How can I block non-FQDNs in HELO/EHLOs?

Many workstation clients send single-component names; take care that you do not block legitimate mail. With that proviso, you can do it using something like this in an ACL:

drop  message = HELO doesn't look like a hostname
   log_message = Not a hostname
   condition = ${if match{$sender_helo_name} \
\N^[^.].*\.[^.]+$\N}{no}{yes}}

This means: Drop the HELO unless it contains a dot somewhere in the HELO string, but the string may not begin or end with a dot. Thus, the imposed minimum length is 3 characters. The data for HELO/EHLO doesn't have to be a host name; it may legitimately be an IP address literal instead. The above test succeeds with an IPv4 address literal, but if you want also to accept IPv6 address literals, you will have to modify the regular expression.