Why does SMTP fail for some users: Helo command rejected

By default, OS X Servers expect a fully qualified domain name (FQDN) as a greeting (helo) for all SMTP connections.
The server expects:

helo mail.mydomain.com

Many apps (Outlook and some phones) don’t send a FQDN and instead send something like:

helo computer1

The server will reject this connection, and you will see this in your server’s mail.log:

Helo command rejected: need fully-qualified hostname

To resolve the issue

OS X Server 10.8

Check your current helo restrictions with:

sudo postconf -c /Library/Server/Mail/Config/postfix/ smtpd_helo_restrictions

Your results will likely be:

smtpd_helo_restrictions = reject_non_fqdn_helo_hostname reject_invalid_helo_hostname

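We’d like to allow local-LAN and SMTP-authenticated users to bypass the restriction. Postfix evaluates the restrictions from left to right and stops at the first one that matches, so the permit entries have to come before the reject entries. Note that permit_mynetworks exempts every address covered by the mynetworks setting, so make sure that setting lists only your own LAN.
Issue this to fix: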

sudo postconf -c /Library/Server/Mail/Config/postfix/ -e "smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated reject_non_fqdn_helo_hostname reject_invalid_helo_hostname"

Then activate the change with:

sudo postfix reload

OS X Server 10.5 – 10.7

Check your current helo restrictions with:

sudo postconf smtpd_helo_restrictions

Look at your results. You’ll probably want to keep the same restrictions but add permit_mynetworks and permit_sasl_authenticated before the reject lines.
If you had only these restrictions “reject_non_fqdn_helo_hostname reject_invalid_helo_hostname”, then you would issue:

sudo postconf -e "smtpd_helo_restrictions = permit_mynetworks permit_sasl_authenticated reject_non_fqdn_helo_hostname reject_invalid_helo_hostname"

Then activate the change with:

sudo postfix reload
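
If your existing value differs from the one shown above, the helper below builds the new value from whatever you currently have. It is an added example, not part of the original article: the function name merge_helo_restrictions is made up for illustration, and it goes slightly beyond the article's case by also handling comma-separated lists and values that already contain one of the permit entries.

```shell
#!/bin/sh
# Added example: insert permit_mynetworks and permit_sasl_authenticated
# in front of the first reject_* entry of an smtpd_helo_restrictions value,
# keeping every other entry in its original position.

# merge_helo_restrictions "<current value>"   (hypothetical helper name)
# Prints the merged value. Entries may be separated by spaces or commas.
# A value without any reject_* entry is returned unchanged.
merge_helo_restrictions() {
    out="" have_net=0 have_sasl=0 seen_reject=0
    for item in $(printf '%s' "$1" | tr ',' ' '); do
        case "$item" in
            permit_mynetworks)
                # After the first reject_* both permits are already in place,
                # so a later copy is redundant and is dropped.
                if [ "$seen_reject" -eq 1 ]; then continue; fi
                have_net=1 ;;
            permit_sasl_authenticated)
                if [ "$seen_reject" -eq 1 ]; then continue; fi
                have_sasl=1 ;;
            reject_*)
                if [ "$seen_reject" -eq 0 ]; then
                    seen_reject=1
                    # Add only the permits that were not seen earlier.
                    if [ "$have_net" -eq 0 ]; then
                        out="${out:+$out }permit_mynetworks"
                    fi
                    if [ "$have_sasl" -eq 0 ]; then
                        out="${out:+$out }permit_sasl_authenticated"
                    fi
                fi ;;
        esac
        out="${out:+$out }$item"
    done
    printf '%s\n' "$out"
}

# Constructed sample input: the default value quoted in the article.
merge_helo_restrictions "reject_non_fqdn_helo_hostname reject_invalid_helo_hostname"

# On the server (add -c /Library/Server/Mail/Config/postfix/ on 10.8):
#   new=$(merge_helo_restrictions "$(postconf -h smtpd_helo_restrictions)")
#   sudo postconf -e "smtpd_helo_restrictions = $new"
#   sudo postfix reload
```

Running it twice gives the same result, so it is safe to apply to a server that has already been fixed.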