Re: Undeliverable Mail



Well, adding an SPF record is out of the question. See below:

Yes, our large, cluster-based DNS system is compliant with RFC 1035. It
does support the use of TXT records. The actual DNS system itself, that is.
But we use a third party DNS management tool (NicTool) which does NOT support
the use of TXT records at this time.

TXT records have been around forever, but have never been used for any real
purpose, prior to SPF. Because TXT records were not used for anything at the
time, the designers of NicTool did not develop TXT record functionality into
the product. My understanding is that this is being or has been added to
newer versions of NicTool. However, because of the cost to upgrade our very
large DNS system, and the serious potential for customer downtime in the
process, we are not going to be making this upgrade until ONE sender
authentication protocol is selected by the IETF as the OFFICIAL accepted
protocol. Currently, there are a number of different solutions being
developed around the world, with SPF being only one of them. While SPF is
widely used across the board, no postmaster in his right mind would block
mail solely based upon SPF, as it is not yet an adopted STANDARD. With SPF
not being a single, internationally recognized answer for the sender
authentication problem, and with no non-SPF reason to have TXT records
enabled, it is not economically feasible to risk the cost and downtime as of
yet.



"Ben Winzenz [Exchange MVP]" wrote:

> I thought about the way I had typed that, but I still stand by it. I can't
> stand it when ISPs or hosting providers play dumb because they don't want
> to do something (which is probably what the case is here).
>
> As far as the Cisco PIX, I can't speak to the programming, but here's the
> overview of what Mailguard does. It's on by default, BTW - you have to
> specifically disable it. Mailguard basically disables all ESMTP commands,
> limiting remote servers to only basic SMTP commands. For example, HELO is a
> basic SMTP greeting, while EHLO is an Enhanced (ESMTP) command. If you
> telnet to your server (from outside) and issue an EHLO command, the PIX will
> block the command and you'll get back a 500 5.3.3 Unrecognized command
> response. Technically, it shouldn't cause issues, but prevents using some
> of the more useful ESMTP commands. If you want to disable it, follow the
> instructions in this KB article.
> http://support.microsoft.com/kb/320027/
>
> As far as logging, if you enabled SMTP Protocol logging, you will find the
> logs in the c:\windows\system32\logfiles\smtpsvc1 directory. It's enabled
> on the properties of the Default SMTP Virtual server.
>
> --
> Ben Winzenz
> Exchange MVP
> MessageOne
> Read my blog!
> http://winzenz.blogspot.com
> http://feeds.feedburner.com/winzenz (RSS Feed)
>
>
> "ESI" <ESI@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:A5C01817-8344-4A56-8C1F-CCC4E3D8EA4E@xxxxxxxxxxxxxxxx
> > How do you like Interland now? HEH Well I will push the issue some, we are
> > switching hosts within a month to IKH. Hopefully they will have a better
> > department for handling these issues.
> > Well I did some more testing at work. I can telnet to their server (AOL)
> > and send mail that way. So I did come across something. Now while trolling
> > the aol postmaster site I did find this snippet:
> > Queuing Mail
> >
> > If the email you are attempting to send to America Online is queuing in
> > your Outgoing Mail Server there are steps you can take to troubleshoot and
> > correct the problem.
> >
> > You have a Cisco pix firewall.
> >
> > Please contact Cisco you may need to increase DNS packet size.
> > DNS Caching.
> >
> > Please contact your system administrator. DNS caching is known to cause
> > mail queuing when sending to the AOL mail server. Specifying IP address of
> > AOL's relay servers is also known to cause this issue.
> >
> > I'll have to contact the company that set up our server and pix as they
> > said the work on the pix is all command line. Personally I think they
> > should do it for free as this is an ongoing problem. But that's my fight.
> > But at the same time I was going to inquire about the mailguard. You said
> > it doesn't need to be run, the admin at dnsstuff said it looks like bad
> > programming on whoever set it up. I can't find any info as to what
> > mailguard does and if we really do/do not need it.
> >
> > I set up logging, I may have done it right, or not. I didn't see any text
> > as to smtp protocols. I also set up alerts for SBS2K3, and I got an email
> > saying there was a lot of email sitting in the queue. Which prompted me to
> > search for queue on aol. I did notice after an hour the log was 5MB.
> > Reading through what I could make out, there is a whole lot of mail in
> > there that isn't from our company although the sender shows a
> > bogusname@xxxxxxxxxxxxxxxxxx And a lot of email to postmaster saying stop
> > sending we don't have that address.
> >
> > Well I think I'm getting somewhere. Just not sure where. Thanks for all
> > your help.
> >
> > "Ben Winzenz [Exchange MVP]" wrote:
> >
> >> Interland is a bunch of morons then. SPF records are DNS resource records
> >> of type TXT. If they don't know how to do that, and want to cop out and say
> >> their servers don't support it (which I'd submit is a load of crap), they
> >> don't deserve to be a hosting provider, or at least don't deserve your
> >> business. RFC 1035 (http://www.faqs.org/rfcs/rfc1035.html) defines DNS
> >> resource record types, which include TXT. Since it was submitted in, oh,
> >> 1987!, saying their servers don't support creating TXT records is
> >> nonsense, unless their server is totally non-RFC compliant, in which case,
> >> again, they should not be a hosting provider. You might try getting ahold
> >> of one of their senior network folks. In many cases, the level 1 folks
> >> aren't real bright when it comes to dealing with stuff like that.
> >>
> >> AOL adding your IP to *their* whitelist shouldn't be a big deal. It's on
> >> their end, not yours. I would have been more than suspicious if they had
> >> asked you to add their server to your whitelist, though :-)
> >>
> >> You enabled logging means......you enabled SMTP Protocol logging? If so,
> >> make sure that you enabled all the advanced logging options. If you can't
> >> interpret what it is saying (which is ok), please post the relevant section
> >> of the smtp log that shows the conversation between your server and AOL's
> >> server.
> >>
> >> --
> >> Ben Winzenz
> >> Exchange MVP
> >> MessageOne
> >> Read my blog!
> >> http://winzenz.blogspot.com
> >> http://feeds.feedburner.com/winzenz (RSS Feed)
> >>
> >>
> >> "ESI" <ESI@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:8CE77EF5-D6CB-4C5D-90E4-55B8C2D308B1@xxxxxxxxxxxxxxxx
> >> > Well I'm still on a quest to send email to aol and yahoo. Your suggestion
> >> > to add an SPF record applies to our domain hosted by Interland. I sent
> >> > them a ticket request for that addition. Their servers do not support that:
> >> >
> >> > Unfortunately, at this time, we are unable to create an SPF record for
> >> > the domain. This is not supported by our servers.
> >> >
> >> > I contacted AOL and they wanted me to submit our IP to their whitelist. I
> >> > didn't see any harm in that, although perplexed as to why I had to. That
> >> > request was approved. Still no email going through.
> >> >
> >> > I enabled logging of the exchange server. I look at the log, I see where
> >> > the user sent an email, just not quite sure what else in the maze of
> >> > gobbledygook listed shows errors or what not. I get a 4.4.7 error in the
> >> > returned email. Does that help?
> >> >
> >> > "Ben Winzenz [Exchange MVP]" wrote:
> >> >
> >> >> You can ignore the Warning on the mail server host name in greeting. That
> >> >> only applies to inbound mail. The cause is that you have a Cisco PIX with
> >> >> the Mailguard feature turned on. You don't need it enabled, and it can
> >> >> potentially cause problems with other mail systems trying to send mail to
> >> >> you, but it won't cause the problem of not being able to send mail to
> >> >> yahoo or aol. If you want to get rid of that warning, then disable
> >> >> Mailguard on your PIX.
> >> >>
> >> >> You may want to register SPF records, as dnsreport suggests. Looks like
> >> >> they have a wizard that walks you through how to set up the SPF record.
> >> >> SPF records are registered as TXT records (versus say A or MX records).
> >> >>
> >> >> --
> >> >> Ben Winzenz
> >> >> Exchange MVP
> >> >> MessageOne
> >> >> Read my blog!
> >> >> http://winzenz.blogspot.com
> >> >> http://feeds.feedburner.com/winzenz (RSS Feed)
> >> >>
> >> >>
> >> >> "ESI" <ESI@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> >> news:0533A4AD-1D3B-4BED-8C78-FE95AFAAB5EF@xxxxxxxxxxxxxxxx
> >> >> > The ISP has re-directed the ptr record back to the
> >> >> > mail.esi-extrusion.com. I went to the reverse dns on dnsstuff.com and it
> >> >> > apparently is working. I still cannot send email to yahoo or aol
> >> >> > accounts. When I put in esi-extrusion.com in dnsreport.com checker, it
> >> >> > still shows the same errors. I don't know what else to change. Any ideas?
> >> >> >
> >> >> > "Ben Winzenz [Exchange MVP]" wrote:
> >> >> >
> >> >> >> You would be asking your ISP to map the PTR record for the IP address
> >> >> >> back to mail.esi-extrusion.net. It needs to match the name of the
> >> >> >> sending server. Note that your ISP may not be willing to do this. It
> >> >> >> isn't an unreasonable request, but some ISPs won't do it.
> >> >> >>
> >> >> >> A Smarthost simply means that instead of your server directly
> >> >> >> connecting to the target server, you will forward all mail to your ISP
> >> >> >> first, and your ISP will do the actual delivery of the mail. ISPs
> >> >> >> typically will allow their customers to do this.
> >> >> >>
> >> >> >> Did the company that set up your server indicate what the tweak was?
> >> >> >> Regardless, if you are able to resolve MX records for yahoo and aol, it
> >> >> >> won't be a problem with your DNS server.
> >> >> >>
> >> >> >> --
> >> >> >> Ben Winzenz
> >> >> >> Exchange MVP
> >> >> >> MessageOne
> >> >> >> Read my blog!
> >> >> >> http://winzenz.blogspot.com
> >> >> >> http://feeds.feedburner.com/winzenz (RSS Feed)
> >> >> >>
> >> >> >>
> >> >> >> "ESI" <ESI@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> >> >> news:3645EA9A-C86D-4FCD-945D-85F36E1E948A@xxxxxxxxxxxxxxxx
> >> >> >> > When we switched from Interland hosting our email to hosting our own,
> >> >> >> > it was quite a feat to get them to understand what needed changed, as I
> >> >> >> > remember our server IT person had to walk them thru it. Quite
> >> >> >> > conceivably they didn't do it correctly.
> >> >> >> >
> >> >> >> > We do have a static ip for our Exchange Server. SBC is our ISP and our
> >> >> >> > website is hosted by Interland currently. I want to be sure, I am
> >> >> >> > asking SBC to re-map our ptr record back to esi-extrusion.com and not
> >> >> >> > Interland?
> >> >> >> >
> >> >> >> > I do not know what Smarthost is. I'm sorry. I'm going to do a search
> >> >> >> > and read up on it shortly.
> >> >> >> >
> >> >> >> > I know people in general don't like to help newbies or generally
> >> >> >> > stupid people thrust into a position by their company. If I get this
> >> >> >> > all worked out, just know that someone will think you're a hero.
> >> >> >> >
> >> >> >> > "Ben Winzenz [Exchange MVP]" wrote:
> >> >> >> >
> >> >> >> >> You have a PTR record, but it does not map to your MX record. If a
> >> >> >> >> receiving mail server is doing a reverse-DNS lookup, then the PTR
> >> >> >> >> record will not match the name that the server says it is and could
> >> >> >> >> cause the connection to be rejected.
> >> >> >> >>
> >> >> >> >> Do you have a static IP address, or is this a dynamic IP? If it's a
> >> >> >> >> dynamic IP, then you won't have any control over this. If static, you
> >> >> >> >> can ask your ISP to modify the PTR record to map back to
> >> >> >> >> mail.esi-extrusion.com,