grant-ellsworth
 asked on

email thru IIS5.0 smtp relay triggers BAD HELO NO DNS status WHY?

Hello, On an IIS5.0 I have an smtp relay for routing outbound email.  The outbound email is getting trapped in spam filters for "bad helo no dns"  
Configuration :
1. IIS is running on a Windows 2003 server behind a NAT firewall.  
2. SMTP relay is set to relay only for computers on local  network.
3.  Router is using NAT - no transparent mapping external IPs - router supports one public IP address
4.  Server is behind the NATWall
5.  SMTP TCP Port 25 is open on firewall and is forwarded to WinServer 2003 which is hosting the IIS / SMTP Relay
6.  Inside lan I can telnet to the IIS SMTP relay and get the identifier displayed and enter commands
7.  Outside / from internet, telnet to router's public ip on port 25 produces black screen - NO id string gets displayed and any attempt to key anything ends the application
Not all email is getting stomped as spam as most recipients do not have this aggressive detection set (bad helo etc)
Local email client is Outlook express equivalent

What do I need to do to get the smtp relay to be recognized as a valid smtp relay so our emails aren't stomped as spam?
Email Protocols, Windows Server 2003, Microsoft IIS Web Server


8/22/2022 - Mon
moorhouselondon

What do you have in the EHLO setup in IIS?  Does this relate to something observable by an outside entity checking the DNS settings of the Domain mentioned in your EHLO?  

If for example the Domain is a local domain then a recipient checking for the existence of that Domain will not find it.  Check that there are no spurious characters in that field too.

There is also a switch which offers a choice of greeting  with HELO instead of EHLO.
grant-ellsworth

ASKER
The smtp relay isn't responding to anything from the internet - see item 7 in my original problem description.

Also, I don't have a clue about how to setup EHLO or HELO in the IIS5.0 setup.  Where do I go to do what???

>> If for example the Domain is a local domain then a recipient checking for the existence of that Domain will not find it.  Check that there are no spurious characters in that field too.
??? Where is this DOMAIN set - what are you referring to as local domain??

>> There is also a switch which offers a choice of greeting  with HELO instead of EHLO.
??? Where is this switch??
moorhouselondon

grant-ellsworth

ASKER
I'm wondering if some of my problem involves the fact that my smtp relay / iis server is behind a NAT-wall and the DNS name/PTR config points at the public face of the Router ... any thoughts on this?
moorhouselondon

That will work fine, the Public IP address is fixed, rather than dynamic, I assume.  Has Port Forwarding been setup to forward Port 25 at the Public side of your Router to the IP address of your IIS server (which is on a fixed non-DHCP private range IP address)?  More on Port Forwarding here:-

www.portforward.com

Choose Router list from the menu at the top, locate your Router from the list, skip the advert, and choose SMTP from the comprehensive list.
grant-ellsworth

ASKER
Public IP is fixed.  LAN Server with IIS is Fixed. Port forwarding port 25 TCP to LAN Side server with  IIS / SMTP Relay.  Router is Linksys/Cisco RV4000 - not in the list.  No matter - I know how to set up port forward.
moorhouselondon

>7.  Outside / from internet, telnet to router's public ip on port 25 produces black screen - NO id string gets displayed and any attempt to key anything ends the application

If the Port Forwarding is setup ok, and any Firewall straddling the LAN perimeter is allowing SMTP traffic to flow, then there remains the possibility that your Broadband provider is blocking Port 25.
grant-ellsworth

ASKER
Good point. The broadband provider sure ain't blocking port 25 outbound.  I don't know about inbound.  The iis server is in a server farm where there are other servers and, I believe, other servers with active smtp relays - I know there is at least 1 other.  Our router is inside the server farm network our server is one of 2 "behind" the router. So, although I doubt there are any brakes on inbound port 25 traffic in this farm, I will ask the farmer about the borders and fences.  Meanwhile, if you think of something else that might be throwing the curve, let me know.
moorhouselondon

>our server is one of 2 "behind" the router.

Only one of them can receive Port 25 traffic though, unless there is some fancy config on the router.  How many public IP's are usable on your feed?

Have a play with the Shields Up facility on this site, from your server:-

www.grc.com

Set a Custom Probe up by putting 25 into the box above it and doing a scan for that port only (routers sometimes have a stealth mechanism for hiding away from Port scans).

If Port 25 is shown as Fail then that means Port 25 is reaching your server.  If it says Pass or Stealth then "something" is blocking it.  But what?

It is difficult to troubleshoot something which has a black box at the other end of it, so you need to prod the black box a bit and see what results you get.  Here's my suggestion:-

Setup another Port Forward for say POP3 (Port 110), type in exactly the same Port forwarding Parameters as for 25, and setup firewalls in exactly the same way as for Port 25.  Does POP traffic get through (using Shields Up)?  Yes, then speak to your Broadband Provider.  It's looking more likely (though not certain) that they are curtailing your feed.
grant-ellsworth

ASKER
grc shields-up says the port is open.  server 2 has no apps running looking for smtp inbound traffic.  the only server-2 apps running are: sqlserver 2005 and DNS for MS DS (server 2 is primary domain controller for the MS Directory Services krap).

From outside the server farm, I've used telnet to test access to the relay via port 25. If I turn off the smtp server, connection fails. If the smtp server is turned on, the login attempt hangs with blinking cursor on blank black screen, no greeting comes up and any keystroke ends the connection. So I would conclude that I have missed something when setting up the smtp server.  What might it be???
moorhouselondon

>6.  Inside lan I can telnet to the IIS SMTP relay and get the identifier displayed and enter commands

You are telnetting to the *same* IP address that is setup in the Router Port Forwarding config?

Or do you have 2 NIC's in the server?  
grant-ellsworth

ASKER
I am telnetting to the router - router is forwarding port 25 to server with IIS/smtp relay.  
---
Since prev communication, I tried some changes in the smtp relay configuration.  I am now able to telnet to the relay and see the greeting and enter the helo command.

The changes were:
1.  I removed the constraint in the connections page where I had limited connections to the smtp server only to IP addrs on the lan.  I set connection control to "all except list below" and made sure list was empty.
2.  I set relay restrictions to only IP addrs on the LAN behind the NAT-Wall.
3.  I left Authentication to "anonymous" to accommodate  existing email client setups.

Results:
1.  I can telnet/helo to the smtp relay
2.  I can send email as before
3.  Outbound email is still flagged as bad helo no dns - which is the original problem - HOW DO I FIX THIS???
--------------
More info on the helo / greetings etc..
1.  In my dns, I have set an A-record to: public-IP-address A smtp1.mydomain.com
2.  My farmer's ISP has set up the reverse lookup PTR record correctly
4.  My smtp relay displays in the greeting: mycomputername.mylocal-directory-servicename.mydomain.com
5.  Helo produces the same string as in 4.

So, again - to the original problem - how do I get past getting flagged as spam because of "BAD HELO NO DNS"??
moorhouselondon

Do you have the full SMTP handshaking transcript log from the server you can paste here, anonymising anything sensitive?
grant-ellsworth

ASKER
Nope - no log.  how do I get that?
grant-ellsworth

ASKER
FUP - Are you sure I haven't screwed up some setting in my smtp config in IIS?  Seems to me that the remaining issue is that the HELO returns the directory services name of my server which is not in the DNS.  I thought it had to be the name of my smtp relay which is in DNS and does now have a PTR record.  I "googled" the "BAD HELO NO DNS" collection and found a couple of pages that said the HELO greeting name would be checked for a DNS A-record.  Seems to me that I gotta change that HELO greeting.  Your thoughts??
moorhouselondon

Yes, that's in fact what I meant by my original comment:-

"What do you have in the EHLO setup in IIS?  Does this relate to something observable by an outside entity checking the DNS settings of the Domain mentioned in your EHLO?  "

What you put in that field will be checked against the Reverse DNS/PTR record for the IP sending the mail.  Now in www.grc.com Shields Up the first thing you see is a panel with the following title in red

The text below might uniquely
identify you on the Internet

Does the text that follows...

Your Internet connection's IP address is uniquely associated with the following "machine name":

...match what is in your IIS EHLO field?  If not then you need to speak to your service provider to get it changed.
moorhouselondon

...and yes, the EHLO needs to be for a Domain that is visible from the outside world, *not* a local domain.
grant-ellsworth

ASKER
Somewhere - I lost the link <grr didn't save it - I think it was somewhere on the imgate website but I can't find it now>- I read that some configs of Lotus Domino and Exchange Server would inquire using HELO instead of EHLO.  So I changed my smtp relay param to display the helo greeting.

The GRC report displays the smtp name we assigned to the Router and the PTR reverse lookup.  The Helo greeting displays the computername as it's known inside the Natwall. So, I assume there's a way to change the Helo greeting so it uses the "external" name instead of the lan side computer name.  Where do I go in the MS Mess to do this?
ASKER CERTIFIED SOLUTION
moorhouselondon

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
grant-ellsworth

ASKER
Thanks for the reminder.  I now have it "bookmarked"  I got overwhelmed with details not keeping track of what came from where.  I also "bookmarked" http://www.imgate.net/?page_id=130 which has some specific info about the "bad helo no dns".  But all this discussion left me clueless about how to get the helo greeting line to match the DNS name of the ip address and its reverse lookup.  Field labels are soooo misleading.   Like "What do you mean by 'Domain' in this context?" I finally figured it out there are 3 ways to do it:
1.  change/set the DNS A rec and its PTR to reference the DOMAIN name given the SMTP virtual server on the 4th page of the wizard as the Default Domain Name.  NOWHERE is it obvious that THIS is going to be the FQDN broadcast in the Helo msg - also, it seems to generate the local computer name as the default "Domain"
2.  After creating a smtp with a bad domain name, go to the properties of the virtual smtp then to the "Delivery Page", then to the "Advanced" option where-in we find the "Fully Qualified Domain Name" - same content as Default Domain described in 1.

Item 2 is the other part of what I needed to solve my "Bad Helo No DNS" issue.

Reviewing the solution:

1.  To enable HELO/EHLO queries to the virtual smtp server, we need to open port 25, and make sure that connections are allowed from any IP. Relay can/should be restricted as needed
2.  To get past the "bad helo no dns" issue, the FQDN of the smtp Helo message is captured from its "Domain Name/FQDN" and must match the name in DNS A-record and in the PTR reverse lookup.
3.  Be aware of what names which component when using NAT and port forwarding.

Does this sum it up?
grant-ellsworth

ASKER
My summation is the complete solution.  However, I would not have arrived there without the commentary and links provided by moorhouselondon.
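
The rule the thread arrives at (the HELO name, its DNS A record and the PTR of the public IP must all agree) can be checked before any mail is sent. The following Python sketch is an added example, not part of the original thread: the function names, the address 203.0.113.10 and the lookup tables are constructed for illustration, and the exact tests a given spam filter applies are an assumption.

```python
import socket

def _dns_a(name):
    """Live A lookup: set of IPv4 strings, empty if the name does not resolve."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()

def _dns_ptr(ip):
    """Live PTR lookup: the reverse name, or None if there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def _norm(name):
    # DNS names compare case-insensitively; drop the trailing root dot.
    return name.rstrip(".").lower()

def check_helo(helo, public_ip, lookup_a=_dns_a, lookup_ptr=_dns_ptr):
    """List the problems a receiving filter could hold against this HELO name."""
    problems = []
    helo = _norm(helo)
    if "." not in helo:
        problems.append("HELO name is not fully qualified")
    addrs = lookup_a(helo)
    if not addrs:
        problems.append("HELO name has no A record (no DNS)")
    elif public_ip not in addrs:
        problems.append("HELO A record does not point at the sending IP")
    ptr = lookup_ptr(public_ip)
    if ptr is None:
        problems.append("sending IP has no PTR record")
    elif _norm(ptr) != helo:
        problems.append("PTR name differs from HELO name")
    return problems

# Constructed tables standing in for public DNS (not taken from a real zone).
SAMPLE_A = {"smtp1.mydomain.com": {"203.0.113.10"}}
SAMPLE_PTR = {"203.0.113.10": "smtp1.mydomain.com."}

def sample_check(helo, ip="203.0.113.10"):
    """Run check_helo against the constructed tables instead of live DNS."""
    return check_helo(helo, ip,
                      lambda n: SAMPLE_A.get(n, set()),
                      lambda a: SAMPLE_PTR.get(a))

if __name__ == "__main__":
    for name in ("mycomputername.mylocal-directory-servicename.mydomain.com",
                 "smtp1.mydomain.com"):
        print(name, "->", sample_check(name) or "OK")
```

Calling `check_helo(name, ip)` without the two lookup arguments queries live DNS; run it from a host outside the NAT so the answers are the ones a receiving mail server would see.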