Mail bounced by kw.com saying HELO FQDN check fails

I am going crazy trying to figure this one out. I have a 10.5.8 server running mail for my domain maclan.net on a system that is called mail.maclan.net.

This system is 192.168.1.253 behind my firewall and 66.205.130.215 on the public Internet.


The system and email have been working great for a long time, but someone we know has an email address at kw.com. When sending email from maclan.net to kw.com, the emails are being bounced with:

<xxxxxxx@kw.com>: host mx01.kw.com[66.45.126.185] said: 554 5.7.1
    <[66.205.130.215]>: Helo command rejected: Local policy prohibits address
    literals (in reply to RCPT TO command)

Reporting-MTA: dns; mail.maclan.net
X-Postfix-Queue-ID: 801A1DB05D
X-Postfix-Sender: rfc822; JOHN@MACLAN.NET
Arrival-Date: Tue, 7 Jun 2011 16:20:07 -0700 (PDT)

Final-Recipient: rfc822; xxxxxxxxxx@kw.com
Original-Recipient: rfc822;dhaight@kw.com
Action: failed
Status: 5.7.1
Remote-MTA: dns; mx01.kw.com
Diagnostic-Code: smtp; 554 5.7.1 <[66.205.130.215]>: Helo command rejected:
    Local policy prohibits address literals


So I sent myself an email to another account and did a View Raw Source on it to check out the headers and sure enough it looks like the IP address is being used in the HELO instead of the FQDN:


Received: from unknown (HELO m1pismtp01-027.prod.mesa1.secureserver.net) ([216.69.186.30])
    (envelope-sender <JOHN@MACLAN.NET>)
    by p3plsmtp15-05.prod.phx3.secureserver.net (qmail-1.03) with SMTP
    for <john@amaclife.com>; 7 Jun 2011 23:27:58 -0000
X-IronPort-Anti-Spam-Result: AuQGACSx7k1CzYLX/2dsb2JhbABThyKoZZ9YnyWGIQSGeIoSj2U
Received: from mail.maclan.net (HELO [66.205.130.215]) ([66.205.130.215])
    by m1pismtp01-027.prod.mesa1.secureserver.net with ESMTP; 07 Jun 2011 16:27:57 -0700
Received: from localhost (localhost [127.0.0.1])
    by mail.maclan.net (Postfix) with ESMTP id 15336DB107
    for <john@amaclife.com>; Tue, 7 Jun 2011 16:27:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at maclan.net
Received: from mail.maclan.net ([127.0.0.1])
    by localhost (mail.maclan.net [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id ep31Tl18Oq4T for <john@amaclife.com>;
    Tue, 7 Jun 2011 16:27:56 -0700 (PDT)
Received: from john.maclan.net (john.maclan.net [192.168.1.251])
    by mail.maclan.net (Postfix) with ESMTP id 79BE3DB0F3
    for <john@amaclife.com>; Tue, 7 Jun 2011 16:27:56 -0700 (PDT)


So I've researched this to death and thought there might be problems with my postfix settings or something but I cannot find anything. At this point all that is changed is smtp_helo_name which had been at the default of $myhostname but I forced it to mail.maclan.net in an attempt to fix it. Here's my config info:


postconf -n
command_directory = /usr/sbin
config_directory = /etc/postfix
content_filter = smtp-amavis:[127.0.0.1]:10024
daemon_directory = /usr/libexec/postfix
debug_peer_level = 2
enable_server_options = yes
html_directory = no
inet_interfaces = all
mail_owner = _postfix
mailbox_transport = cyrus
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
message_size_limit = 20971520
mydestination = $myhostname,localhost.$mydomain,maclan.net
mydomain = maclan.net
mydomain_fallback = localhost
myhostname = mail.maclan.net
mynetworks = 127.0.0.0/8
newaliases_path = /usr/bin/newaliases
queue_directory = /private/var/spool/postfix
readme_directory = /usr/share/doc/postfix
relayhost =
sample_directory = /usr/share/doc/postfix/examples
sendmail_path = /usr/sbin/sendmail
setgid_group = _postdrop
smtp_helo_name = mail.maclan.net
smtpd_enforce_tls = no
smtpd_pw_server_security_options = gssapi,cram-md5
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination,permit
smtpd_sasl_auth_enable = yes
smtpd_tls_cert_file = /etc/certificates/MacLAN.crt
smtpd_tls_key_file = /etc/certificates/MacLAN.key
smtpd_tls_loglevel = 0
smtpd_use_pw_server = yes
smtpd_use_tls = yes
unknown_local_recipient_reject_code = 550

changeip -checkhostname
Primary address = 192.168.1.253
Current HostName = mail.maclan.net
DNS HostName = mail.maclan.net
The names match. There is nothing to change.




And using network-tools.com it looks like my external name translates okay forward and reverse. I've also looked at the MX record. So I've hit a point of confusion/frustration. Any ideas would be greatly appreciated.


John

Mac Pro, Mac OS X (10.5.8)

Posted on Jun 7, 2011 5:24 PM


Jun 7, 2011 10:12 PM in response to UptimeJeff

No. I've looked at the help on the kw.com site and have seen this. If you read it, it says "The remote host used a bare IP literal for their HELO/EHLO greeting." As you can see in the messages I inserted above, my HELO does not have HTML, it has my IP address instead of the FQDN. The message on the kw.com page is misleading and in error. I have done a lot of research around this. Also, EVERY email that comes from maclan.net to kw.com is bounced with the same message. I have even sent messages as plain text with a single text phrase such as "Testing again".

Jun 8, 2011 8:51 AM in response to throcki

The KW explanations sure are strange... They say the technical meaning is 'A' but the real meaning is 'B'.

The error we were talking about is a helo error, but it's actually about the body, not the greeting:


"What this actually means is that there is a web address (URL) contained within the body of your email that contains an IP address contained in brackets (ex. [192.168.100.123]) instead of the using a hostname (ex. yahoo.com)."


As you said, you tried plain-text emails, so that's likely not the issue.



One thing I did notice is that your DNS breaks 1 rule in an RFC.


Your MX record points to a CNAME.

MX records are only supposed to point to A records.


It's an efficiency issue (saves 1 lookup).


I've never seen a server block for breaking this rule... but it should be fixed anyway.


Have you tried a manual telnet session?

You could determine if it's the IP, HELO greeting, etc. by trying different combinations.

Jun 8, 2011 3:31 PM in response to UptimeJeff

Thanks. I had not realized that the MX pointing at a CNAME was wrong. I've updated it and the change should be implemented and flow through the Internet over the next hour or so. On my private network side it is/was pointing at an A record, but not on the public side. Maybe this will do something, but like you indicated, it seems doubtful.


I've thought about Telnet but am not sure how to go about it when I am the one sending mail and my server is the one initiating contact. How would I go about it?

Jun 9, 2011 8:03 AM in response to throcki

If you want to try a connection with telnet, type all of this in Terminal except what is in parentheses.

The email addresses should include the <>. Type EVERYTHING except what is in ()


telnet mx01.kw.com 25

(you will see a greeting from their server)


helo mail.maclan.net


mail from: <me@maclan.net>


rcpt to: <person@kw.com>


data


Subject: testing mail


.


(you end the session with a period on a line by itself)

Jun 15, 2011 12:14 PM in response to UptimeJeff

When I do the telnet test I get the following results


Using helo 66.205.130.215

I get a message back from kw.com saying, "554 5.7.1 <66.205.130.215>: Helo command rejected: Local policy prohibits non-alpha helo" right after I do the rcpt to command


Using helo mail.maclan.net

It appears to have sent the message. At the end I got a message from kw.com saying "250 2.0.0 Ok: queued as B9A6B148C1D6"


So this just points back to my system not sending mail.maclan.net in the HELO message...


John
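
Added example, not part of the thread and not code from any poster: a Python audit of the (HELO ...) field in Received headers like the two quoted in the first post. It classifies each recorded HELO as an address literal, a bare IP or an FQDN, the same distinctions behind the two kw.com rejections seen in the telnet test. The sample is re-folded from the post, and the "(HELO name)" layout is assumed to be the one those secureserver.net relays write; headers written by Postfix itself use a different layout.

```python
import ipaddress
import re

# Constructed sample: the two outermost Received headers from the first post, re-folded.
SAMPLE = """\
Received: from unknown (HELO m1pismtp01-027.prod.mesa1.secureserver.net) ([216.69.186.30])
  by p3plsmtp15-05.prod.phx3.secureserver.net (qmail-1.03) with SMTP
Received: from mail.maclan.net (HELO [66.205.130.215]) ([66.205.130.215])
  by m1pismtp01-027.prod.mesa1.secureserver.net with ESMTP; 07 Jun 2011 16:27:57 -0700
"""

HELO_RE = re.compile(r"\(HELO\s+([^)\s]+)\)")   # "(HELO name)" as these relays record it
LABEL_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?")

def classify_helo(name):
    """Classify a HELO argument: address-literal, bare-ip, not-fqdn or fqdn."""
    if name.startswith("[") and name.endswith("]"):
        return "address-literal"            # e.g. [66.205.130.215]
    try:
        ipaddress.ip_address(name)
    except ValueError:
        labels = name.rstrip(".").split(".")
        ok = len(labels) >= 2 and all(LABEL_RE.fullmatch(l) for l in labels)
        return "fqdn" if ok else "not-fqdn"
    return "bare-ip"                        # e.g. 66.205.130.215

def unfold(raw):
    """Join folded continuation lines (leading whitespace) onto their header."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        elif line.strip():
            headers.append(line.strip())
    return headers

def audit_received(raw):
    """Return (recording host, HELO string, class) per Received header with a HELO."""
    out = []
    for header in unfold(raw):
        helo = HELO_RE.search(header)
        by = re.search(r"\bby\s+(\S+)", header)
        if header.lower().startswith("received:") and helo:
            out.append((by.group(1) if by else "?", helo.group(1), classify_helo(helo.group(1))))
    return out

if __name__ == "__main__":
    for by, helo, kind in audit_received(SAMPLE):
        print(f"{by}: HELO {helo} -> {kind}")
```

Run against the raw source of a test message sent to an outside mailbox, this shows which hop recorded a non-FQDN greeting from the sending server.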
