Problem with DA Multiserver (Bad HELO)

Xen

We have two DA-based servers. The second was installed last week. There is an error 'Bad HELO'.

The current situation

Server 1
Hostname srv1.domain.com
Nameservers ns1.domain.com & ns2.domain.com
IP xxx.xxx.xxx.001 & xxx.xxx.xxx.002

Notable DNS settings:
srv1.domain.com. A xxx.xxx.xxx.001
srv1.domain.com. NS ns1.domain.com.
srv1.domain.com. NS ns2.domain.com.


Server 2
Hostname srv2.domain.com
Nameservers ns3.domain.com & ns4.domain.com
IP xxx.xxx.xxx.003

Notable DNS settings:
srv2.domain.com. A xxx.xxx.xxx.003
srv2.domain.com. NS ns1.domain.com.
srv2.domain.com. NS ns2.domain.com.

Settings at domain registry:
ns1.domain.com xxx.xxx.xxx.001
ns2.domain.com xxx.xxx.xxx.002
ns3.domain.com xxx.xxx.xxx.003
ns4.domain.com xxx.xxx.xxx.003


I linked both servers with the DA Multiserver function. DA stores all DNS values on the main server (Server 1).
When I send a Welcome mail for a user that is created on Server 2 to a mail address that is active on Server 2, I get the error below.

/var/log/exim/rejectlog on Server 1:
2016-03-22 17:17:53 H=srv2.domain.com [xxx.xxx.xxx.003] rejected EHLO or HELO srv2.domain.com: Bad HELO - Host impersonating domain name [srv2.domain.com]


What causes this problem?
 
You probably don't have an MX record for domain.com where serv2 is sending for. Or something is wrong with it or the domain does not exist on that server.
So it presents a wrong hostname as HELO to the mail server.

Check your domain with intodns.com or with http://mxtoolbox.com/ if your MX is set up correctly.
 
I ran all the tests. There are no errors except a missing DMARC.

I made some changes:

Server 1
Hostname srv1.domain.com
Nameservers ns1.domain.com & ns2.domain.com
IP xxx.xxx.xxx.001

Notable DNS settings:
srv1.domain.com. A xxx.xxx.xxx.001
srv1.domain.com. NS ns1.domain.com.
srv1.domain.com. NS ns2.domain.com.


Server 2
Hostname srv2.domain.com
Nameservers ns1.domain.com & ns2.domain.com
IP xxx.xxx.xxx.003

Notable DNS settings:
srv2.domain.com. A xxx.xxx.xxx.003
srv2.domain.com. NS ns1.domain.com.
srv2.domain.com. NS ns2.domain.com.


Settings at domain registry
ns1.domain.com xxx.xxx.xxx.001
ns2.domain.com xxx.xxx.xxx.003

Also I added the hostname to '/etc/virtual/whitelist_hosts' and the IP to '/etc/virtual/whitelist_hosts_ip'.

Mail from Server 1 to Server 2 is working now. In reverse direction (Server 2 --> Server 1) I still get an error.


I use the same domain for both servers. The hostname differs.
Can that be a reason for conflicts?
 
> I use the same domain for both servers. The hostname differs.
> Can that be a reason for conflicts?

Yes for sure. Check your MX records, you can't have your main MX record of a domain pointing to 2 different servers.
It's better and easier (for more than 1 reason) to just use different domains on both servers.
 
Hi, I've faced the same problem, I've solved it by editing exim.conf in the mail server like this

just after #EDIT#16
hostlist relay_hosts = net-lsearch;/etc/virtual/pophost

I've added this line

hostlist allowed_helo = net-lsearch;/etc/virtual/allowed_helo

and changed #EDIT#25 from this

# deny if the HELO pretends to be one of the domains hosted on the server
deny message = HELO_IS_LOCAL_DOMAIN
     condition = ${if match_domain{$sender_helo_name}{+local_domains}{true}{false}}
     hosts = ! +relay_hosts
accept

to this

# deny if the HELO pretends to be one of the domains hosted on the server
deny message = HELO_IS_LOCAL_DOMAIN
     condition = ${if match_domain{$sender_helo_name}{+local_domains}{true}{false}}
     hosts = ! +relay_hosts
     hosts = ! +allowed_helo
accept

Finally I've added the first server IP in /etc/virtual/allowed_helo and restarted exim
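
An added example (not part of the post above and not DirectAdmin's own code): a small Python model of the modified #EDIT#25 check, run over rejectlog lines in the format quoted in the first post, to tell an own server that still needs an /etc/virtual/allowed_helo entry apart from a foreign host presenting a local name. List matching is simplified to exact comparison instead of Exim's match_domain and net-lsearch lookups, and the host names, addresses and the `own_servers` parameter are constructed for illustration.

```python
import re

# Matches the "Bad HELO" rejectlog line format quoted in the first post.
BAD_HELO = re.compile(
    r"H=(?P<host>\S+) \[(?P<ip>[^\]]+)\] rejected EHLO or HELO (?P<helo>\S+): Bad HELO"
)

def parse_bad_helo(line):
    """Return (ip, helo) for a 'Bad HELO' rejectlog line, else None."""
    m = BAD_HELO.search(line)
    return (m.group("ip"), m.group("helo").lower()) if m else None

def helo_acl(ip, helo, local_domains, relay_hosts, allowed_helo):
    """Model of the modified #EDIT#25 statement: deny only when the HELO is a
    local domain AND the host is in neither relay_hosts nor allowed_helo."""
    if helo.lower() in local_domains and ip not in relay_hosts and ip not in allowed_helo:
        return "deny"
    return "accept"

def audit(lines, local_domains, relay_hosts, allowed_helo, own_servers):
    """Classify each rejected host: an own server missing from allowed_helo,
    or an unknown host that the ACL should keep rejecting."""
    report = {}
    for line in lines:
        parsed = parse_bad_helo(line)
        if not parsed:
            continue  # some other kind of rejection
        ip, helo = parsed
        verdict = helo_acl(ip, helo, local_domains, relay_hosts, allowed_helo)
        if verdict == "deny" and ip in own_servers:
            report[ip] = "own server: add to allowed_helo"
        elif verdict == "deny":
            report[ip] = "unknown host using local HELO: keep denied"
        else:
            report[ip] = "now accepted"
    return report

# Constructed sample data; addresses come from the documentation ranges.
SAMPLE_LOG = [
    "2016-03-22 17:17:53 H=srv2.example.com [192.0.2.3] rejected EHLO or HELO srv2.example.com: Bad HELO - Host impersonating domain name [srv2.example.com]",
    "2016-03-22 17:20:10 H=(srv1.example.com) [203.0.113.50] rejected EHLO or HELO srv1.example.com: Bad HELO - Host impersonating domain name [srv1.example.com]",
    "2016-03-22 17:21:00 H=mail.example.net [198.51.100.7] F=<a@example.net> rejected RCPT <b@example.com>: relay not permitted",
]
LOCAL_DOMAINS = {"example.com", "srv1.example.com", "srv2.example.com"}

if __name__ == "__main__":
    for ip, note in audit(SAMPLE_LOG, LOCAL_DOMAINS, set(), set(), {"192.0.2.3"}).items():
        print(ip, note)
```

Listing only the peer server's IP in allowed_helo keeps the deny in force for every other host that presents one of the local domain names.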
 
Thanks for this info, it works a treat, really appreciated you posted this.
Cheers




