How to Fix “Helo command rejected: Host not found” Error in Postfix Mail Relay Setup



When setting up a mail relay between a home server and a public server through OpenVPN, the strict HELO hostname verification in Postfix often causes rejection of legitimate emails. The error occurs because:

  • The home server's FQDN contains router-generated gibberish (e.g., "homeserver.blablabla_crappyrouter")
  • Postfix's default security settings require valid, resolvable HELO hostnames
  • The DNS infrastructure can't verify these non-standard hostnames

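To make this work, modify the Postfix configuration on the public server. Postfix evaluates the restrictions in order and stops at the first one that permits or rejects, so the check_helo_access lookup has to come before the reject_* rules it is meant to override:

# In /etc/postfix/main.cf
# Evaluated top to bottom; the first permit or reject decides.
smtpd_helo_restrictions =
    permit_mynetworks
    check_helo_access hash:/etc/postfix/helo_access
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname
    reject_unknown_helo_hostname
    permit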

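Create a HELO access control file to explicitly allow your home server. The HELO name is supplied by the client, so an OK entry exempts any client that sends that name from the remaining HELO checks; it does not authenticate the sender: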

# /etc/postfix/helo_access
HomeServer.blablabla_crappyRouter OK
[VPN_TUNNEL_IP] OK

Then compile the hash database:

sudo postmap /etc/postfix/helo_access
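Why the position of check_helo_access matters, as an added example (a simplified model written for this page, not Postfix code): the hypothetical helo_verdict function walks a restriction list in order and reports the first restriction that decides. The sample map text, the two rule orders and the other.example name are constructed; membership in mynetworks and DNS resolution are passed in as yes/no flags instead of being looked up.

```shell
#!/bin/sh
# Simplified model of first-match evaluation of smtpd_helo_restrictions.
# Usage:
#   helo_verdict LIST HELO IN_MYNETWORKS(yes|no) RESOLVES(yes|no) ACCESS_MAP_TEXT
helo_verdict() {
    list=$1; helo=$2; in_net=$3; resolves=$4; map=$5
    # Model the map lookup as case-insensitive: fold the key to lower case.
    key=$(printf '%s' "$helo" | tr 'A-Z' 'a-z')
    for r in $(printf '%s' "$list" | tr ',' ' '); do
        hit=""
        case $r in
        permit_mynetworks) if [ "$in_net" = yes ]; then hit=permit; fi ;;
        check_helo_access)
            # Look the HELO name up in the map's text source (OK / REJECT).
            act=$(printf '%s\n' "$map" |
                awk -v k="$key" 'tolower($1) == k { print $2; exit }')
            if [ "$act" = OK ]; then hit=permit; fi
            if [ "$act" = REJECT ]; then hit=reject; fi ;;
        reject_invalid_helo_hostname)
            # Model assumption: only letters, digits, ".", "_" and "-" pass.
            case $helo in ''|*[!A-Za-z0-9._-]*) hit=reject ;; esac ;;
        reject_non_fqdn_helo_hostname)
            case $helo in *.*) ;; *) hit=reject ;; esac ;;
        reject_unknown_helo_hostname)
            if [ "$resolves" = no ]; then hit=reject; fi ;;
        permit) hit=permit ;;
        esac   # any other token (e.g. the hash:... map argument) is skipped
        if [ -n "$hit" ]; then echo "$hit by $r"; return 0; fi
    done
    echo "no decision"
}

# Constructed sample data: the page's HELO name and two rule orders.
HELO_NAME="HomeServer.blablabla_crappyRouter"
SAMPLE_MAP='# constructed helo_access source
homeserver.blablabla_crappyrouter OK'
REJECTS_FIRST="permit_mynetworks reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
    check_helo_access hash:/etc/postfix/helo_access permit"
ACCESS_FIRST="check_helo_access hash:/etc/postfix/helo_access,
    permit_mynetworks, reject_invalid_helo_hostname,
    reject_non_fqdn_helo_hostname, reject_unknown_helo_hostname"

# Home server outside mynetworks, HELO name not in DNS:
helo_verdict "$REJECTS_FIRST" "$HELO_NAME" no no "$SAMPLE_MAP"
helo_verdict "$ACCESS_FIRST" "$HELO_NAME" no no "$SAMPLE_MAP"
# A name that is not in the map still hits the DNS check:
helo_verdict "$ACCESS_FIRST" "other.example" no no "$SAMPLE_MAP"
```

The permit depends only on the HELO string, so the same verdict applies to any client that sends that name.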

For development environments, you can relax HELO checks:

# /etc/postfix/main.cf
smtpd_helo_required = no
smtpd_helo_restrictions = 
    permit_mynetworks
    permit

After making changes, test with:

echo "Subject: Test" | sendmail -v recipient@example.com
tail -f /var/log/mail.log

While relaxing HELO checks solves the immediate problem, consider these security measures:

  • Use SASL authentication for mail relay
  • Implement TLS encryption
  • Restrict relay access to VPN IPs only

# /etc/postfix/main.cf
# Require TLS from every client
smtpd_tls_security_level = encrypt
# Accept clients in mynetworks (the VPN range) only; all other clients are rejected
smtpd_client_restrictions = permit_mynetworks, reject

  1. Verify OpenVPN tunnel stability
  2. Check Postfix logs after each configuration change
  3. Test both inbound and outbound mail flow
  4. Consider implementing SPF records for your domain

When setting up mail relay between servers, Postfix's strict HELO hostname validation often becomes a roadblock - especially when dealing with non-standard hostnames like those generated by consumer routers. The error 450 4.7.1 : Helo command rejected: Host not found typically occurs because:

  • The sending server's hostname doesn't resolve in DNS
  • The hostname format violates RFC standards
  • smtpd_helo_restrictions contains reject rules

In this specific case, we're dealing with:

Home Server → OpenVPN Tunnel → Public Server (Postfix)
Hostname: "HomeServer.blablabla_crappyRouter"
IP: Fixed via VPN tunnel

For the public server's main.cf:

# Whitelist VPN IP range (replace with your actual VPN subnet)
mynetworks = 127.0.0.0/8, [::1]/128, 10.8.0.0/24

# Modify HELO restrictions
smtpd_helo_restrictions = 
    check_helo_access hash:/etc/postfix/helo_access
    permit_mynetworks
    reject_invalid_helo_hostname
    reject_non_fqdn_helo_hostname

# Create access map (run in a shell on the public server, not in main.cf)
echo "HomeServer.blablabla_crappyRouter OK" > /etc/postfix/helo_access
postmap /etc/postfix/helo_access

For more permanent solutions consider:

Option 1: Override EHLO/HELO

# In home server's main.cf
smtp_helo_name = mail.mydomain.com
smtp_generic_maps = hash:/etc/postfix/generic

Option 2: SASL Authentication

# Public server's main.cf
smtpd_sender_login_maps = hash:/etc/postfix/sender_login
smtpd_sender_restrictions = 
    reject_authenticated_sender_login_mismatch
    reject_unauthenticated_sender

After configuration changes:

# On home server
echo "Test" | mail -s "Postfix Test" user@domain.com

# Check logs
tail -f /var/log/mail.log | grep postfix

Expected successful log entry:

postfix/smtpd[1234]: ABC123456: client=home-server[vpn-ip]

The log shows TLS verification failures:

STARTTLS=client, relay=mydomain.com., verify=FAIL

Ensure proper certificate configuration in main.cf:

smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_security_level = may