If your Exim mail logs show the following error:

Access denied - Invalid HELO name (See RFC2821 4.1.1.1)

This means that the sending server’s HELO/EHLO hostname is invalid or misconfigured according to the SMTP protocol requirements.

What is HELO / EHLO?

Read morecPGuard Web Security Suite: Now Fully Integrated with Interworx Control Panel

When an email server connects to another via SMTP, it introduces itself with the HELO or EHLO command followed by its hostname.

EHLO mail.example.com

Why does this error appear?

The receiving mail server may reject the connection if:

  • The HELO name is not a fully qualified domain name (FQDN)
  • The HELO name does not resolve to the sending server’s IP address
  • The IP address’s PTR (reverse DNS) record does not point back to the HELO name
  • DNS resolution fails completely

Example test for IP: 177.104.11.173

  1. Check PTR (reverse DNS):
    host 177.104.11.173
  2. Check forward resolution:
    host mail.bad-example.net
    The result must point back to 177.104.11.173

Fix for the sending server

  • Set a proper FQDN hostname in the HELO/EHLO command (e.g. mail.example.com)
  • Ensure the hostname resolves to the server’s IP address
  • Ensure the IP’s PTR record matches that hostname

Exim: Enforcing HELO checks

To enforce HELO validation in Exim, use the following ACL in your config:

deny message = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
     condition = ${if match{$sender_helo_name}{N^d{1,3}(.d{1,3}){3}$N}{true}{false}}
Read moreUnderstanding the Linux chattr Command: A Comprehensive Guide

Or enable basic HELO checking:

verify = helo

Summary

  • HELO/EHLO hostname must follow DNS and SMTP standards
  • Poorly configured HELO names are common with spambots
  • Validate that DNS records are correct in both directions (forward + reverse)

Bonus: Test using swaks

Bonus: Test HELO and DNS with common tools

1. Test HELO with swaks (Linux/macOS):

swaks --to test@example.com --server 185.185.170.9 --ehlo mail.example.com

This simulates a real SMTP connection and sends a custom HELO/EHLO.

Read moreMalware Cleaning : Using YARA and ClamAV Signatures

2. Check reverse DNS (PTR) with dig (Linux/macOS):

dig -x 185.185.170.9 +short

This should return a valid hostname (e.g. mail.example.com.)

3. Check forward DNS for hostname:

dig mail.example.com +short

This should return 185.185.170.9 — must match the original IP.

4. Windows equivalent using nslookup:

nslookup 185.185.170.9

Then check forward lookup:

nslookup mail.example.com

Both must match for the HELO to be considered valid.

Similar Posts