
Thread: Non-Resolving HELO names

  1. #1
    Join Date
    Jun 2007
    Posts
    86
    Rep Power
    8

    Non-Resolving HELO names

    We have a client that has a source (sender), which when that source sends our client an email it never gets to the client. !Because!, the source (the sender) has a screwed up mail server setup and it answers with the hello of "beetle", which doesn't resolve to anything.

    Question: How can I tell Zimbra to make an exception for this non-reversing name, without disabling the "non-resolving" filter globally? The white list function only trains the amavis filters, but this issue is at the MTA level.
    Robert Canary
    OCDirect Electrical-Datacomm

  2. #2
    Join Date
    Feb 2007
    Location
    Portland, OR
    Posts
    1,147
    Rep Power
    10

    Unfortunately you either have this option on and block a ton of mail... spam and non spam messages alike, or you turn this option off and deal with spam another way. There are LOTS of email servers that are improperly configured and respond with only the first part of their host name rather than the proper FQDN.

  3. #3
    Join Date
    Jun 2007
    Posts
    86
    Rep Power
    8

    We have a Sendmail server that is sourced by LDAP. It uses the access-list in the LDAP server. On it we always include that domain and it would allow the domain although it did not resolve the HELO name.

    Does Zimbra use the access list on the LDAP server? But then the setup created an LDAP password and I don't know how to get into it. I've seen the CLI to change the password, but I was afraid to change, afraid it would break something.
    Last edited by rwcanary; 10-27-2009 at 08:10 PM. Reason: Spelling Correction
    Robert Canary
    OCDirect Electrical-Datacomm

  4. #4
    Join Date
    Feb 2007
    Location
    Portland, OR
    Posts
    1,147
    Rep Power
    10

    Sorry, looks like I forgot to actually specify the option in the config that is blocking that server:
    Global Settings -> MTA tab -> Client must greet with a fully qualified hostname (reject_non_fqdn_hostname)

    As for an LDAP ACL... I don't think so but you can look. The LDAP root password can be found using this command:
    Code:
    zmlocalconfig -s ldap_root_password
    And the root DN I use to connect is
    Code:
    uid=zimbra,cn=admins,cn=zimbra

  5. #5
    Join Date
    Jun 2007
    Posts
    86
    Rep Power
    8

    I use GQ for easier browsing, but can't figure out what it is wanting for a base DN and the Bind DN.
    Robert Canary
    OCDirect Electrical-Datacomm

  6. #6
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    25

    I would highly recommend that your client fixes their MTA ... If they are sending out to other people as well then I am pretty sure a lot of their email will not be getting delivered.

    As that is pretty much a given in Postfix configuration the only thing you could do is add a header check prior to reject_non_fqdn_hostname and if it matches their MTA name accept the email. This would be a real fudge when what should happen is that they make their MTA RFC compliant.
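
Added example, not written by any poster in this thread: one way to express the per-sender exception discussed above in plain Postfix, with the exception evaluated ahead of `reject_non_fqdn_hostname`. The file paths and the address 192.0.2.25 are assumptions, and where Zimbra keeps its generated restriction list is not shown in this thread.

```conf
# --- main.cf (plain Postfix; file paths are assumptions) ---------------
# Restrictions run left to right and the first OK or REJECT ends the list,
# so the exception must sit before reject_non_fqdn_hostname but after
# reject_unauth_destination (an earlier OK would skip the relay check).
smtpd_helo_required = yes
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination,
    check_client_access cidr:/etc/postfix/client_exceptions,
    reject_non_fqdn_hostname

# Postfix 2.3 and later call the last item reject_non_fqdn_helo_hostname.

# --- /etc/postfix/client_exceptions (cidr table, no postmap needed) ----
# Keyed on the sender's connecting address, which the peer cannot choose
# the way it chooses its HELO string. 192.0.2.25 is a constructed address.
192.0.2.25/32    OK

# --- Variant keyed on the HELO name itself ------------------------------
# main.cf:  check_helo_access hash:/etc/postfix/helo_exceptions
# table:    beetle    OK        (run: postmap /etc/postfix/helo_exceptions)
# Any host that greets as "beetle" then skips the FQDN check.
```

An OK result also skips any restrictions listed after it in the same list, so checks that must still apply to the excepted sender belong before the lookup.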

  7. #7
    Join Date
    Sep 2006
    Location
    477 Congress Street | Portland, ME 04101
    Posts
    1,374
    Rep Power
    11

    Quote: Originally Posted by rwcanary
    We have a client that has a source (sender), which when that source sends our client an email it never gets to the client. !Because!, the source (the sender) has a screwed up mail server setup and it answers with the hello of "beetle", which doesn't resolve to anything.

    Question: How can I tell Zimbra to make an exception for this non-reversing name, without disabling the "non-resolving" filter globally? The white list function only trains the amavis filters, but this issue is at the MTA level.

    We run a lot of mail servers in addition to Zimbra, and unfortunately I can tell you there are many, many legitimate email servers that don't HELO with their FQDN.

    Consequently, we don't use this test.

    Hope that helps,
    Mark

  8. #8
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    25

    Mark,

    It is like somebody sending you a letter and not paying the appropriate postage. Should the recipient pay the difference or the sender?

    Perhaps bouncing with a 450 to start with asking the sender to make their MTA RFC compliant.

  9. #9
    Join Date
    Sep 2006
    Location
    477 Congress Street | Portland, ME 04101
    Posts
    1,374
    Rep Power
    11

    Quote: Originally Posted by uxbod
    Mark,

    It is like somebody sending you a letter and not paying the appropriate postage. Should the recipient pay the difference or the sender?

    Perhaps bouncing with a 450 to start with asking the sender to make their MTA RFC compliant.

    It actually isn't like that...

    It happens when the MX record is a proxy, load balancing several real mail servers behind it. We see this with Postini and a number of large ISPs with high availability systems.

    It's easy to point to a single Exchange server whose admin never set the smtp greeting properly (and they should), especially when Zimbra sets this for us automatically, but blocking email based on a mismatch between the MX record and the HELO will block tons of legitimate email from systems whose admins won't even return your call.

    Hope that helps,
    Mark

  10. #10
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    25

    So much for having standards then, Mark. And I do take your comments on board and have seen similar, but otherwise how do companies learn?
