need fully-qualified hostname;

Helo command rejected: need fully-qualified hostname; from=<dan@sigmadogs.com> to=<dan@sigmadogs.com> proto=ESMTP helo

I have tried all kinds of things. Any ideas??? This problem occurs when I try to run the Outlook account test. The server is now receiving email and can send email if I use mailx. Outside sources appear not to authenticate properly.

/etc/postfix :postconf -n
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
header_checks = regexp:/etc/postfix/header_checks
html_directory = no
local_destination_concurrency_limit = 5
local_destination_recipient_limit = 300
mail_owner = postfix
mailq_path = /usr/bin/mailq.postfix
manpage_directory = /usr/share/man
mime_header_checks = pcre:/etc/postfix/body_checks
mydestination = $myhostname, localhost
mydomain = sigmadogs.com
myhostname = sigmadogs.com
mynetworks_style = host
newaliases_path = /usr/bin/newaliases.postfix
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.3.3/README_FILES
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix-2.3.3/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtpd_banner = $myhostname
smtpd_helo_required = no
smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_non_fqdn_helo_hostname, reject_invalid_helo_hostname, reject_unauth_destination
smtpd_sasl_auth_enable = no
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
soft_bounce = no
unknown_local_recipient_reject_code = 550
virtual_alias_maps = hash:/etc/postfix/virtual

28 Replies

By "outside sources" do you mean a mail client you're trying to use to send mail? In that case, it's likely that your client is not authenticating properly (incorrect username or password).

Because permit_sasl_authenticated appears before reject_non_fqdn_helo_hostname in the smtpd_recipient_restrictions configuration, any mail client that properly completes SASL authentication will not be subject to the requirement for a fully-qualified hostname.

I am sure of the password. I investigated that first. The problem is that Outlook only sends the name of the PC, which only has a name and not a domain name attached to it.

@daudet:

smtpd_sasl_auth_enable = no
You haven't set up authentication on your smtpd service. Have you set up a separate submission port? What does postconf -M show?

/etc/postfix :postconf -m
btree
cidr
environ
hash
ldap
mysql
nis
pcre
pgsql
proxy
regexp
static
unix

I am not the one that set this up originally but I am now left to try to fix it. Any help is greatly appreciated.

postconf -m is not postconf -M

postconf: invalid option -- 'M'
postconf: fatal: usage: postconf [-a (server SASL types)] [-A (client SASL types)] [-b (bounce templates)] [-c config_dir] [-d (defaults)] [-e (edit)] [-# (comment-out)] [-h (no names)] [-l (lock types)] [-m (map types)] [-n (non-defaults)] [-v] [name...]

/etc/postfix :

Stever, any chance that I could pay you to fix this; as I really need to get this going? As I said, I believe I am 90% of the way there. I just need the external access piece fixed. If you are interested you can contact me at daudet@carolina.rr.com

OK, sorry about the postconf confusion, you must be running an older version of postfix than me.

Try this instead:

grep -v ^# /etc/postfix/master.cf

I can give you pointers but I'm not really qualified to offer paid help. This really isn't my field, I just run my own email server on the side.

If you can go in and fix it, I will be grateful regardless of your qualifications and HAPPY to pay you. I never expected you to be a total expert.

/etc/postfix :grep -v ^# /etc/postfix/master.cf
smtp inet n - - - - smtpd
cleanup unix n - n - 0 cleanup
qmgr fifo n - n 300 1 qmgr
tlsmgr unix - - n 1000? 1 tlsmgr
rewrite unix - - n - - trivial-rewrite
bounce unix - - n - 0 bounce
defer unix - - n - 0 bounce
trace unix - - n - 0 bounce
verify unix - - n - 1 verify
flush unix n - n 1000? 0 flush
proxymap unix - - n - - proxymap
proxywrite unix - - n - 1 proxymap
smtp unix - - n - - smtp
relay unix - - n - - smtp
  -o smtp_fallback_relay=
showq unix n - n - - showq
error unix - - n - - error
retry unix - - n - - error
discard unix - - n - - discard
local unix - n n - - local
virtual unix - n n - - virtual
lmtp unix - - n - - lmtp
anvil unix - - n - 1 anvil
scache unix - - n - 1 scache
pickup fifo n - n 60 1 pickup
  -o content_filter=
submission inet n - n - - smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
dovecot unix - n n - - pipe
  flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${user}@${domain}
smtp-amavis unix - - - - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o disable_dns_lookups=yes
  -o max_use=20
127.0.0.1:10025 inet n - - - - smtpd
  -o content_filter=
  -o local_recipient_maps=
  -o relay_recipient_maps=
  -o smtpd_restriction_classes=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o mynetworks_style=host
  -o mynetworks=127.0.0.0/8
  -o strict_rfc821_envelopes=yes
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_address_mappings

@daudet:

submission inet n - n - - smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
OK, that is what we were looking for. You have the submission port set up for SASL auth. Try setting your outlook client to use port 587 for outgoing smtp.

Using port 587

'Dan' on 6/14/2017 4:11 PM

504 5.5.2 : Helo command rejected: need fully-qualified hostname

I really need to get the domain name check turned off. It should be off due to this…

smtpd_helo_required = no

So I don't get it.

Is it possible that something else in the configuration is overriding this?

@daudet:

smtpd_helo_required = no
That just means the server doesn't require the client to HELO, but if the client does anyway (most will) then it is still subject to whatever checking you have enabled.

That said, I'd agree with the first reply from Vance - I don't see any reason why your server as configured would do any HELO checks on a SASL authenticated connection. Your errors imply that you are not authenticating, so I'd look at that end of things to see where the problem lies. Do you have TLS and authentication enabled for the outgoing SMTP server settings in your outlook client?

Maybe also check your mail log file when you try and send? You'd be looking for something like this:

Jun 15 11:40:36 xxxxx postfix/submission/smtpd[32139]: connect from unknown[xx.xx.xx.xx]
Jun 15 11:40:36 xxxxx postfix/submission/smtpd[32139]: Anonymous TLS connection established from unknown[xx.xx.xx.xx]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
Jun 15 11:40:37 xxxxx postfix/submission/smtpd[32139]: 239C3BCE6: client=unknown[xx.xx.xx.xx], sasl_method=PLAIN, sasl_username=xxxxx

I am indicating that my server requires username and password.

I am not sure what I need to do for TLS?

Jun 15 12:58:48 fido postfix/smtpd[16988]: warning: dict_nis_init: NIS domain name not set - NIS lookups disabled
Jun 15 12:58:48 fido postfix/smtpd[16988]: connect from unknown[75.90.50.25]
Jun 15 12:58:48 fido postfix/smtpd[16988]: lost connection after EHLO from unknown[75.90.50.25]
Jun 15 12:58:48 fido postfix/smtpd[16988]: disconnect from unknown[75.90.50.25]

Perhaps I need this?

alias_maps = hash:/etc/aliases

After adding I now get this…

Jun 15 13:04:05 fido postfix/smtpd[17147]: connect from unknown[75.90.50.25]
Jun 15 13:04:05 fido postfix/smtpd[17147]: lost connection after EHLO from unknown[75.90.50.25]
Jun 15 13:04:05 fido postfix/smtpd[17147]: disconnect from unknown[75.90.50.25]

@daudet:

I am indicating that my server requires username and password.

I am not sure what I need to do for TLS?
I haven't used Outlook in ages, but there should be some setting about encryption method for the outgoing server settings.

How do I turn off the requirement for encryption?

@daudet:

How do I turn off the requirement for encryption?
You really shouldn't do that as it will leave your authentication information exposed on the internet.

If you want to do it for testing (or if you just want to ignore my advice), you would comment out the smtpd_enforce_tls line in master.cf

submission inet n - n - - smtpd
#-o smtpd_enforce_tls=yes

I turned it off. That isn't the problem. The issue appears that it needs to know the domain of the IP address.

I can guarantee that if client authentication is successful, Postfix won't worry about the hostname.

Did you install things by following the Linode guide? Postfix needs a separate SASL provider (Dovecot in the case of the Linode guide) to handle authentication from clients. There is a companion troubleshooting guide as well.

Vance, is there any way, I could pay you to have a look at this? I don't care if you are an expert or not. We could maybe agree that if you make some improvement that I pay and if you don't no harm no foul? I have way too many hours into this already and I am looking to make a couple steps in the right direction.

As I said everything works fine if you are sitting on the server. The only problem as I know it, is with external clients.

I didn't set this up but it appears that I have found a huge problem.

etc/postfix :doveadm user dan

userdb lookup: user dan doesn't exist

When I dug into this further it appears that the database piece wasn't done. I think the person originally working on this, had some way of using a file instead of the database, but I am not seeing how this could have worked. I will wrestle with this until I get the test above to work.

Question here, if I want to get the easy stuff working first before worrying about encryption, what do I need to do with this section…

and where else do I need to change things.

service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
}

Has anyone seen this before?

/etc/dovecot/conf.d :service dovecot restart

Stopping Dovecot Imap: [FAILED]

Starting Dovecot Imap: Error: service(auth): unlink(/var/spool/postfix/private/auth) failed: Is a directory

Fatal: Failed to start listeners

[FAILED]

My guess, is that I forgot a parameter after a path somewhere.

I fixed that issue by deleting the directory. However when I try to send an email out from the server with any other user than root, I am now getting this. It could be one of the million changes made today.

Jun 16 16:43:59 fido postfix/sendmail[3610]: fatal: open /etc/postfix/main.cf: Permission denied

Ah, if someone else set things up and you don't know what they did, that complicates matters. It sounds like your problem is with Dovecot, which unfortunately I'm not experienced with. Unfortunately I don't think I can contribute much more.

My best suggestions at this point would be to either start over fresh and follow the Linode guide for Postfix, Dovecot, and MySQL from the beginning or to punt entirely and have someone else like Google manage your e-mail. If you're not interested in diving in to e-mail administration yourself, it might be better to outsource it. (There are certainly many valid reasons to host your own e-mail, but you should weigh the benefits against the costs.)

Good luck!

I've had that server send out forum email for +4 years without a hiccup. At one time the forum was extremely busy and would sometimes send out over +2000 emails per hour. I just have never integrated it with an external client such as Outlook. I now need that for my small business.

Do I have options, other than Dovecot?

For future reference, I'd like to point out a few things, in case others have similar problems.

The postfix documentation is not very good and it fails to describe vital information about how postfix works. The main.cf configuration will set various global parameters, but will also set the way the default smtpd process will respond to port 25. For example, when a connection is made on port 25, various items will be checked in turn:

smtpd_client_restrictions
smtpd_helo_restrictions
smtpd_sender_restrictions
smtpd_relay_restrictions
smtpd_recipient_restrictions
smtpd_data_restrictions
smtpd_end_of_data_restrictions

You may place various checks, processes, milters, etc on any of the above steps that will be run in turn. So in this case the original poster's problem is because of the HELO checks under smtpd_helo_restrictions, those restrictions will block the horrible M$ outlook client. This is not wrong, actually this is the correct thing! Because we are talking about port 25 by default in the main.cf, which should be used by other MTA's and not a MUA.

The actual MUA communication should happen via the submission port (587), which should have full encryption as a requirement, a lax HELO policy (to allow the horrible Outlook to connect), enforced authentication, milters like OpenDKIM and other details like that. But all that, does not happen in the main.cf, but in the master.cf file, under the "submission" line.

I hope I didn't confuse you even more :)
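The stage-by-stage evaluation described in the post above, modelled as an added Python example (a simplified model, not Postfix code and not from anyone in the thread). The restriction lists are the ones in the posted main.cf and master.cf; the client IP, the HELO name DANS-PC and the session fields are constructed.

```python
import re

# Stages in the order smtpd consults them (relay/data stages left out).
STAGES = ["client", "helo", "sender", "recipient"]
FQDN = re.compile(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}", re.I)
VALID = re.compile(r"[a-z0-9.-]+|\[[0-9a-f:.]+\]", re.I)

def check(name, s):
    """Return 'PERMIT', 'REJECT: <reason>' or None (no opinion)."""
    if name == "permit_mynetworks":
        return "PERMIT" if s["ip"] in s["mynetworks"] else None
    if name == "permit_sasl_authenticated":
        return "PERMIT" if s["sasl_user"] else None
    if name == "reject_non_fqdn_helo_hostname":
        return None if FQDN.fullmatch(s["helo"]) else "REJECT: need fully-qualified hostname"
    if name == "reject_invalid_helo_hostname":
        return None if VALID.fullmatch(s["helo"]) else "REJECT: invalid name"
    if name == "reject_unauth_destination":
        return None if s["rcpt_domain"] in s["mydestination"] else "REJECT: relay access denied"
    if name == "reject":
        return "REJECT: access denied"
    raise ValueError(f"restriction not modelled: {name}")

def evaluate(lists, session):
    """PERMIT ends only the current list; REJECT ends the whole transaction."""
    for stage in STAGES:
        for name in lists.get(stage, []):
            verdict = check(name, session)
            if verdict == "PERMIT":
                break
            if verdict:
                return f"{stage}: {verdict}"
    return "accepted"

# Restriction lists as posted in the thread: main.cf, then the submission overrides.
PORT25 = {"recipient": ["permit_mynetworks", "permit_sasl_authenticated",
                        "reject_non_fqdn_helo_hostname", "reject_invalid_helo_hostname",
                        "reject_unauth_destination"]}
SUBMISSION = dict(PORT25, client=["permit_mynetworks", "permit_sasl_authenticated", "reject"])

# Constructed session: remote Outlook PC that sends its bare machine name in EHLO.
SESSION = {"ip": "203.0.113.7", "helo": "DANS-PC", "sasl_user": None,
           "rcpt_domain": "sigmadogs.com", "mynetworks": {"127.0.0.1"},
           "mydestination": {"sigmadogs.com", "localhost"}}

if __name__ == "__main__":
    for label, lists in (("port 25", PORT25), ("submission", SUBMISSION)):
        for user in (None, "dan"):
            print(label, user, "->", evaluate(lists, dict(SESSION, sasl_user=user)))
```

On port 25 the posted main.cf has smtpd_sasl_auth_enable = no, so `sasl_user` can never be set there; the authenticated port 25 case is included only to show what permit_sasl_authenticated does when it matches.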
