
Outlook: Helo command rejected: need fqdn

3106 Views 23 Replies Latest reply: Sep 28, 2013 8:49 AM by Laird Williams
  • redshift82r Level 2 (325 points)
    Oct 10, 2012 2:39 PM (in response to angryiphoneuser)

    To make your settings permanent, you have three options.

     

    The least preferred is to make the change to the config file. As you've found, these changes get nuked every time you make a change via server.app.

     

    Option 2 is to find the default config file, make a copy and then make the change to the default file as well. So in your case, copy main.cf.default to main.cf.default.10.8.2 and then edit main.cf.default as well as main.cf. This way, when server.app makes the changes, it uses a file that already has the edit. However, this doesn't protect you from OS X server updates in the future.

     

    The most preferred is to use the tools provided by Apple.

     

    So the easiest and most (but not guaranteed) future-proof method is to use serveradmin from the command line for those changes that cannot be made in the server.app GUI.

     

    Any setting you see in serveradmin can be changed by serveradmin command and will be permanent unless you make a change to the same setting via the server.app GUI.

    I.e.

     

    $ sudo serveradmin settings mail:postfix:mynetworks:_array_index:0 = 192.168.0.0/16

    I'm pretty sure that the way to specify the range is as follows - 192.168.10.0/8 or 192.168.0.0/16 or 192.0.0.0/24

     

    Should do the trick!

     

    Cheers

    Gerry

  • redshift82r Level 2 (325 points)
    Oct 12, 2012 2:30 AM (in response to angryiphoneuser)

    Sorry my bad re the tcp mask :)

     

    I helped someone set up Roundcube and managesieve from scratch yesterday and it took around 90 minutes including downloads. I'm going to take a guess and say that the tcp port that the sieve listens on in 10.8 is different to 10.6 but I guess we'll see!

     

    Gerry

  • redshift82r Level 2 (325 points)
    Oct 15, 2012 4:04 PM (in response to angryiphoneuser)

    Nick, sorry - don't know - you could try!

     

    Otherwise, make a backup of main.cf.default and make the change to main.cf and main.cf.default and then copy the altered main.cf.default to another backup file - say main.cf.default.myfixes. That way, at worst when you do an operating system upgrade, you may have to copy your altered main.cf.default.myfixes file back to main.cf.default.

     

    Cheers

    Gerry

  • Matt Domenici Level 1 (110 points)
    Sep 21, 2013 1:58 PM (in response to angryiphoneuser)

    Actually, you can keep the rejection for non-FQDN so long as the "permit_sasl_authenticated" comes first in the helo restrictions.

  • Laird Williams Level 1 (0 points)
    Sep 28, 2013 8:49 AM (in response to angryiphoneuser)

    The article available here presents a good discussion of how to deal with this robustly and securely. It is related to several of the other suggestions in this thread.

     

    These changes leave the HELO restriction in place unless the user is authenticated or is on the local network.

     

    Note that you also need to set mynetworks appropriately. If, for example, you are on the ubiquitous class C home network 192.168.1.*, then you need to do the following as well:

     

    1) QUIT (not close) Server Admin and open Terminal

    2) Check your current config with this command:      

    sudo postconf -c /Library/Server/Mail/Config/postfix mynetworks

    3) In most cases, you will get back just the following. If you get something more like what is shown in (5), then someone already did this and you can stop.

    mynetworks = 127.0.0.0/8,[::1]/128

    4) If your "mynetworks" looks like the one above, then execute these two commands:

    sudo postconf -c /Library/Server/Mail/Config/postfix -e "mynetworks=127.0.0.0/8,192.168.1.0/24,[::1]/128"

     

    sudo postfix reload

    5) Repeat step 2 and you should get this:    

    mynetworks = 127.0.0.0/8,192.168.1.0/24,[::1]/128

     

    Ok - so to be complete, here is the solution from the link above as added steps...


    6) Enter these commands to set postfix to let the FQDN restriction "slide" for local network and authenticated users:

    postconf -e "smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated reject_non_fqdn_helo_hostname reject_invalid_helo_hostname"


    sudo postfix reload

     

    I have been running this way for a couple of months (OS X Mountain Lion Server 2.2.1 and now 2.2.2) with no problems having these changes overwritten. This includes surviving a couple of config changes from Server Admin and several reboots.

     

    (I do make the changes using the postconf command in the terminal, and not by hand editing the config files as others are suggesting, although I can't say whether this really makes any difference as far as protection from overwriting.)
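
Added example, not part of any post in this thread: a small Python model of how the smtpd_helo_restrictions list from step 6 is evaluated left to right, showing why the permit_* entries have to precede the reject_* entries, plus a parser that refuses mynetworks entries whose host bits are set. The function names, the simplified hostname checks and the client addresses are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample values, copied from steps 4 and 6 of the post above.
MYNETWORKS = "127.0.0.0/8,192.168.1.0/24,[::1]/128"
HELO_RESTRICTIONS = ("permit_mynetworks permit_sasl_authenticated "
                     "reject_non_fqdn_helo_hostname reject_invalid_helo_hostname")

def parse_mynetworks(value):
    """Parse a mynetworks value; raises ValueError when host bits are set
    (for example 192.168.1.5/16), which usually means the wrong mask."""
    items = re.split(r"[,\s]+", value.strip())
    return [ipaddress.ip_network(i.replace("[", "").replace("]", ""), strict=True)
            for i in items]

def is_fqdn(helo):
    # Simplified assumption: an FQDN contains a dot between labels;
    # an address literal such as [192.0.2.1] is accepted as well.
    return helo.startswith("[") or "." in helo.strip(".")

def is_valid_hostname(helo):
    # Simplified assumption: letters, digits, hyphens and dots only.
    return helo.startswith("[") or re.fullmatch(r"[A-Za-z0-9.-]+", helo) is not None

def helo_decision(restrictions, nets, client_ip, helo, sasl_authenticated):
    """Walk the list left to right; the first restriction that matches decides.
    Assumes smtpd_delay_reject = yes (the Postfix default), so the list is
    evaluated at RCPT TO, after the client has had the chance to authenticate."""
    addr = ipaddress.ip_address(client_ip)
    for rule in re.split(r"[,\s]+", restrictions.strip()):
        if rule == "permit_mynetworks" and any(addr in n for n in nets):
            return ("permit", rule)
        if rule == "permit_sasl_authenticated" and sasl_authenticated:
            return ("permit", rule)
        if rule == "reject_non_fqdn_helo_hostname" and not is_fqdn(helo):
            return ("reject", rule)
        if rule == "reject_invalid_helo_hostname" and not is_valid_hostname(helo):
            return ("reject", rule)
    return ("dunno", None)  # no rule matched; later restriction lists still apply

if __name__ == "__main__":
    nets = parse_mynetworks(MYNETWORKS)
    rejects_first = " ".join(reversed(HELO_RESTRICTIONS.split()))
    for label, order in (("thread order", HELO_RESTRICTIONS), ("rejects first", rejects_first)):
        # Constructed clients: LAN host, authenticated remote, anonymous remote.
        for ip, auth in (("192.168.1.50", False), ("203.0.113.7", True), ("203.0.113.7", False)):
            print(label, ip, "auth" if auth else "anon",
                  helo_decision(order, nets, ip, "LAPTOP", auth))
```
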
