Further to our discussion on Tuesday night:
As a wonderful local example, I’ve just discovered that with postfix, enforcing valid HELO hostnames (which really isn’t all that stringent a check!) prevents the Winnipeg Free Press’ website from emailing me. It seems registering on the website causes the registration-confirmation email to be sent from “clickability.com” (aka Limelight’s “Dynamic Site Platform”). OK, fine. They even have reverse DNS set up correctly. But their outbound MX host identified itself as “la-mailout1.clickability.com”. No such A record exists, so postfix immediately rejects the message at the HELO stage.
FWIW, the host connecting to me is “dv-mailout1.clickability.com”, which correctly resolves forward and reverse.
For anyone who’s interested, my Postfix main.cf reads, in part:
    smtpd_helo_restrictions =
        permit_inet_interfaces,
        permit_mynetworks,
        permit_sasl_authenticated,
        check_helo_access hash:/etc/postfix/client_access,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname,
        reject_unauth_pipelining,
        reject_rhsbl_helo zen.spamhaus.org
but adding:
    dv-mailout1.clickability.com OK
    la-mailout1.clickability.com OK
    208.80.58.240 OK
to /etc/postfix/client_access (and remembering to run postmap on it) eventually convinces Postfix to let this message in. (But typically not immediately, which I still don’t understand. Ideas?) Only one of those lines should be necessary, but I’ve never figured out which one :-).
-Adam Thompson
athompso@athompso.net
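
Added example, not part of the original message and not Postfix code: a simplified Python model of how the HELO restrictions quoted above are evaluated, showing that check_helo_access looks up the HELO name (and its parent domains), so only the la-mailout1 entry changes the outcome. The DNS set, the function names and the assumption that the client is external and unauthenticated (so the permit_* rules do not fire) are constructed for illustration.

```python
import re

# Constructed DNS view matching the post: only the dv- name resolves (A/MX).
DNS_RESOLVES = {"dv-mailout1.clickability.com"}
HELO, CLIENT_IP = "la-mailout1.clickability.com", "208.80.58.240"
ENTRIES = ["dv-mailout1.clickability.com",
           "la-mailout1.clickability.com",
           "208.80.58.240"]

LABEL = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?")


def helo_access(helo, table):
    """check_helo_access: look up the HELO name, then its parent domains."""
    labels = helo.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        action = table.get(".".join(labels[i:]))
        if action:
            return action
    return None  # no match: fall through to the next restriction


def evaluate(helo, client_ip, table):
    """Walk the restrictions in main.cf order; the first decision wins.
    client_ip is accepted only to show that no HELO check consults it."""
    action = helo_access(helo, table)
    if action == "OK":
        return "permit (check_helo_access)"
    if action == "REJECT":
        return "reject (check_helo_access)"
    name = helo.lower().rstrip(".")
    if not all(LABEL.fullmatch(part) for part in name.split(".")):
        return "reject (reject_invalid_helo_hostname)"
    if "." not in name:
        return "reject (reject_non_fqdn_helo_hostname)"
    if name not in DNS_RESOLVES:
        return "reject (reject_unknown_helo_hostname)"
    return "dunno (continue to later restrictions)"


def single_entry_verdicts():
    """Verdict for the post's HELO name with each map entry present alone."""
    return {key: evaluate(HELO, CLIENT_IP, {key: "OK"}) for key in ENTRIES}


if __name__ == "__main__":
    for key, verdict in single_entry_verdicts().items():
        print(f"{key:30} -> {verdict}")
```

On a live system, `postmap -q la-mailout1.clickability.com hash:/etc/postfix/client_access` shows whether that key is present in the compiled map.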