Do I have to, and how do I setup bounce emails HELO command?

Skippy le Grand Gourou asked:

Our server has been listed several times on CBL (see this question) because it “attempted to send email without using the HELO/EHLO command”.

Grepping for HELO in Exim’s logs, I found suspicious (yet useful!) entries such as this one from GMail:

Remote host closed connection in response to HELO  (EHLO response was: 501-5.5.4 Empty HELO/EHLO argument not allowed, closing connection.

and this one from whatever email provider or software:

SMTP error from remote mail server after HELO : 501 Syntax: HELO hostname

It seems to me that these errors may be the very reason for which our IP is listed on CBL.

I can’t say for the GMail error yet because those messages are not in Exim’s queue anymore (I will confirm as soon as I get a new one), but the other message is a bounce email, as I suspected in the other question (“retry timeout exceeded” because of non-existent address).

Now, I couldn’t find confirmation online, but I guess it’s not normal that bounce emails have an empty HELO command, right? So how do I configure Exim so that they don’t?

NB: I know I could just blackhole such messages, which I’ll eventually try if I can’t find a better solution, but it doesn’t seem like the right approach.

NB2: For “regular emails” the HELO command is already set as follows, in /etc/exim4/conf.d/main/00_local_settings:

REMOTE_SMTP_HELO_DATA=$sender_address_domain

My answer:


Most servers check for a valid hostname in the EHLO/HELO command. The parameter must be the FQDN of your server as it is seen on the Internet, and your forward and reverse DNS must match for that name.

For example, if your machine is named mail.example.com:

  • It must send EHLO mail.example.com. Mail servers normally do this by default (except on Debian-based systems); they usually have to be explicitly misconfigured to not do so (except on Debian-based systems). Spammers often don’t bother with EHLO or can’t send a legitimate hostname.

    See here for how to configure Exim.

  • The DNS A/AAAA record for mail.example.com must have a record matching the IPv4 or IPv6 address which connected to the remote machine.

    For example:

    mail.example.com        IN      A       192.0.2.83
    
  • The IP address which connected to the remote machine must have a DNS PTR record with the name mail.example.com.

    For example:

    83.2.0.192.in-addr.arpa. IN      PTR     mail.example.com.
    

Connections which fail one or more of these checks will generally have their mail marked as spam or rejected. If your server fails any of these checks with a spamtrap, it will end up on a blackhole list.
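As an added illustration (not from the answer, and not Exim’s own code), here is a small Python check that applies the three conditions above to a HELO name and the connecting address. The sample DNS data is constructed to mirror the example A and PTR records; `live_forward` and `live_reverse` are hypothetical helpers that consult the system resolver instead of the sample data.

```python
import ipaddress
import socket

# Constructed sample DNS data (hypothetical, not a live resolver) that mirrors the
# A and PTR records in the answer: mail.example.com <-> 192.0.2.83.
SAMPLE_FORWARD = {"mail.example.com": {"192.0.2.83"}}
SAMPLE_REVERSE = {"192.0.2.83": {"mail.example.com"}}


def stub_forward(hostname):
    """A/AAAA addresses for hostname, taken from the constructed sample data."""
    return SAMPLE_FORWARD.get(hostname.rstrip(".").lower(), set())


def stub_reverse(ip):
    """PTR names for ip, taken from the constructed sample data."""
    return SAMPLE_REVERSE.get(ip, set())


def live_forward(hostname):
    """A/AAAA addresses via the system resolver (needs network access)."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return set()
    return {str(ipaddress.ip_address(i[4][0].split("%")[0])) for i in infos}


def live_reverse(ip):
    """PTR names via the system resolver (needs network access)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return set()
    return {n.rstrip(".").lower() for n in [name, *aliases]}


def check_helo_identity(helo_name, connecting_ip,
                        forward=stub_forward, reverse=stub_reverse):
    """Apply the three checks from the answer. Returns (ok, list of failures)."""
    failures = []
    name = helo_name.rstrip(".").lower()
    if not name or "." not in name:
        # An empty or bare-label HELO is exactly what the 501 errors above report.
        return False, ["HELO argument is empty or not a fully qualified hostname"]
    addr = ipaddress.ip_address(connecting_ip)
    ip = str(addr)
    if ip not in forward(name):
        failures.append(f"forward DNS for {name} does not include {ip}")
    if name not in reverse(ip):
        # reverse_pointer gives e.g. 83.2.0.192.in-addr.arpa for 192.0.2.83
        failures.append(f"PTR for {addr.reverse_pointer} does not name {name}")
    return not failures, failures
```

Passing `forward=live_forward, reverse=live_reverse` runs the same checks against real DNS for your own server’s hostname and public IP.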


View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.