This plugin performs a number of checks on the HELO string.

HELO strings are very often forged or dubious in spam and so this can be a highly effective and false-positive free anti-spam measure.


helo.checks results can be accessed by subsequent plugins:

var h = connection.results.get('helo.checks');
if (h.pass && h.pass.length > 5) {
    // nice job, you passed 6+ tests
if (h.fail && h.fail.length > 3) {
    // yikes, you failed 4+ tests!
if (connection.results.has('helo.checks','pass', /^forward_dns/) {
    // the HELO hostname is valid


  • helo.checks.regexps

    List of regular expressions to match against the HELO string. The regular expressions are automatically wrapped in ^ and $ so they always match the entire string.

  • helo.checks.ini

    INI file which controls enabling of certain checks:

    • dns_timeout=30

      How many seconds to wait for DNS queries to timeout.


* valid\_hostname=true

  Checks that the HELO has at least one '.' in it and the organizational
  name is possible (ie, a host within a Public Suffix).

* bare\_ip=true

  Checks for HELO <IP> where the IP is not surrounded by square brackets.
  This is an RFC violation so should always be enabled.

* dynamic=true

  Checks to see if all or part the connecting IP address appears within
  the HELO argument to indicate that the client has a dynamic IP address.

* literal\_mismatch=1|2|3

  Checks to see if the IP literal used matches the connecting IP address.
  If set to 1, the full IP must match.  If set to 2, the /24 must match.
  If set to 3, the /24 may match, or the IP can be private (RFC 1918).

* match\_re=true

  See above. This is merely an on/off toggle.

* big\_company=true

  See below. This is merely an on/off toggle.

* forward\_dns=true

  Perform a DNS lookup of the HELO hostname and validate that the IP of
  the remote is included in the IP(s) of the HELO hostname.

  This test requires that the valid\_hostname check is also enabled.

* rdns\_match=true

  Sees if the HELO hostname (or at least the domain) match the rDNS

* mismatch=true

  If HELO is called multiple times, checks if the hostname differs between
  EHLO invocations.

* proto\_mismatch=true

  If EHLO was sent and the host later tries to then send HELO or vice-versa.


For all of the checks included above, a matching key in the reject section
controls whether messages that fail the test are rejected.

Defaults shown:



* private\_ip=true

  Bypasses checks for clients within RFC1918, Loopback or APIPA IP address ranges.

* relaying

  Bypass checks for clients who have relaying privileges (whitelisted IP,
  SMTP-AUTH, etc).


  A list of <helo>=<rdns>[,<rdns>...] to match against. If the HELO matches
  what's on the left hand side, the reverse-DNS must match one of the
  entries on the right hand side or the mail is blocked.