This is a discussion on Postfix ignoring my smtpd_helo_* config?? within the alt.comp.mail.postfix forums, part of the Mail Servers and Related category.
Helo,
I've got an annoying PDA mail client (Versamail) that insists on sending an invalid domain name in its HELO to the server. To get around this, I wanted to set:

    smtpd_helo_restrictions = permit_mynetworks, permit_sasl_authenticated,
        reject_non_fqdn_hostname, reject_invalid_hostname,
        hash:/etc/postfix/access, permit

This failed with

    504 5.5.2 <com>: Helo command rejected: need fully-qualified hostname

So I simplified things and removed all restrictions on HELO, for testing:

    smtpd_helo_required = no
    smtpd_helo_restrictions = permit

Now it works, if I manually telnet to port 25 and _don't send_ any HELO. But sending Versamail's dumb

    HELO COM

Still gives me

    504 5.5.2 <COM>: Helo command rejected: need fully-qualified hostname

BTW, I _have_ issued multiple "postfix reload" and even stopped/started the server to ensure the config was accepted and showed up correctly with 'postconf'.

I'd appreciate any clues as to why postfix is ignoring my smtpd_helo_restrictions.

Thanks in advance.

--
Pat Deegan
http://www.psychogenic.com

Replying to myself, so you all won't need to bother and perhaps to help anyone else in my situation.

The error message mentioning the invalid Helo hostname:

    504 5.5.2 <COM>: Helo command rejected: need fully-qualified hostname

was misleading--this is where the issue was, but not where it was being flagged.

The problem seems to have been that, though my smtpd_helo_restrictions were set to maximum laxity, the smtpd_recipient_restrictions were such that the invalid/non-fqdn hostname was still tripping a rejection... question of order:

    smtpd_recipient_restrictions =
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        permit_mynetworks,
        permit_sasl_authenticated
        ....

The reject_non_fqdn_hostname rejection was checked before the sasl_auth permission and was apparently killing the send operation based on the contents of the HELO.

Thus, to enable authenticated roaming clients to send through the server, even if the mail clients are too dense to send a valid HELO, I had to use the following set of restrictions:

    smtpd_helo_required = yes

    smtpd_helo_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_non_fqdn_helo_hostname,
        reject_unknown_helo_hostname,
        reject_invalid_helo_hostname,
        hash:/etc/postfix/access,
        permit

    smtpd_sender_restrictions =
        permit_mynetworks
        permit_sasl_authenticated
        reject_non_fqdn_sender
        reject_invalid_hostname
        reject_unknown_sender_domain
        hash:/etc/postfix/access
        permit

    smtpd_recipient_restrictions =
        permit_mynetworks,
        permit_sasl_authenticated,
        reject_invalid_hostname,
        reject_non_fqdn_hostname,
        reject_non_fqdn_sender,
        reject_non_fqdn_recipient,
        reject_unknown_sender_domain,
        reject_unknown_recipient_domain,
        reject_unauth_pipelining,
        hash:/etc/postfix/access,
        reject_unauth_destination,
        reject_rbl_client zombie.dnsbl.sorbs.net,
        reject_rbl_client list.dsbl.org,
        check_policy_service unix:/path/to/socket/postgrey.sck,
        check_policy_service unix:private/spfpolicy,
        proxy:mysql:/path/to/mysqlprotected_users.cf,
        permit

Regards,

--
Pat Deegan
http://www.psychogenic.com
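
Added example, not part of the original thread: a small Python check for the ordering problem described in the reply above. It parses main.cf-style text and reports HELO-based rejects that are evaluated before permit_sasl_authenticated in any smtpd_*_restrictions list; the function names and the two abbreviated sample configs are constructed for illustration.

```python
import re

# Restrictions that reject on the HELO/EHLO argument (older and current names).
HELO_REJECTS = {
    "reject_invalid_hostname", "reject_non_fqdn_hostname", "reject_unknown_hostname",
    "reject_invalid_helo_hostname", "reject_non_fqdn_helo_hostname",
    "reject_unknown_helo_hostname",
}
SASL = "permit_sasl_authenticated"

def parse_main_cf(text):
    """Return {parameter: [tokens]}; lines starting with whitespace continue a value."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        if raw[0].isspace() and current:
            params[current] += re.split(r"[,\s]+", raw.strip())
        elif "=" in raw:
            current, value = (part.strip() for part in raw.split("=", 1))
            params[current] = re.split(r"[,\s]+", value) if value else []
    return {k: [t for t in v if t] for k, v in params.items()}

def helo_rejects_before_sasl(text):
    """List (parameter, restriction) pairs where a HELO-based reject comes before
    permit_sasl_authenticated, or where the list has no such permit at all."""
    findings = []
    for name, tokens in parse_main_cf(text).items():
        if not re.fullmatch(r"smtpd_\w+_restrictions", name):
            continue
        cutoff = tokens.index(SASL) if SASL in tokens else len(tokens)
        findings += [(name, t) for t in tokens[:cutoff] if t in HELO_REJECTS]
    return findings

# Constructed sample: lax HELO list plus an abbreviated form of the failing order.
BEFORE = """\
smtpd_helo_required = no
smtpd_helo_restrictions = permit
smtpd_recipient_restrictions =
    reject_invalid_hostname, reject_non_fqdn_hostname,
    reject_non_fqdn_sender, permit_mynetworks, permit_sasl_authenticated
"""
# Constructed sample: the same list with the permits moved to the front.
AFTER = """\
smtpd_recipient_restrictions =
    permit_mynetworks, permit_sasl_authenticated,
    reject_invalid_hostname, reject_non_fqdn_hostname, reject_non_fqdn_sender
"""
```

Feeding the function the text of a real main.cf gives one finding per HELO check that an authenticated client would still hit, including checks sitting in the sender or recipient lists rather than in smtpd_helo_restrictions.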