This is a discussion on "helo restrictions treat hash like regexp?" within the mailing.postfix.users forums, part of the Mail Servers and Related category.
So, I've got some helo_restrictions set up, including rejection of hosts
that use my domain name in the helo. Unfortunately, the server seems to be
rejecting subdomains as well. I *could* get around this by adding the remote
subdomain servers to mynetworks, I guess, but I'd rather know why this is
happening.

I have this (obscured for no reason) in /etc/postfix/helo_access:

    mail.domain.com 554 Hey, that's my name too! Go away, liar.
    www.domain.com 554 Hey, that's my name too! Go away, liar.
    domain.com 554 Hey, that's my name too! Go away, liar.

and I have these relevant config settings:

    newwww ~ # postconf mail_version smtpd_helo_restrictions
    mail_version = 2.1.5
    smtpd_helo_restrictions = permit_mynetworks, reject_invalid_hostname, check_helo_access hash:/etc/postfix/helo_access, check_helo_access mysql:/etc/postfix/mysql-access.cf, reject_rbl_client relays.ordb.org, permit

(the mysql map is a list of bad IP addresses/hostnames that's used both for
checking client access and helo access, and yes, I've run postmap on
/etc/postfix/helo_access + postfix reload)

Now, when I get a message from an external mailserver - not listed in
mynetworks - that identifies itself as mail.subdomain.domain.com, postfix
rejects that connection with "554 <mail.subdomain.domain.com>: Helo command
rejected: Hey, that's my name too! Go away, liar."

It's my understanding that an entry of domain.com should only match a host
that says "HELO domain.com", and not anything else. Is it likely that I'm
doing something wrong here, possibly due to missing a critical piece of
documentation?

I've commented out the "domain.com" entry, allowing subdomain.domain.com to
again send me email (whoops), but it'd sure be nice if I could actually
reject people who use my domain in their helo...

Thanks for any advice given.

--Danny
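The lookup order that Postfix's access(5) documentation describes for host names in indexed tables, modelled as an added example that is not part of the original post and is not Postfix code. It assumes the poster's configuration keeps smtpd_access_maps in parent_domain_matches_subdomains (the default), in which case a bare domain.com key also matches subdomains; the function names and the parent_matches_subdomains flag are hypothetical.

```python
# Added illustration: a model of the access(5) host-name lookup order for
# hash: tables. Not Postfix source. Table entries are the ones from the post.

HELO_ACCESS = {
    "mail.domain.com": "554 Hey, that's my name too! Go away, liar.",
    "www.domain.com": "554 Hey, that's my name too! Go away, liar.",
    "domain.com": "554 Hey, that's my name too! Go away, liar.",
}


def lookup_keys(helo_name, parent_matches_subdomains=True):
    """Return the keys tried, in order, for one HELO name.

    parent_matches_subdomains models whether smtpd_access_maps is listed in
    parent_domain_matches_subdomains (assumed True, the default value).
    """
    name = helo_name
    keys = [name]
    while "." in name[1:]:
        dot = name.index(".", 1)
        # Parent style: drop the leftmost label and try the bare parent.
        # Dot style: keep the leading dot, so only ".parent" keys can match.
        name = name[dot + 1:] if parent_matches_subdomains else name[dot:]
        keys.append(name)
    return keys


def check_helo_access(helo_name, table, parent_matches_subdomains=True):
    """Return (matching_key, action) for the first key found, else (None, None)."""
    for key in lookup_keys(helo_name, parent_matches_subdomains):
        if key in table:
            return key, table[key]
    return None, None


if __name__ == "__main__":
    for style in (True, False):
        for helo in ("domain.com", "mail.subdomain.domain.com"):
            key, action = check_helo_access(helo, HELO_ACCESS, style)
            print(f"parent_style={style!s:5} HELO {helo:26} -> {key}: {action}")
```

With the dot style, rejecting subdomains as well would need an explicit .domain.com key; the bare domain.com key then matches only a HELO of exactly domain.com.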