Troubleshooting Tip: Invalid EHLO/HELO domain

FortiMail

FortiMail provides advanced, multi-layer protection against the full spectrum of email-borne threats

Article Id 420601

Description

This article describes how to troubleshoot an invalid EHLO/HELO domain.

Scope

FortiMail v7.6.x, v7.4.x, v7.2.x, v7.0.x.

Solution

If 'Check HELO/EHLO domain' is enabled in a session profile that is used in the IP policy, then the email may be rejected because this check fails:

When FortiMail performs the EHLO/HELO check, it makes an MX (first) or A query for the domain used by the sender in the EHLO/HELO command during session initialization. If the response matched the value in the EHLO/HELO command, the check is successful.

To perform the same check manually, run this command:

execute nslookup name <domain_from_ehlo/helo>

Or run this command:

execute nslookup name < domain_from_ehlo/helo > type mx

In the example above, the MX or A query failed. Because of this, the HELO/EHLO check failed.

To solve this, the sender should have either an MX or an A record published for the SMTP greeting name.

Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Troubleshooting Tip: Invalid EHLO/HELO domain

You are leaving our website