jhhaley
Reverse DNS Question

Emails are failing to one of our customers. The returned email reflects the public IP, but not the host name (smith.com). I'm confident this is a reverse DNS issue. I need to contact my ISP, but I need some advice before doing so.

Our registered domain smith.hst.com is different from our mail domain, which is smith.com.


Our ns1 record, "ns1.smithhst.com", is pointed to 65.175.184.129. This is only an example and not our actual company name or IP address. The referenced public IP is the outside interface of our FatPipe running SmartDNS, but it is the IP that shows in the mail headers on the failed email transmissions. Outgoing internet email goes across our internet T1 out to the internet. All incoming internet email bound for smith.com comes back across the internet to our corporate headquarters, then across our frame connection to our local mail server located inside our network. That local mail server is on the smith.com domain. An example of our email address would be "jdoe@smith.com".

Would I setup reverse dns as follows:

129.184.175.65     IN        PTR   ns1.smithhst.com

I want to make sure that the mail continues to be associated with the smith.com domain.
Currently the ISP is listed as the Primary DNS. At least that's what I noted a few minutes ago when I was doing an automated request for a Reverse DNS change. Perhaps I need to change the primary to our FatPipe. I may also need to create an MX record and point it back to the vestcom domain. I could create a separate public IP just for the mail server and enter this on the FatPipe.

Any suggestions?


ikm7176

Quick overview of using Reverse DNS in exchange server

http://support.microsoft.com/default.aspx?scid=kb;EN-US;297412

You have to create a PTR record for your Exchange server in the reverse-DNS zone for your 65.175.184-in-addr.arpa zone (assuming this is the Class A address with standard subnet mask). These changes will be handled by your ISP. You need to coordinate with your ISP to make the changes.

>I'm confident this is reverse dns issue.

Cool.  Can you post the exact error message you are getting (or the actual bounced message?)

Cheers,
-Jon

jhhaley

ASKER



Here is an example of the returned message:

 xxxx.xxxxxxx@xxxxxxxxxxxx.com on 9/29/2004 3:44 PM
            The message was undeliverable because the recipient specified in the recipient postal address was not known at this address
      The MTS-ID of the original message is: c=US;a= ;p=smith;l=MAILXXXX-040928204356Z-28801
            MSEXCH:IMS:smith:Mid South:MAILXXXX 3450 (000B09AA) 450 Client host rejected: cannot find your hostname, [65.175.184.129]

I just received a phone call from the company stating it bounced because there was no reverse translation. I've got two weeks to get this fixed. I contacted my ISP yesterday and it will be Monday before they call me back.

I do appreciate the help. I guess my primary concern was not just setting up the reverse translation and the MX record but making sure the email goes back through the corporate domain "smith.com" instead of returning to my domain "ns1.smithhst.com".

I'll also VPN into work and look at the Exchange DNS settings. We're still on Exchange 5.5.

Thanks a Heap!

 
> 450 Client host rejected: cannot find your hostname, [65.175.184.129]

You need to arrange with whoever hosts reverse DNS for 65.175.184.* (184.175.65.in-addr.arpa domain) to insert a PTR record for 129, or delegate 129 to another server where you can arrange this.

In most cases, it won't matter what host name that PTR record returns, as long as it exists *where remote systems will look for it*.

SOLUTION
Mazaraat

ASKER

PennGwyn

Thanks PennGwyn - I can see the immediate need for Reverse DNS. I'm trying however to understand the need for an MX record.

The mail will not return back to my domain, by design it all goes across an SMTP gateway at the corporate headquarters back across the frame to our local exchange server.

ASKER CERTIFIED SOLUTION
Of course, you could always just setup a VPN and have smith.com route some of their address space to you over the VPN, which should eliminate all of these problems.

Cheers,
-Jon

ASKER

The--Captain
You are right, an MX record does already exist for the smith.com domain, so in my instance the MX record is not necessary. I definitely need the reverse DNS association on my domain. Thanks for the confirmation.

Mazaraat
The domain at my company is the smithhst.com. That domain, at this time does not support an email server.  The smith.com is registered by corporate headquarters and is the domain for our internal exchange servers spread out across the United States and Canada.

The MX record is already setup for the smith.com domain.

However, could you please clarify what you mean by your statement "anytime they try to lookup who owns the smith.com domain they will get the wrong DNS information.  If you do own the smith.com domain I agree with the above posts, that you need to coordinate with your ISP on creating the proper DNS entries."

If the email recipient requires reverse DNS, then I have to set up reverse DNS or the email will bounce.

I appreciate your input, I just want to better understand why you think I may encounter a problem. You may have a valid point.

Thanks for the help.

ASKER

The-Captain

I was reading your following statements:

Your statement: to their in-addr.arpa zonefile (it won't help to setup DNS locally, unless your ISP is willing to delegate authority for the proper in-addr.arpa zone, or subset thereof).

- The ISP currently provides Primary DNS. Give me some examples of why I might want to set up DNS locally outside my firewall. At the moment I use the FatPipe to advertise our FTP servers on the DMZ.
I do have an internal DNS server inside our network.

Your statement: Also, I'd make sure that client1.smith.hst.com resolves to 65.175.184.129 - some mailservers check the PTR and A records to be sure that they match.

- As I mentioned above, .129 is actually the outside interface of our FatPipe. I wonder if it would be best to set up a separate public IP, on the PIX, for the email server and point it back toward the inside Exchange server. Actually this might only be required if I was going to set up an MX record. Currently, if an email recipient does not require reverse DNS, then we've no problem receiving their email.
 
You clarified my question =)  I wasn't sure what domains you had registered, and I agree with penn and The-Captain, have the ISP make that entry.  As a side note, where are your MX records pointing?

OK, I think I finally understand your problem, and your config completely - may I rephrase?

You have a central office with its own connection(s), and branch offices with their own connections.  The central office provides an inbound SMTP server which receives mail for smith.com - the MX is obviously correct since inbound mail for smith.com works great.  Each branch is responsible for its own outbound SMTP, and each branch has its own registered domain (not smith.com) for whatever services it might want to host locally.  One of your branches has no (or incorrect) reverse DNS, and outbound SMTP delivery is failing because of this.

Is this correct?

In any case, I find this new statement confusing:

>Currently if an email recipient does not
>require reverse dns then we've no problem
>recieving their email

Did you mean to say "sending them email"?  Otherwise, I'm not sure I follow you...

>The ISP currently provides Primary DNS. Give me
>some examples of why I might want setup DNS
>locally outside my firewall.

You generally wouldn't, unless you are dissatisfied with the response time of your ISP regarding DNS additions/updates (and in that case you'd run it in a DMZ, not on your external connection).

>- As I mentioned above .129 is actually the
>outside interface of our FatPipe. I wonder if
>it would be best to set up a separate public
>ip, on the pix, for the email server and
>pointing it back toward the inside exchange
>server

I don't think that's necessary - just make sure you have properly matching forward and reverse DNS entries for your primary IP (.129) that use smithhst.com, and your mail will still reflect smith.com if you configure your mail client properly as I previously mentioned.

>As a side note, where are your MX records
>pointing?

-Mazaraat,
Unless we're talking about an inbound mail problem (and I don't think we are), can you explain how that info is relevant?

Cheers,
-Jon

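The check that PennGwyn's and The--Captain's replies describe, as a strict receiving MTA performs it: look up the PTR at 129.184.175.65.in-addr.arpa, then confirm that the returned name resolves back to the connecting IP (forward-confirmed reverse DNS). This is an added example, not code from the thread; the zone data is constructed to mirror the thread's example address and the smithhst.com name, so it runs offline.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check on a connecting client IP,
the test behind "450 Client host rejected: cannot find your hostname".

Added example (not from the thread). The zone is an in-memory table so the
script runs offline; replace `lookup` with a real resolver for live checks.
"""
import ipaddress
from typing import Callable, Dict, List, Tuple

# Constructed zone data (not real DNS) modelling the thread's example address.
# Before the ISP fix: the A record exists but no PTR is published for .129.
ZONE_BEFORE: Dict[Tuple[str, str], List[str]] = {
    ("A", "ns1.smithhst.com"): ["65.175.184.129"],
}
# After the fix: a PTR exists and the name it returns resolves back to .129.
ZONE_AFTER = dict(ZONE_BEFORE)
ZONE_AFTER[("PTR", "129.184.175.65.in-addr.arpa")] = ["ns1.smithhst.com"]


def make_lookup(zone: Dict[Tuple[str, str], List[str]]) -> Callable[[str, str], List[str]]:
    """Build lookup(rrtype, name) -> rdata list; empty list stands for NXDOMAIN."""
    def lookup(rrtype: str, name: str) -> List[str]:
        return zone.get((rrtype, name.rstrip(".").lower()), [])
    return lookup


def reverse_name(ip: str) -> str:
    """Owner name of the PTR: 129.184.175.65.in-addr.arpa for 65.175.184.129."""
    return ipaddress.ip_address(ip).reverse_pointer


def fcrdns_check(ip: str, lookup: Callable[[str, str], List[str]]) -> Tuple[str, str]:
    """Classify a client IP the way a strict MTA does.

    no-ptr       PTR missing at <reversed-ip>.in-addr.arpa (the thread's 450 case)
    unconfirmed  PTR exists but none of its names has an A record back to the IP
    ok           a PTR name's A record contains the IP (forward-confirmed)
    """
    ptrs = lookup("PTR", reverse_name(ip))
    if not ptrs:
        return "no-ptr", f"no PTR at {reverse_name(ip)}"
    for host in ptrs:
        if ip in lookup("A", host):
            return "ok", host
    return "unconfirmed", ",".join(ptrs)


if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        print(label, fcrdns_check("65.175.184.129", make_lookup(zone)))
```

Note that the PTR's owner name is the IP's octets reversed under in-addr.arpa; a bare "129.184.175.65" with no in-addr.arpa suffix and no trailing dot would be interpreted relative to whatever zone origin is in force.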

ASKER

I meant to give 250 points to The--Captain and 100 to Mazaraat. Can this be changed?
Voila!

Cheers,
-Jon
Your friendly neighborhood EE Networking PE (One of them, anyway)...