I'm running postfix 3.5.18 under Debian 11. The mailserver is working fine for all senders except one.
I am regularly getting this message for emails from one sender, and one sender only (where I changed a valid email address on my server to "[email protected]" in the message, and changed the server name in that message to MYEXAMPLE) ...
Jul 15 17:05:45 MYEXAMPLE postfix/smtpd[350738]: Anonymous TLS connection established from smtp3.earlywarning.com[199.47.137.176]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jul 15 17:05:46 MYEXAMPLE postfix/smtpd[350738]: NOQUEUE: reject: RCPT from smtp3.earlywarning.com[199.47.137.176]: 450 4.7.1 <a7283cpov.earlywarning.com>: Helo command rejected: Host not found; from=<[email protected]> to=<[email protected]> proto=ESMTP helo=<a7283cpov.earlywarning.com>
Jul 15 17:06:02 MYEXAMPLE postfix/smtpd[350738]: timeout after RSET from smtp3.earlywarning.com[199.47.137.176]
Jul 15 17:06:02 MYEXAMPLE postfix/smtpd[350738]: disconnect from smtp3.earlywarning.com[199.47.137.176] ehlo=2 starttls=1 mail=1 rcpt=0/1 data=0/1 rset=1 commands=5/7
The "earlywarning.com" and "smtp3.earlywarning.com" hostnames are validly mapped in DNS.
The following is the output of "postconf -n", with my hostname changed to MYEXAMPLE.COM, and my IP address changed to AAA.BBB.CCC.DDD ...
address_verify_poll_count = ${stress?1}${stress:3}
address_verify_sender = postmaster@$myhostname
address_verify_sender_ttl = 1342s
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = no
command_directory = /usr/sbin
compatibility_level = 2
data_directory = /var/lib/postfix
disable_dns_lookups = no
double_bounce_sender = double-bounce
hippomda_destination_recipient_limit = 1
html_directory = /usr/share/doc/postfix/html
inet_interfaces = all
lmtp_host_lookup = dns
mail_owner = postfix
mailbox_size_limit = 0
mailq_path = /usr/bin/mailq
message_size_limit = 199999999
milter_command_timeout = 20s
milter_connect_macros = j {daemon_name} v {client_name} {client_addr} {client_port}
milter_connect_timeout = 10s
milter_mail_macros = {auth_author} {auth_type} {auth_authen}
milter_protocol = 6
minimal_backoff_time = 60s
mydestination = localhost
myhostname = MYEXAMPLE.COM
mynetworks = AAA.BBB.CCC.DDD/32
myorigin = MYEXAMPLE.COM
non_smtpd_milters = $smtpd_milters
queue_directory = /var/spool/postfix
queue_run_delay = 60s
readme_directory = /usr/share/doc/postfix
recipient_delimiter = -
relay_domains =
relayhost =
sendmail_path = /usr/sbin/sendmail
smtp_host_lookup = dns
smtp_skip_5xx_greeting = no
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_block_early_mail_reply = yes
smtp_tls_loglevel = 1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
smtp_tls_note_starttls_offer = yes
smtp_tls_policy_maps = hash:/etc/postfix/tls-control
smtp_tls_protocols = !SSLv2,!SSLv3,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtp_tls_session_cache_timeout = 3600s
smtpd_banner = Abandon hope, all ye who enter here.
smtpd_client_restrictions = check_client_access hash:/etc/postfix/ok-host-control check_helo_access hash:/etc/postfix/helo-control reject_unknown_client_hostname
smtpd_data_restrictions = reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_error_sleep_time = 2s
smtpd_hard_error_limit = ${stress?2}${stress:4}
smtpd_helo_required = yes
smtpd_helo_restrictions = permit_mynetworks check_helo_access hash:/etc/postfix/ok-host-control check_helo_access hash:/etc/postfix/helo-control permit_sasl_authenticated reject_invalid_helo_hostname reject_non_fqdn_helo_hostname reject_unknown_helo_hostname
smtpd_junk_command_limit = ${stress?3}${stress:50}
smtpd_milters = inet:localhost:20002,local:opendkim/opendkim.sock,local:opendmarc/opendmarc.sock
smtpd_per_record_deadline = ${stress?yes}${stress:no}
smtpd_recipient_limit = 1000
smtpd_recipient_overshoot_limit = 100
smtpd_recipient_restrictions = check_recipient_access pcre:/etc/postfix/reject-impossible-address.pcre reject_unknown_recipient_domain reject_unverified_recipient permit_dnswl_client list.dnswl.org=127.0.[0..255].[1..3] permit_sasl_authenticated reject_non_fqdn_recipient
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = reject_non_fqdn_sender check_client_access hash:/etc/postfix/ok-host-control reject_unknown_sender_domain reject_unknown_reverse_client_hostname reject_unknown_client_hostname
smtpd_soft_error_limit = 2
smtpd_starttls_timeout = ${stress?5}${stress:12}s
smtpd_timeout = ${stress?5}${stress:12}s
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_ask_ccert = yes
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/letsencrypt/live/MYEXAMPLE.COM/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/MYEXAMPLE.COM/privkey.pem
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = low
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
smtpd_tls_protocols = !SSLv2,!SSLv3,TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
strict_rfc821_envelopes = yes
tls_high_cipherlist = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256:NULL-SHA256
tls_preempt_cipherlist = yes
transport_maps = hash:/etc/postfix/transport-control
unknown_address_reject_code = 550
unknown_client_reject_code = 550
unknown_local_recipient_reject_code = 550
virtual_alias_maps = proxy:mysql:/etc/postfix/mysql_virtual_alias_maps.cf
virtual_gid_maps = static:1003
virtual_mailbox_base = /var/vmail
virtual_mailbox_domains = proxy:mysql:/etc/postfix/mysql_virtual_domains_maps.cf
virtual_mailbox_limit = 51200000
virtual_mailbox_maps = proxy:mysql:/etc/postfix/mysql_virtual_mailbox_maps.cf
virtual_minimum_uid = 1000
virtual_transport = hippomda
virtual_uid_maps = static:1003
Here are the "helo-control" file contents:
earlywarning.com OK
.earlywarning.com OK
199.47.137.176 OK
104.18.100.92 OK
104.18.99.92 OK
And here are the contents of the "ok-host-control" file ...
earlywarning.com OK
.earlywarning.com OK
199.47.137.176 OK
104.18.100.92 OK
104.18.99.92 OK
Both "helo-control" and "ok-host-control" are properly mapped to "helo-control.db" and "ok-host-control.db", respectively, via "postconf -f".
What am I doing wrong that causes connections from "smtp3.earlywarning.com[199.47.137.176]" to be rejected?
Thank you in advance.
UPDATE:
Postmap test ...
# postmap -v -q 'a7283cpov.earlywarning.com' ./ok-host-control; echo rc=$?
postmap: name_mask: all
postmap: inet_addr_local: configured 3 IPv4 addresses
postmap: inet_addr_local: configured 3 IPv6 addresses
postmap: Compiled against Berkeley DB: 5.3.28?
postmap: Run-time linked against Berkeley DB: 5.3.28?
postmap: dict_open: hash:./ok-host-control
rc=1
# postmap -v -q 'a7283cpov.earlywarning.com' ./helo-control; echo rc=$?
postmap: name_mask: all
postmap: inet_addr_local: configured 3 IPv4 addresses
postmap: inet_addr_local: configured 3 IPv6 addresses
postmap: Compiled against Berkeley DB: 5.3.28?
postmap: Run-time linked against Berkeley DB: 5.3.28?
postmap: dict_open: hash:./helo-control
rc=1
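Editorial note, not part of the question above: `postmap -q` does an exact-key lookup only, whereas smtpd's check_helo_access and check_client_access walk the hostname through its parent domains, in a form that depends on whether smtpd_access_maps is listed in parent_domain_matches_subdomains (it is by default). The added example below emulates that lookup order over a constructed copy of the poster's table so the two behaviours can be compared; it is not Postfix code, and it reads the text table rather than the .db that Postfix actually consults.

```python
"""Emulates how Postfix smtpd looks up a HELO or client hostname in an access(5)
table (check_helo_access / check_client_access).  Added example, not Postfix's
own code; it reads the text table, whereas Postfix reads the .db built from it,
so the two must be kept in sync with postmap after every edit."""

# Constructed copy of the poster's helo-control / ok-host-control table.
ACCESS_TABLE = """\
earlywarning.com OK
.earlywarning.com OK
199.47.137.176 OK
104.18.100.92 OK
104.18.99.92 OK
"""


def parse_access_table(text):
    """Parse 'key action' lines the way postmap does; skip blanks and comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, action = line.partition(" ")
            table[key.lower()] = action.strip()
    return table


def postmap_q(table, key):
    """Exact-key lookup only, like `postmap -q KEY table` (None means rc=1)."""
    return table.get(key.lower())


def hostname_lookup(table, hostname, parent_matches_subdomains=True):
    """Order smtpd uses: the full name, then each parent domain up to the TLD.
    With smtpd_access_maps listed in parent_domain_matches_subdomains (the
    default) a parent is tried as 'parent.tld'; when it is not listed the
    parent is tried as '.parent.tld'.  Returns (action, keys tried)."""
    name, tried = hostname.lower().rstrip("."), []
    while name:
        tried.append(name)
        if name in table:
            return table[name], tried
        dot = name.find(".", 1)          # next label boundary (skip a leading dot)
        if dot < 0:
            break                        # reached the top-level domain
        name = name[dot + 1:] if parent_matches_subdomains else name[dot:]
    return None, tried
```

With the table parsed, `postmap_q(t, "a7283cpov.earlywarning.com")` returns None (the rc=1 seen in the update), while `hostname_lookup(t, "a7283cpov.earlywarning.com")` returns ('OK', [...]) after falling back to the earlywarning.com key; a mismatch between that emulation and the live server is the cue to rebuild the .db with postmap and recheck which key form the running parent_domain_matches_subdomains setting expects.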