Pix v6.3(1) fixup protocol dns

I am trying to increase the maximum-length by using this command:
fixup protocol dns maximum-length 1024

This is being done because it seems that mail is not being delivered to aol with the current default 512 setting.

Getting error:  bad protocol dns

Thanks,

Aaron Vest
aaronvestAsked:

nodiscoCommented:
Hi aaronvest
Can you upgrade your flash image? There is a very similar issue to yours in the PAQ database remedied by Lrmoore. Have a look at:

http://www.experts-exchange.com/Security/Firewalls/Q_21168915.html

You upgrade your flash, remove the old fixup protocol dns statement and add the new one.

If you require any help with upgrading your image, post and I will help you through it.

Tim HolmanCommented:
512 characters should be more than enough - tim_holman@hotmail.com is a typical email address, only 22 characters.  512 characters is overkill.  I think your problem must be elsewhere.
It is far more likely your domain is blacklisted.
What happens if you go to a command prompt and type -

telnet mailin-01.mx.aol.com 25

You should get a response.

Also use www.dnsreport.com to help confirm your DNS setup.
aaronvestAuthor Commented:
I am whitelisted with aol.
This is what I get when I telnet from the mail server.

220-rly-ya05.mx.aol.com ESMTP mail_relay_in-ya5.7; Tue, 05 Jul 2005 12:49:46 -0400
220-America Online (AOL) and its affiliated companies do not
220-     authorize the use of its proprietary computers and computer
220-     networks to accept, transmit, or distribute unsolicited bulk
220-     e-mail sent from the internet.  Effective immediately:  AOL
220-     may no longer accept connections from IP addresses which
220      have no reverse-DNS (PTR record) assigned.
aaronvestAuthor Commented:
After checking dnsreport.com I added an SPF record but still unable to send to aol.

Thank you for your help.
aaronvestAuthor Commented:
This was not a problem until the mail server crashed and I rebuilt it on a win2k3 machine instead of the previous win2k
decoleurCommented:
Actually this is a reverse pointer issue; SPF is for Hotmail.

Check to see if the owner of your IP space has set up a reverse DNS pointer or PTR record for your mail server using the tool referenced off of this page http://postmaster.info.aol.com/errors/421dnsnr.html

or you can get it from here: http://postmaster.info.aol.com/tools/rdns.html

If it fails you have to set up your PTR record...

HTH

-t
aaronvestAuthor Commented:
I got a successful message when using the rdns tool.



decoleurCommented:
That is very good, so now we know that you have a valid MX record with its associated SPF and PTR records.

So back to the error... where do you see the error and what error do you see?

Are there any associated log entries? And if so, what do they contain?

You mentioned that this started as a result of replacing a server. Did you just install a new OS on top of the old one, or did you replace the box with a new one?
Is the IP address for the new server the same as the old?

HTH

-t
aaronvestAuthor Commented:
the error is from my mail server saying that delivery failed.

it was a new box with win2k3 already installed. Did new install of IMail then restore of files from tape backup.

IP address is the same
decoleurCommented:
The reason why I am asking is that I dropped a PIX in to replace another and had to clear the translations upstream before the router would route to the new MAC address associated with the old IP.

HTH

-t
decoleurCommented:
what happens if you try the command "clear xlate" on your pix?
aaronvestAuthor Commented:
I had already done a "clear xlate" but I tried it again anyway. The command was successful but still mail will not deliver to AOL.
Tim HolmanCommented:
Could you tell us what's in the NDR (non-delivery report) ?
DNS seems OK, you're not blacklisted, so should be no reason why you can't send.
Can your mail server resolve DNS properly?  Is it pointing to the right DNS servers, and does nslookup  work to resolve AOL's mail servers ?  Their servers will appear if you run aol.com through www.dnsreport.com.
aaronvestAuthor Commented:
Here is the log when the mail tried to send. It acts like it is a reverse DNS problem, but when I check the reverse DNS it acts like it is fine. AOL customer service checked the reverse DNS also and said it was fine.

07:06 18:50 SMTP-(000010C0) >MAIL FROM:<aaron@email.com>
07:06 18:50 SMTP-(000010C0) 250 OK
07:06 18:50 SMTP-(000010C0) >RCPT To:<email@aol.com>
07:06 18:50 SMTP-(000010C0) 250 OK
07:06 18:50 SMTP-(000010C0) >DATA
07:06 18:50 SMTP-(000010C0) 354 START MAIL INPUT, END WITH "." ON A LINE BY ITSELF
07:06 18:50 SMTP-(000010C0) >.
07:06 18:50 SMTP-(000010C0) 421-:  (DNS:NR)  http://postmaster.info.aol.com/errors/421dnsnr.html
07:06 18:50 SMTP-(000010C0) 421 SERVICE NOT AVAILABLE
07:06 18:50 SMTP-(000010C0) SMTP_DELIV_FAILED
07:06 18:50 SMTP-(000010C0) >QUIT
07:06 18:50 SMTP-(000010C0) 221 SERVICE CLOSING CHANNEL
07:06 18:50 SMTP-(000010C0) Creating message from Postmaster
07:06 18:50 SMTP-(000010C0) finished d:\IMail\spool\Q604504ca00887109.SMD status=2

I can resolve the aol mail servers but no ping. They are probably blocking ping.
decoleurCommented:
I would take this up with AOL; they have been having a bunch of problems with their new config. Our CLEC spent two months fighting the same issue with them...

http://postmaster.info.aol.com/tools/contact.html Call the postmaster support and identify your issue: the fact that you get the 421 error and their rDNS tool validates your mail server.

They should be well versed in helping you identify the issue.

HTH

-t

Tim HolmanCommented:
You should be able to issue all of these commands via 'telnet mailserver 25'. See whether you get different results from your mail server than you do from a normal workstation.

MAIL FROM:<aaron@email.com>
RCPT To:<email@aol.com>
DATA
.

There's the possibility that your mail server is not sending mails in an agreeable format to the AOL mail system, so sending from your workstation via telnet could help verify this.

If you're looking to close the question, I feel a points split and grade A would have been fairer here?
aaronvestAuthor Commented:
It turns out that my mail server was sending from the incorrect ip address which did not have an RDNS record.
It is now working.....Thanks for everything from everyone!!!
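The two checks that would have shortened this thread, as an added example that is not part of the original thread or of IMail: a parser that pulls the server reply code and AOL's `(DNS:NR)` tag out of IMail-style SMTP log lines (a constructed excerpt modelled on the log posted above), and a forward-confirmed reverse DNS check run against the address the server actually sends from, not only the published MX address. The addresses 192.0.2.10 / 192.0.2.11 and the hostname mail.example.com are constructed, and the DNS lookups are injected as callables so the block runs offline; in production you would pass functions backed by `socket.gethostbyaddr` and `socket.getaddrinfo`.

```python
"""Added example (not from the thread). Two checks for the AOL 421 DNS:NR case:
1. parse_imail_smtp_log(): classify a delivery failure from IMail-style log lines.
2. fcrdns_status(): forward-confirmed reverse DNS for the real source address.
"""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed log excerpt modelled on the IMail log format shown in the thread.
SAMPLE_LOG = """\
07:06 18:50 SMTP-(000010C0) >MAIL FROM:<aaron@email.com>
07:06 18:50 SMTP-(000010C0) 250 OK
07:06 18:50 SMTP-(000010C0) >RCPT To:<email@aol.com>
07:06 18:50 SMTP-(000010C0) 250 OK
07:06 18:50 SMTP-(000010C0) >DATA
07:06 18:50 SMTP-(000010C0) 354 START MAIL INPUT, END WITH "." ON A LINE BY ITSELF
07:06 18:50 SMTP-(000010C0) >.
07:06 18:50 SMTP-(000010C0) 421-:  (DNS:NR)  http://postmaster.info.aol.com/errors/421dnsnr.html
07:06 18:50 SMTP-(000010C0) 421 SERVICE NOT AVAILABLE
07:06 18:50 SMTP-(000010C0) SMTP_DELIV_FAILED
"""

# Client commands start with ">"; server replies start with a 3-digit code
# followed by a space (last line) or "-" (continuation line).
_REPLY_RE = re.compile(r"^\S+ \S+ SMTP-\(\w+\) (\d{3})([ -])(.*)$")
_AOL_TAG_RE = re.compile(r"\((DNS:\w+)\)")  # AOL's tag, e.g. (DNS:NR)


def parse_imail_smtp_log(text: str) -> Optional[Dict[str, str]]:
    """Return the first 4xx/5xx server reply as a dict, or None if delivery succeeded."""
    for line in text.splitlines():
        m = _REPLY_RE.match(line)
        if not m:
            continue
        code, _, rest = m.groups()
        if code[0] in "45":  # temporary (4xx) or permanent (5xx) failure
            tag = _AOL_TAG_RE.search(rest)
            url = re.search(r"https?://\S+", rest)
            return {
                "code": code,
                "reason": rest.strip(),
                "tag": tag.group(1) if tag else "",
                "url": url.group(0) if url else "",
            }
    return None


Resolver = Callable[[str], List[str]]

# Constructed DNS data modelling the thread's situation: the published MX
# address 192.0.2.10 has a PTR that resolves back to itself, while 192.0.2.11
# (the address the rebuilt server was really egressing from) has no PTR at all.
PTR_RECORDS = {"192.0.2.10": ["mail.example.com"]}
A_RECORDS = {"mail.example.com": ["192.0.2.10"]}


def fake_ptr(ip: str) -> List[str]:
    """Stand-in for a PTR lookup (hypothetical, offline)."""
    return PTR_RECORDS.get(ip, [])


def fake_a(name: str) -> List[str]:
    """Stand-in for an A lookup (hypothetical, offline)."""
    return A_RECORDS.get(name, [])


def fcrdns_status(ip: str, ptr_lookup: Resolver, a_lookup: Resolver) -> Tuple[str, str]:
    """Classify a source address as ok / no_ptr / ptr_mismatch with an explanation."""
    names = ptr_lookup(ip)
    if not names:
        return "no_ptr", f"{ip} has no PTR record; a receiver doing rDNS checks will defer (421)"
    for name in names:
        if ip in a_lookup(name):
            return "ok", f"{ip} -> {name} -> {ip} is forward-confirmed"
    return "ptr_mismatch", f"PTR names {names} do not resolve back to {ip}"


if __name__ == "__main__":
    print(parse_imail_smtp_log(SAMPLE_LOG))
    for addr in ("192.0.2.10", "192.0.2.11"):
        print(addr, *fcrdns_status(addr, fake_ptr, fake_a))
```

The point of injecting the resolvers is that the address to test is whatever the firewall translates outbound mail to, which is why the thread's rDNS tool passed for the MX address while delivery still failed; run `fcrdns_status` against the NAT'd source seen by the remote side.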
Tim HolmanCommented:
Didn't the link to www.dnsreport.com confirm this?