RE: "This message has been blocked because the HELO/EHLO domain is invalid"

  • From: "Dan Klobnak" <dan.klobnak@xxxxxxxxxxxxxxxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Mon, 18 Jul 2005 06:55:08 -0500

It's confusing enough when folks hi-jack subjects...now people are actually 
thanking people on others' behalf. :) "Why, you are welcome Saleem"?!?

John, appreciate your information, and sorry for the rambling nature of my 
original post; the research pulled me in a few possible directions, and I 
basically vomited my research onto the list. 


A few follow-ups.

1) Our 'public' DNS records, such as MX, etc., are hosted externally. As such, 
there is no entry for mail2.graphicsolutionsinc.com (or pmx.nazdar.com for that 
matter) within our internal DNS server (which, to me, would explain why I could 
not verify to my internal DNS when I went to change the properties of the SMTP 
Virtual Server).

1A) You state: "The SMTP server...FQDN is supposed to match what the PTR record 
says for the IP that it is connecting with."

You also state: "Your MX record is mail2.graphicsolutionsinc.com. The A record 
for that says IP address is 67.65.36.129. However, the PTR record for the IP 
says pmx.nazdar.com. When you connect to mail2.graphicsolutionsinc.com, the
greeting says pmx.nazdar.com."

1B) I see two issues here. 1) I need to resolve the DNS issues, so I can modify 
the SMTP server to match the PTR record. 
2) Once completed, and my SMTP points to my PTR of pmx.nazdar.com, would this 
still cause issues, since my MX record refers to mail2.graphicsolutionsinc.com? 

I am thinking the more appropriate response is to address the PTR to reflect 
mail2.graphicsolutionsinc.com rather than pmx.nazdar.com (the sister company's 
SPAM server, which then forwards to our server.)

(Observation: The fact that the MX record and PTR record do not match up seems 
to be somewhat common, even if not compliant. Example, when  I compare the MX 
record of webelists.com to its PTR, there is a difference - MX: 
webelists.com.inbound15.mxlogic.net versus pointer p02n142.mxlogic.net)

2) ANY thoughts on the issue of SPF records? Are these a new requirement, or 
something the mail server community considers a Best Practice at this time?

Again Thank You! Dan

----------------------------------------------------------------------

Subject: RE: "This message has been blocked because the HELO/EHLO domain is 
invalid"
From: "saleem" <sroumald@xxxxxxxxxxxx>
Date: Fri, 15 Jul 2005 11:34:41 -0400
X-Message-Number: 16

Thanks


-----Original Message-----
From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]=20
Sent: Friday, July 15, 2005 11:15 AM
To: [ExchangeList]
Subject: [exchangelist] RE: "This message has been blocked because the
HELO/EHLO domain is invalid"

http://www.MSExchange.org/

Your MX record is mail2.graphicsolutions.com. The A record for that says
IP
address is 67.65.36.129. However, the PTR record for the IP says
pmx.nazdar.com. When you connect to mail2.graphicsolutions.com, the
greeting
says pmx.nazdar.com.

Yes, you are treading in deep water. E-mail requires certain things to
be
set up correctly. You post kind of rambles on and is some what hard to
understand.

The SMTP server you are sending outgoing e-mail from will present its
configured FQDN meaning host and domain. That FQDN is supposed to match
what
the PTR record says for the IP that it is connecting with.

The NDR is at the correct point. Your server starts to connect to the
receiving server, and during the handshake the receiving server says
sorry,
but I can not talk to you and then your server properly creates the NDR
to
send to the sender.

When you say that changing the virtual name causes DNS problems
indicates
you have DNS problems, or virtual server configuration problems.

John T
eServices For You

> -----Original Message-----
> From: Dan Klobnak [mailto:dan.klobnak@xxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Friday, July 15, 2005 5:33 AM
> To: [ExchangeList]
> Subject: [exchangelist] RE: "This message has been blocked because the
HELO/EHLO
> domain is invalid"
>=20
> http://www.MSExchange.org/
>=20
> I am resending this message, as I realized I had a bogus subject "RE:
exchange
> Digest", and it may have been rightfully ignored. My apologies...
>=20
> Hi there, MSExchange 2000 Standard SP3 on a Windows 2003 server. Our
users
> received the following NDR when sending an external e-mail to one
external
domain.
> Not a problem with other domains; and we can reach the domain if we
use a
hotmail
> account or when I SMTP to it.  I am hoping to communicate with the
other
SysAdmin.
> Have not seen this one before, and have been doing some research.
Based on
the
> research, I guess I can go in a couple of different directions, but
was
curious as to
> your expert opinions/suggestions.
>=20
> NDR:
> The following recipient(s) could not be reached:
> 'user@xxxxxxxxxxx' on 13/07/2005 9:26
> You do not have permission to send to this recipient. For assistance,
contact your
> system administrator.
> <gsi-fs1.graphicsolutionsinc.com #5.7.1 smtp;554 5.7.1 This message
has
been
> blocked because the HELO/EHLO domain is invalid.>
>=20
> Note: the server generating the error is our mail server. The NDR is
immediate, and
> Message Tracking indicates an Event ID 1030 (NDR Generated),
immediately
after a
> 1020 (Started Outbound Transfer).
>=20
> Resubmitted, as I realized my subject was "RE: exchangelist digest:
July
14, 2005"
> and may have been rightly ignored...
>=20
> Searching on:
>  "You do not have permission to send to this recipient."
> Lead to options regarding being filtered by a SPAM...ie. Either on a
list
(which we tend
> to not believe is the case, and pur T1 Provider, Megapath, stated if
we
were ID'd as
> SPAMMER, they would be involved. I take that statement with a grain of
salt).  In any
> event I verified our Open Relay status, and we're locked down.
>=20
> 1.    Any websites you'd recommend to check ourselves against for
further
> verification?
>=20
> Another possibility may be an issue with a reverse lookup? Again, this
is
from a bunch
> of sources, none that I would consider authoritive, so I could be
misinterpreting.
> However, our e-mail comes from our server, and our MX record's A
record
actually
> points to a sister company's IP, as they filter SPAM for us before
forwarding.  There is
> a difference of Public IPs.
> Another option maybe the fact that we do not have an SPF record in our
DNS
> (something I learned about yesterday)?
>=20
> Searching on:
> "This message has been blocked because the HELO/EHLO domain is
invalid"
>=20
> Seemed to point to SMTP Virtual server setting. When I telnet to SMTP,
my
server
> does not match the MX record, which to be compliant with RFC 2821
seems to
be
> required. The server reflects the actual server name. When I try to
change
properties
> of the SMTP Virtual Server to my MX record, Mail2, I can not verify to
my
internal
> DNS. I don't want to go to the issue of changing my server's name, and
I
am thinking
> I can not have two entries within DNS pointing to the same IP, or is
there
a way to
> accommodate?
>=20
> Other option, modify my MX record to be reflect my server name?
>=20
> I admit, I am treading some deep water here for me. Since we're
successful
with
> 99.99 of other external e-mails, it is appealing to say it's the other
side (the "been
> blocked because the HELO/EHLO domain is invalid" certainly is not
saying
which
> domain is invalid. When I SMTP their mail server, mail.printar.com,
their
server name
> is simply printar.com, so they are not 'compliant' either.). However,
since we have a
> few loose ends on our side, I'd like to tighten us up, as I imagine
the
ongoing battle
> with SPAM will simply be cause more of these errors.
>=20
> Any other ideas, thoughts, would be GREATLY appreciated.
>=20
> I can't seem to find anything regarding these search strings at MS
support
either, so I
> assume I'm searching incorrectly. Thanks, Dan
>=20


Other related posts: