Email sending error: 550 Access denied – Invalid HELO name

An error message ‘550 Access denied – Invalid HELO name’ appears when sending email through outlook or other mail clients on exim / cPanel server. The message reads as follows:

Task ‘email address – Sending’ reported error (0x800CCC78): ‘Cannot send the message. Verify the email address in your account properties. The server responded: 550 Access denied – Invalid HELO name (See RFC2821’
Email Sending: 550 Access denied – Invalid HELO name

After investigating the error message in exim mail server logs /var/log/exim_mainlog on the cPanel server, it was not clear why this error was being generated. How can a client send invalid HELO? They are using their own email account on the server. Google search did not help. Many cPanel users suggested disabling invalid HELO check in Exim Configuration. However disabling that will result in a lot of incoming spam from bots for all clients. User was just trying to send email through their account i.e. relaying it.

And that is the clue: Email Relay. Client was using old antirelayd system which relies on SMTP relay after IMAP/POP3 authentication. That old system is disabled to increase the security of the server. To relay email through the server requires SMTP authentication using the same login information as POP3/IMAP.

The following screen shot shows how to enable this in Microsoft Outlook. This is usually found under More Settings of an email account. Select the Outgoing Server tab and check the My outgoing server (SMTP) requires authentication. The first radio button will use same username/password combination used by incoming mail server (either POP3 or IMAP). This way you do not have to update it at two places when you change the email account password.

Outlook Email Settings – My outgoing server (SMTP) requires authentication

As soon as the SMTP authentication is activated, emails can be relayed from the server and there is no invalid HELO name error.