reject: RCPT from unknown[XXX.XXX.XXX.XXX]: 504 <firewall-hostname>: Helo command rejected: need fully-qualified hostname; from=<do-not-reply@fw-notify.net> to=<myaddress> proto=ESMTP helo=<firewall-hostname>
I know WHY this is happening--I have the various MTA restrictions turned on, including:
  • reject_invalid_hostname
  • reject_non_fqdn_hostname
  • reject_non_fqdn_sender
  • reject_unknown_sender_domain
And guess what, it's following my instructions to the letter! I don't really want to turn these features off because they stop a lot of trash, but I DO want to get my firewall notices. I can see a couple less-than-desirable options:
  1. Add the WAN IP addresses to my "Allowed senders" relay list. My concern with this is that I don't much like to have a relay open to ANY public IPs.
  2. Register my WAN IPs in a DNS I control. I don't much like putting the gateways to my networks in a phone book... seems kinda like inviting trouble.
  3. There ought to be a way to whitelist the addresses I create, but my first attempts at whitelisting didn't work--it seems Postfix is rejecting the message before SpamAssassin gets a chance to whitelist it.
Would appreciate any ideas you all might have.
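For reference, here is the Postfix-level shape of option 3, added as an example and not part of the original post or of Zimbra's own configuration: a client access map consulted from smtpd_recipient_restrictions after the relay check, so the firewall's WAN address gets past the HELO and sender checks without ever becoming a relay client. The address 203.0.113.10 and the map path /etc/postfix/notify_clients are constructed placeholders. Zimbra generates main.cf from its own configuration store rather than having it edited by hand, so the file layout below is a plain-Postfix illustration of the restriction ordering to reproduce, not a file to drop onto a Zimbra box as-is.

```conf
# --- main.cf fragment (illustrative plain-Postfix layout, not the poster's actual config) ---
smtpd_helo_required = yes

# Relay control (reject_unauth_destination) stays ahead of the per-client
# exemption, so nothing listed after it can turn the firewall into a relay client.
# The four hostname/sender checks from the original post follow unchanged.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination,
    check_client_access hash:/etc/postfix/notify_clients,
    reject_invalid_hostname,
    reject_non_fqdn_hostname,
    reject_non_fqdn_sender,
    reject_unknown_sender_domain

# --- /etc/postfix/notify_clients (constructed path; rebuild with: postmap hash:/etc/postfix/notify_clients) ---
# 203.0.113.10 stands in for the firewall's WAN IP (constructed placeholder).
# permit_auth_destination, unlike a bare OK, only skips the remaining checks for
# mail addressed to domains this server already accepts, so the entry cannot
# grant relaying even if someone later moves it above reject_unauth_destination.
203.0.113.10    permit_auth_destination
```

Two points worth checking against the log line in the post: the rejection is logged at RCPT with "Helo command rejected", which is what you see when reject_non_fqdn_hostname sits in smtpd_recipient_restrictions, and it happens inside smtpd before the message is queued, which is why a SpamAssassin whitelist never gets a chance to act. The exemption therefore has to live in the Postfix restriction list itself; putting the firewall's IP in mynetworks or in the "Allowed senders" relay list would also work, but that grants full relaying, whereas the access map entry above only exempts that one client from the HELO and sender checks.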