Why does Postfix say 'Helo command rejected: Host not found' when dig finds the host?

The answer was staring us in the face the whole time.

Postfix is looking for the A and PTR records for the host greeting it with HELO. Or, more precisely, the host that the host says it is in its HELO message. Let's break it down:

Jul 20 23:35:20 endor postfix/smtpd[1503]: NOQUEUE: reject: RCPT from
bdmrob01-2.metavante.com[206.71.18.21]:

A host named bdmrob01-2.metavante.com that resolves to the IP address 206.71.18.21 makes a TCP connection to your mail server.

So you checked the IP address for an A record:

endor% dig bdmrob01-2.metavante.com
[...]
;; ANSWER SECTION:
bdmrob01-2.metavante.com. 600   IN  A   206.71.18.21

And then you checked it for a PTR record:

endor% dig -x 206.71.18.21
;; ANSWER SECTION:
21.18.71.206.in-addr.arpa. 600  IN  PTR bdmrob01-2.metavante.com.

That all looks good. So what's the problem? The host that connected was certainly identified by the above hostname and IP address, but it didn't say that's who it was. It said:

helo=<bdmrob02.metavante.com>

That host has an A record:

$ dig a bdmrob02.metavante.com
[...]
;; ANSWER SECTION:
bdmrob02.metavante.com. 0   IN  A   92.242.140.2

BUT, its IP address has no PTR record:

$ dig -x 92.242.140.2
[...]
;; ANSWER SECTION:
2.140.242.92.in-addr.arpa. 84155 IN PTR unallocated.barefruit.co.uk.

This is a problem on their end. Until then you'll have to either live with it, or change your Postfix server to not bother with forward and reverse lookups on HELO commands.
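The walk-through above as a script (an added example, not part of the original answer): it pulls the connecting client and the HELO name out of an smtpd reject line, then runs the forward and reverse lookups on the HELO name instead of the client name. The middle of the sample log line (reply code, from/to addresses) is constructed because the page truncates it, and the function and variable names are this example's own; the DNS data is the dig output shown above, fed through a stub resolver so the sample runs offline.

```python
import re
import socket

# Client name/IP and HELO name from a Postfix smtpd reject line.
REJECT_RE = re.compile(
    r"reject: RCPT from (?P<client>[^\[\s]+)\[(?P<ip>[^\]]+)\]:.*?helo=<(?P<helo>[^>]*)>")

# Constructed sample: start and helo=<...> are from the page, the middle is made up.
SAMPLE_LINE = (
    "Jul 20 23:35:20 endor postfix/smtpd[1503]: NOQUEUE: reject: RCPT from "
    "bdmrob01-2.metavante.com[206.71.18.21]: 450 4.7.1 <bdmrob02.metavante.com>: "
    "Helo command rejected: Host not found; from=<sender@example.com> "
    "to=<rcpt@example.org> proto=ESMTP helo=<bdmrob02.metavante.com>"
)
# DNS answers copied from the dig output on this page (data for the stub resolver).
SAMPLE_A = {"bdmrob01-2.metavante.com": ["206.71.18.21"],
            "bdmrob02.metavante.com": ["92.242.140.2"]}
SAMPLE_PTR = {"206.71.18.21": "bdmrob01-2.metavante.com",
              "92.242.140.2": "unallocated.barefruit.co.uk"}

def dns_forward(name):
    """A records via the system resolver; [] when the name does not resolve."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []

def dns_reverse(ip):
    """PTR name via the system resolver; None when there is no usable answer."""
    try:
        return socket.gethostbyaddr(ip)[0].lower().rstrip(".")
    except (socket.herror, socket.gaierror):
        return None

def diagnose(line, forward=dns_forward, reverse=dns_reverse):
    """Compare the connecting client with the name it gave in HELO."""
    m = REJECT_RE.search(line)
    if m is None:
        return None
    client, ip = m["client"].lower(), m["ip"]
    helo = m["helo"].lower().rstrip(".")
    ptrs = {addr: reverse(addr) for addr in forward(helo)}  # HELO address -> PTR name
    return {
        "client": client, "client_ip": ip, "helo": helo,
        "helo_matches_client": helo == client,
        "helo_resolves_to_client_ip": ip in ptrs,
        "helo_ptr": ptrs,
        "helo_forward_confirmed": helo in ptrs.values(),
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE_LINE, lambda n: SAMPLE_A.get(n, []), SAMPLE_PTR.get))
```

Called with only a log line, `diagnose` uses the system resolver, so run it from the mail server itself to see the answers that host's resolver returns.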


In the spirit of having the useful information in one place, I want to add a bit to @wesley's correct answer: there's a mid-point between not doing forward and reverse lookups, which is whitelisting, described here:

Postfix: whitelist host for specific sender