Re: Exchange reverse DNS problems



mctwist wrote:
Hi, I have a problem with a couple of my clients with some new anti-
spam filters. Those clients run SBS 2003, and are all set up with
Exchange, either with POP3 Connector, or each user as a POP account on
their computer, which then saves their email on Exchange.

The problem I'm having is that they try to send emails to a local
University, and it's being rejected by them because it can't perform a
reverse DNS lookup on my clients server. I'm receiving those messages:

ERROR: The IP of one or more of your mail server(s) have no reverse
DNS
(PTR) entries. RFC1912 2.1 says you should have a reverse DNS for all
your mail servers. It is strongly urged that you have them, as many
mailservers will not accept mail from mailservers with no reverse DNS
entry.


<SERVER.business.local #4.7.1 smtp;450 4.7.1 Client host rejected:
cannot find your hostname, [xxx.xxx.34.21]>


I changed the IP in the last message, but it represents their public
IP. As you can see, the local domain name doesn't match their email
addresses (local domain would be in the format business.local, while
email address domain would be in the @ent-business.com format, it's
not their actual domain, just used for example purposes). I already
changed their recipient policies to match their email. I have a good
understanding of what needs to be done, but need confirmation/
clarification on a couple of things.

This is what I think needs to be done, and what I need more info on.
Please correct me if I'm wrong.

1- I need to create an A record at their ISP or web provider DNS
pointing to the public IP of my server.

At the company holding the domain name registration.

2- I know I need to create a PTR (reverse DNS) for my IP, but is it
with the ISP or on their web provider DNS? (I think one client has
their web package with their ISP, the other with a hosting company)

The owner of the IP address i.e. the ISP does that.

3- An MX record also has to be created for their server, and I plan to
set up 2 MX records with different priorities. First one would be their
server, the other with the ISP or web provider. That way, if their
server is down for maintenance, their email will still be working, and
I plan to keep the POP3 Connector setup for that purpose, which would
check every couple hours.

There is a school of thought that suggests a backup MX is a liability, unless you expect the main server to be out for more than a few hours at a time. The backup MX usually runs fewer checks and is easier to spam, as it has no idea of valid user names.

4- I know I will need to re-run the CEICW and adjust a few settings
there so that it will send emails through DNS, and set retrieval by
POP3 Connector and Use Exchange (mail delivered directly).

I think that pretty much sums up what needs to be done, but looking at
the second error message, I notice that the emails sent look as they
are coming from the business.local domain. What do I need to do to
change that so that it will appear as their email domain (ent-
business.com)? Is it in the SMTP virtual server? Do I need to change
the FQDN in the advanced delivery tab? What do I need to put in there?
Do I need to make changes to my internal DNS?

The FQDN here is sent as the HELO to the receiving mailserver. Ideally it is a hostname i.e. not just the domain name. It must have a valid DNS A record, as this will be examined, ('cannot find your hostname' above) and that should resolve to your public IP address. The PTR record, whatever it is, should resolve to the IP address it is set up for, i.e. there must be an A record for the PTR hostname which returns the IP address, which is obvious but sometimes overlooked as they may be maintained by different companies. Ideally the PTR should match the HELO and primary MX record, though the hostname doesn't need to correspond to a real computer of that name, and mail.domain.com is commonly used.

Most mailservers accept some deviation in naming e.g. my PTR points to a valid subdomain of my ISP, which is mine but is never used. It certainly doesn't match any of my domains' MX records or my mail server HELO. None of the domain names I use bear any relationship to this ISP account. I'm sure there are servers in the world that will reject mail from me, but the fussiest one I send to regularly is AOL, and they're not bothered. As long as there is a valid DNS entry for everything, most mail servers are happy.

I go along with that, and my server accepts mail where DNS is all in order, even where the hostnames don't match. Usually the spammers can't be bothered setting up consistent DNS, and mostly they're on dynamic IP addresses where that isn't possible. It's quite tedious getting everything to match for multiple domains, though it can be done if the mail server adjusts its HELO according to the 'sending' domain. Multiple PTR records for one IP address are permitted, though whether your ISP can be persuaded to implement them is another matter. SPF records are probably easier to organise.

Please let me know if or what I overlooked, and give me your thoughts
on this issue. I managed to get the University to put an exception for
30 days so that my client will be able to send mail, but I would
really like to have a solution soon so that I can work on that early
next week (I'm out of the office Thursday and back on Monday).

If you don't know about it, look at www.dnsreport.com, which allows you one query a day free, and makes some quite detailed checks. Don't worry about all the warnings, just fix the red things.
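The HELO/A/PTR/MX consistency rules discussed in the reply above, as an added example that is not part of the original thread: a forward-confirmed reverse DNS check run against constructed in-memory records (the hostname mail.ent-business.com and the documentation-range IP 203.0.113.21 are assumptions standing in for the client's real values).

```python
# Added example (not from the original thread): a forward-confirmed reverse DNS
# (FCrDNS) consistency check for an outbound mail server, using constructed,
# in-memory DNS data so it runs offline. Swap `lookup` for real queries to test
# a live setup.
from typing import Dict, List, Tuple

# Constructed sample records. "mail.ent-business.com" is the hypothetical HELO
# hostname; 203.0.113.21 is a documentation-range IP standing in for the
# client's public IP. Note there are no records at all for SERVER.business.local.
RECORDS: Dict[Tuple[str, str], List[str]] = {
    ("A", "mail.ent-business.com"): ["203.0.113.21"],
    ("PTR", "21.113.0.203.in-addr.arpa"): ["mail.ent-business.com"],
    ("MX", "ent-business.com"): ["10 mail.ent-business.com", "20 mx2.isp.example"],
    ("A", "mx2.isp.example"): ["203.0.113.99"],
}

def lookup(rtype: str, name: str) -> List[str]:
    """Answer a query from the constructed table (empty list = NXDOMAIN)."""
    return RECORDS.get((rtype, name.lower().rstrip(".")), [])

def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa name used for a PTR query on an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def check_mail_host(helo: str, ip: str, domain: str) -> List[str]:
    """Return the problems a receiving server like the University's would see."""
    problems = []
    # 1. The HELO name must have an A record that points at the sending IP.
    if ip not in lookup("A", helo):
        problems.append(f"HELO {helo} has no A record for {ip}")
    # 2. The IP needs a PTR, and the PTR name must resolve back to the IP.
    ptrs = lookup("PTR", reverse_name(ip))
    if not ptrs:
        problems.append(f"{ip} has no PTR record")
    for ptr in ptrs:
        if ip not in lookup("A", ptr):
            problems.append(f"PTR {ptr} does not resolve back to {ip}")
    # 3. Nice-to-have: HELO, PTR and the primary (lowest-preference) MX agree.
    mx = sorted(lookup("MX", domain), key=lambda r: int(r.split()[0]))
    primary = mx[0].split()[1] if mx else None
    if primary != helo or helo not in ptrs:
        problems.append(f"HELO/PTR/primary MX differ: {helo}/{ptrs}/{primary}")
    return problems

if __name__ == "__main__":
    # The internal name from the error message fails; the public name passes.
    print(check_mail_host("SERVER.business.local", "203.0.113.21", "ent-business.com"))
    print(check_mail_host("mail.ent-business.com", "203.0.113.21", "ent-business.com"))
```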


