How to deal with “Helo command rejected: ACCESS DENIED” on a Postfix / Kopano email server

On a Postfix email server with paranoid HELO security your clients might contact you because they are not getting email. Upon examining the email log file you stumble across the following message:

# journalctl | grep "sender-domain.com"
Jul 15 10:08:18 host postfix/smtpd[19117]: NOQUEUE: reject: RCPT from smtpout1.mo3004.mail-out.ovh.net[79.137.123.219]: 554 5.7.1 <smtpout1.mo3004.mail-out.ovh.net>: Helo command rejected: ACCESS DENIED. Unknown (ovh.net); from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<smtpout1.mo3004.mail-out.ovh.net>

The paranoid SMTP HELO restrictions are shown below; the culprit is most likely `reject_invalid_helo_hostname`:

smtpd_helo_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_non_fqdn_helo_hostname,
    reject_invalid_helo_hostname,
    check_helo_access pcre:/etc/postfix/helo_access.pcre

Our suggestion is to avoid these paranoid settings because clients do not take it lightly if email isn’t received and this leads to a lot of specialized support.

Edit /etc/postfix/main.cf and comment out the offending line by prefixing it with a #. Then run `service postfix reload`.

More Information

You might even find a more extreme message such as below in your log file:

Jul 24 23:36:10 host postfix/smtpd[9817]: NOQUEUE: reject: RCPT from mail146.transactional.voxtelecom.eversrv.com[69.63.146.146]: 554 5.7.1 <mail146.transactional.voxtelecom.co.za.eversrv.com>: Helo command rejected: ACCESS DENIED. Evil marketing companies who never asked permission to email here (eversrv.com); from=<[email protected]oxtelecom.co.za> to=<[email protected]> proto=ESMTP helo=<mail146.transactional.voxtelecom.co.za.eversrv.com>

This particular rejection would come from a rule in /etc/postfix/helo_access.pcre:

/(eversrv\.com)$/ REJECT ACCESS DENIED. Evil marketing companies who never asked permission to email here (${1})

If you comment out the `check_helo_access` line, or the entire `smtpd_helo_restrictions` section, this problem will also go away. The disadvantage is that if these senders really are spammers, they are now free to deliver email.
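Before disabling anything, it helps to confirm which `helo_access.pcre` rule actually produced a reject by replaying the logged HELO name against the map. The following is an added example, not part of the original article: the sample log line, map contents and function names are constructed, and Python's `re` module stands in for Postfix's PCRE engine.

```python
import re

# Constructed sample data modelled on the log line and map rule quoted above.
SAMPLE_LOG = (
    "Jul 24 23:36:10 host postfix/smtpd[9817]: NOQUEUE: reject: RCPT from "
    "mail146.example.eversrv.com[192.0.2.10]: 554 5.7.1 "
    "<mail146.example.eversrv.com>: Helo command rejected: ACCESS DENIED. "
    "Evil marketing companies who never asked permission to email here "
    "(eversrv.com); from=<a@example.org> to=<b@example.net> proto=ESMTP "
    "helo=<mail146.example.eversrv.com>")
SAMPLE_MAP = r"""# constructed stand-in for /etc/postfix/helo_access.pcre
/^mail\.example\.invalid$/ REJECT Constructed rule that does not match
/(eversrv\.com)$/ REJECT ACCESS DENIED. Evil marketing companies who never asked permission to email here (${1})
"""
LOG_RE = re.compile(
    r"reject: RCPT from (?P<client>\S+?)\[(?P<ip>[^\]]+)\]: (?P<code>\d{3}) \S+ "
    r"<[^>]*>: Helo command rejected: (?P<reason>.*?); .*helo=<(?P<helo>[^>]*)>")
RULE_RE = re.compile(r"^/(?P<pat>.*?)/(?P<flags>[A-Za-z]*)\s+(?P<action>.+)$")

def parse_helo_reject(line):
    """Extract client, ip, code, reason and helo from a HELO reject log line."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def load_rules(text):
    """Parse /pattern/flags action lines; Python's re stands in for PCRE here."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = RULE_RE.match(raw.strip())
        if raw.lstrip().startswith("#") or not m:
            continue
        # pcre tables are case-insensitive by default; an "i" flag toggles that off
        flags = 0 if "i" in m["flags"] else re.IGNORECASE
        rules.append((lineno, re.compile(m["pat"], flags), m["action"]))
    return rules

def first_match(helo, rules):
    """Return (line number, expanded action) of the first rule matching helo."""
    for lineno, rx, action in rules:
        m = rx.search(helo)
        if m:  # expand $1 / ${1} references to the captured text
            return lineno, re.sub(r"\$\{?(\d+)\}?", lambda g: m.group(int(g[1])), action)
    return None

def explain(line, map_text):
    """Tell whether the logged reject text was produced by a rule in the map."""
    ev = parse_helo_reject(line)
    hit = first_match(ev["helo"], load_rules(map_text)) if ev else None
    from_map = bool(hit) and hit[1].partition(" ")[2].strip() == ev["reason"]
    return {"helo": ev and ev["helo"], "rule_line": hit and hit[0], "from_map": from_map}

if __name__ == "__main__":
    print(explain(SAMPLE_LOG, SAMPLE_MAP))
```

On the mail server itself, `postmap -q "<helo name>" pcre:/etc/postfix/helo_access.pcre` runs the same lookup through Postfix's own map code.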
