
If your Exim mail logs show the following error:
Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
This means that the sending server’s HELO/EHLO hostname is invalid or misconfigured according to the SMTP protocol requirements.
What is HELO / EHLO?
Table of Contents
When an email server connects to another via SMTP, it introduces itself with the HELO
or EHLO
command followed by its hostname.
EHLO mail.example.com
Why does this error appear?
The receiving mail server may reject the connection if:
- The HELO name is not a fully qualified domain name (FQDN)
- The HELO name does not resolve to the sending server’s IP address
- The IP address’s PTR (reverse DNS) record does not point back to the HELO name
- DNS resolution fails completely
Example test for IP: 177.104.11.173
- Check PTR (reverse DNS):
host 177.104.11.173
- Check forward resolution:
host mail.bad-example.net
The result must point back to 177.104.11.173
Fix for the sending server
- Set a proper FQDN hostname in the HELO/EHLO command (e.g.
mail.example.com
) - Ensure the hostname resolves to the server’s IP address
- Ensure the IP’s PTR record matches that hostname
Exim: Enforcing HELO checks
To enforce HELO validation in Exim, use the following ACL in your config:
deny message = Access denied - Invalid HELO name (See RFC2821 4.1.1.1)
condition = ${if match{$sender_helo_name}{N^d{1,3}(.d{1,3}){3}$N}{true}{false}}
Or enable basic HELO checking:
verify = helo
Summary
- HELO/EHLO hostname must follow DNS and SMTP standards
- Poorly configured HELO names are common with spambots
- Validate that DNS records are correct in both directions (forward + reverse)
Bonus: Test using swaks
Bonus: Test HELO and DNS with common tools
1. Test HELO with swaks
(Linux/macOS):
swaks --to test@example.com --server 185.185.170.9 --ehlo mail.example.com
This simulates a real SMTP connection and sends a custom HELO/EHLO.
2. Check reverse DNS (PTR) with dig
(Linux/macOS):
dig -x 185.185.170.9 +short
This should return a valid hostname (e.g. mail.example.com.
)
3. Check forward DNS for hostname:
dig mail.example.com +short
This should return 185.185.170.9
— must match the original IP.
4. Windows equivalent using nslookup
:
nslookup 185.185.170.9
Then check forward lookup:
nslookup mail.example.com
Both must match for the HELO to be considered valid.