diff --git a/qubes/firewall.py b/qubes/firewall.py
index a9d195e8..86397802 100644
--- a/qubes/firewall.py
+++ b/qubes/firewall.py
@@ -123,7 +123,8 @@ class DstHost(RuleOption):
                     self.type = 'dsthost'
                     self.prefixlen = 0
                     safe_set = string.ascii_lowercase + string.digits + '-._'
-                    assert all(c in safe_set for c in untrusted_value)
+                    if not all(c in safe_set for c in untrusted_value):
+                        raise ValueError('Invalid hostname')
                     value = untrusted_value
         else:
             untrusted_host, untrusted_prefixlen = untrusted_value.split('/', 1)
diff --git a/qubes/tests/firewall.py b/qubes/tests/firewall.py
index f4594d45..f70bbef3 100644
--- a/qubes/tests/firewall.py
+++ b/qubes/tests/firewall.py
@@ -202,7 +202,6 @@ class TC_02_DstHost(qubes.tests.QubesTestCase):
         with self.assertRaises(ValueError):
             qubes.firewall.DstHost('2001:abcd:efab::3/64')
 
-    @unittest.expectedFailure
     def test_020_invalid_hostname(self):
         with self.assertRaises(ValueError):
             qubes.firewall.DstHost('www  qubes-os.org')