This is on a new installation of Exchange 2010. One or our vendors has a spam filter that they say is blocking outbound mail to our server. with this error" 554 5.7.1 This message has been blocked because the HELO/EHLO domain is invalid. We have not had an issue with any other emails (that we know of). domainA.net MX=mail.domainA.net vendor.com MX=mail.vendor.com when I telnet to my server from one of our clients sites, this is what I get 220 mail.domainA.net Microsoft ESMTP MAIL Service ready at Fri, 19 Feb 2010 09:34:52 -0600 ehlo 250-mail.domainA.net Hello [public IP] 250-SIZE 250-DSN 250-ENHANCEDSTATUSCODES 250-STARTTLS 250-AUTH NTLM 250-8BITMIME 250-BINARYMIME 250 CHUNKING mail from: mail from:user1@domainA.net 501 5.1.7 Invalid address 250 2.1.0 Sender OK rcpt to:user1@domainA.net 554 5.7.1 This message has been blocked because the HELO/EHLO domain is invalid. After seeing this I'm starting to think that my mail server is blocking them. If I go to an unrelated mail server and telnet to my mail server. <!-- [if gte mso 10]> <mce:style> 220 mail.domainA.net Microsoft ESMTP MAIL Service ready at Fri, 19 Feb 2010 09:42:27 -0600 ehlo mail.domainB.org 250-mail.domainA.net Hello [public IP that points to mail.domainB.org ] 250-SIZE 250-DSN 250-ENHANCEDSTATUSCODES 250-STARTTLS 250-AUTH NTLM 250-8BITMIME 250-BINARYMIME 250 XXXXXXXX mail from:user1@domainA.net 250 2.1.0 Sender OK ma rcpt to:user1@domainA.net 500 5.3.3 Unrecognized command 250 2.1.5 Recipient OK And moving on to the issue at hand. If I telnet to mail.vendor.com and type ehlo domainA.net 220 spamfilter.vendor.com ESMTP SonicWALL (7.1.2.2233) ehlo domainA.net 250-spamfilter.vendor.com 250-8BITMIME 250-ENHANCEDSTATUSCODES 250 SIZE If I telnet to mail.vendor.com and just type ehlo 220 spamfilter.vendor.com ESMTP SonicWALL (7.1.2.2233) ehlo 501 5.5.2 HELO requires domain address So, All I can think of is two possible scenarios. Scenario #1 When a user at vendor.com sends an email to a user at domainA.net , the mail server at domainA.net does not respond with the proper domain name in the helo/ehlo message. The spamfilter.vendor.com server then blocks the message from being sent, and sends the error message to the sender. 554 5.7.1 This message has been blocked because the HELO/EHLO domain is invalid. Scenario #2 When a user at vendor.com sends an email to a user at domainA.net , the mail server at domainA.net sees that the server name listed the SMTP message does not match the MX record for the domain. The mail server at domainA.net responds with an error and closes the connection. The error being... 554 5.7.1 This message has been blocked because the HELO/EHLO domain is invalid. ====================================== My brain is wore out and I could use some help. I apologize now, if I've left out any important info

Hi,Your story is a little bit confusing because the scenario's you mention doesn't match with the examples.So I had a look at the examples you gave and here's a short explanation per example1) it can be that the receive connector with the anonymous authentication method doesn't match an IP of the internal client, in this case the other receive connector is used which requires authentication. If you will perform the same test from Outlook it will work.2) no explanation needed I think3) no explanation needed I think4) I think this is required because of the RFC821So when looking at the issue it looks like there is a missing helo/ehlo domain on the send connector. Please check the send connector and make sure it contains a correct value.Regards,Johan Exchange-blog: www.johanveldhuis.nl

Sorry for the confusion and thank you for your reply. I have checked my send connector on my exchange server. For this example it is mail.domainA.net This should be the mx record for my domain right? What confuses me is that the admin at the vendor says it's my issue, but when I telnet to their mail server the SMTP helo/ehlo domain is not the same as the MX record for the domain.

Hi,Yes in most cases this is true. OK but if they say it's an issue with your server why do you only have it with that specific vendor ?Regards,JohanExchange-blog: www.johanveldhuis.nl

That's what I was thinking. If my server was not sending a valid helo domain then most mails servers would end the connection right?

After the network admin tells me that all is well with the firewall/router and I bang my head against the desk, I ask him to disable all the firewall policies for the mail server route just for testing. After he does that everything starts working the way I expect it to. I forgot the first rule of troubleshooting... SIMPLIFY!!!! Now HE gets to have some fun.