DNS problems blacklist and such

Hello experts,

I've been struggling with this on and off for quite a while now. In January we were purchased by another company and were converted to be a part of their domain. We have our own domain within their forest.

We were doing just fine until we came across an email address that we kept on getting non-deliverable messages back from. None of our emails go through. This company that I work for is actually two in one; both companies have different mail.domainname.com addresses, but we both go out through one internet connection. We've tried sending emails from email addresses from both companies (both companies have different @domainname.com addresses).

According to www.dnsstuff.com we are on that fivetensrc blacklist because we have no reverse DNS set up for our outgoing IP (68.x.x.x). Both of our mail.domainname.com addresses have a reverse DNS set up to go through our parent company's IP address (65.x.x.x) because our incoming mail goes through their filtering system. But our outgoing mail goes out directly through our outgoing IP. Our ISP and our parent's ISP are different. I tried talking to a couple of people and what I understand is that if I change our mail.domainname.com's reverse DNS to our outgoing IP (68.x.x.x) then we will resolve that blacklist issue, but we won't be going through our parent company's spam filter (I want our incoming email to go through their filter) or their Exchange server (they want us to go through their server for incoming mail so that they can watch and filter things etc.).

The people in the DNS department of my ISP seem to think that you can't set up one IP address to have a reverse DNS to multiple domain names. Which doesn't make sense, because the reverse DNS of all 3 of our mail servers' domain names (our two and our parent's one) all resolve to the same address (65.x.x.x). Also, they say that they can't set up one IP to reverse to multiple domain names, even though both of our domains are going out the same connection.

Any suggestions?
Oh, by the way, we're running 1 domain controller that's on Server 2003, and 1 Exchange server (Exchange 2003).
Our parent company, I'm not sure what all they have, but I'm certain they are using Exchange 2003 and Server 2003.
Asked by: ciphron

1 Solution

giltjr commented:
You have two SMTP servers.  One for outgoing and one for incoming.

You should have an MX record for "domain.com".  The MX record should point to "incoming.domain.com" and you should have a PTR record for "incoming.domain.com" that points to its IP address.

Now you also have an SMTP server that is "outgoing.domain.com", which should have a PTR record that points to its IP address.

If your outgoing SMTP server handles multiple outbound domains, then you need a PTR record that has multiple host names, one for each domain.
 
ts4673 commented:
You absolutely can have mail go out one IP and in another: the public MX record controls the inbound, and you can send out of any IP you want as long as that IP has correct forward and reverse DNS. The domain names shouldn't matter as long as the outbound IP(s) are correctly in DNS on ALL DNS servers (primary, secondary, etc.).
You also can have more than one reverse IP entry per FQDN, but you don't need this.

The blacklist FIVETENIGNORE has several ISPs that they blacklist because they just don't like them (like AboveNet, above.net). If this is the case for you, they will NOT delist you no matter what you do.

 
scrathcyboy commented:
If your IP range is being blacklisted, it has nothing to do with DNS servers or any setup in-house.

This has happened to our client's network too, and if there is ANY blacklisted site on the same CLASS "C" network IP address as any ONE of your IP domains, you will be automatically blacklisted by the companies doing this.

You have to make an appeal to them by email that you are NOT an email SPAM site, and the IP coincidence is JUST mere coincidence.  You have to give them DETAILED IP information.  Once they check it out and it looks good, you will be UN-blacklisted in about 1 week.  Get on it now.
 
giltjr commented:
scrathcyboy:  What blacklists use a full class C instead of individual addresses?  My company has been blacklisted a couple of times.  All we did was change the IP address of our outbound SMTP server; we only have a /26, not a full /24. Most of the blacklists I have seen block based on individual IP addresses, not a whole subnet.

I am not sure that you are blacklisted.  Some SMTP servers are configured, on purpose, not to accept e-mail if the sending SMTP server does not have a PTR record or the PTR record does not resolve to a FQDN that is within the domain the HELO (EHLO) command used.  That is, if host 10.10.10.1 connects to me and says HELO myd1.com and there is no PTR record, or the PTR record resolves to nobody.sssss.com, then the e-mail will be rejected.  You need to set up a PTR record for the sending (your outbound) SMTP server that has a FQDN for a host within the same domain that the SMTP server uses to say "HELO" with.
 
ciphron (Author) commented:
So let me get this straight,
I need to set up an MX record on both of my mail.domainname.com domains that points to the parent company which receives our email, then a PTR record for my outgoing IP address to point to both mail.domainname.com domains?
 
giltjr commented:
Half right.

You need an MX record for every domain name that people use to send e-mail to you.  If you have two domains, then you need two MX records.  Both MX records can point to the same A record.

     MX   olddomain.com   --> mail.domain.com
     MX   newdomain.com --> mail.domain.com
     A  mail.domain.com --> 10.10.10.1

Now you need a PTR record for your outbound e-mail server. The FQDN that your PTR record points to must be in the domain that your outbound e-mail server says "HELO" with.  If your outbound e-mail server says HELO olddomain.com then you need:

     PTR 10.10.10.100 --> out.olddomain.com

If it says HELO newdomain.com then you need:

     PTR 10.10.10.100 --> out.newdomain.com

If it can do both HELO olddomain.com and newdomain.com, then you need:

     PTR 10.10.10.100 --> out.olddomain.com & --> out.newdomain.com

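As an added illustration (not code from any poster on this thread), here is a small Python check of the rule giltjr describes: the outbound IP's PTR must resolve forward to the same IP, and one of those PTR names must sit inside the domain the server uses in HELO/EHLO. It also pulls the HELO name out of a captured SMTP session, as the later comments suggest doing with a packet trace. All zone data, addresses and the captured session are constructed for this example.

```python
import ipaddress
import re

# Constructed zone data (hypothetical names and addresses), mirroring the thread:
# two sending domains, inbound MX at the parent, one shared outbound IP (2.2.2.2).
DNS = {
    ("mail.parentdomain.com", "A"): ["1.1.1.1"],
    ("firstdomain.com", "MX"): ["mail.parentdomain.com"],
    ("seconddomain.com", "MX"): ["mail.parentdomain.com"],
    ("out.firstdomain.com", "A"): ["2.2.2.2"],
    ("out.seconddomain.com", "CNAME"): ["out.firstdomain.com"],   # alias, per giltjr
    ("2.2.2.2.in-addr.arpa", "PTR"): ["out.firstdomain.com", "out.seconddomain.com"],
    ("4.4.4.4.in-addr.arpa", "PTR"): ["mail.parentdomain.com"],  # PTR that does not confirm
}

# Constructed capture of the outbound server's side of an SMTP session.
CAPTURE = "220 mx.example.net ESMTP\r\nEHLO firstdomain.com\r\n250 OK\r\n"

def resolve_a(name, depth=0):
    """Resolve name to IPv4 addresses, following CNAME chains (bounded)."""
    if depth > 8:
        return []
    cname = DNS.get((name, "CNAME"))
    if cname:
        return resolve_a(cname[0], depth + 1)
    return DNS.get((name, "A"), [])

def ptr_names(ip):
    """PTR names for an IPv4 address via its in-addr.arpa name."""
    return DNS.get((ipaddress.ip_address(ip).reverse_pointer, "PTR"), [])

def inbound_mx(domain):
    """MX targets for a domain with the addresses they resolve to."""
    return [(h, resolve_a(h)) for h in DNS.get((domain, "MX"), [])]

def helo_name(capture):
    """Extract the HELO/EHLO argument from a captured SMTP client stream."""
    m = re.search(r"^(?:EHLO|HELO)\s+(\S+)", capture, re.M | re.I)
    return m.group(1).lower() if m else None

def check_outbound(ip, helo):
    """Return (ok, reason): forward-confirmed rDNS plus HELO-domain alignment."""
    names = ptr_names(ip)
    if not names:
        return False, "no PTR record for %s" % ip
    confirmed = [n for n in names if ip in resolve_a(n)]
    if not confirmed:
        return False, "PTR names do not resolve back to %s" % ip
    if not any(n == helo or n.endswith("." + helo) for n in confirmed):
        return False, "no confirmed PTR name inside HELO domain %s" % helo
    return True, "ok"
```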
 
ts4673 commented:
P.S.

Only the owner of the PUBLIC IP addresses that you use (your ISP) can do the reverse (PTR) delegation. Also, ALL entries have to be made on the public DNS servers for the domains, the ones that are listed with the domain registrar(s) like Network Solutions, GoDaddy, etc.
 
ciphron (Author) commented:
How do I do a HELO command? I thought you had to telnet into the mail server at port 25, but I can't connect to any of our 3 addresses. Is there any other way to do this?

But when I figure this out, say that both of our domain names respond to a HELO command... and let's say our parent company's mail server A record is 1.1.1.1. Also, let's say my outgoing IP would be 2.2.2.2.

I need to set up MX records like this...
mail.firstdomain.com -> mail.parentdomain.com (1.1.1.1)
mail.seconddomain.com -> mail.parentdomain.com (1.1.1.1)

then PTR records like this...
2.2.2.2 -> mail.firstdomain.com
mail.firstdomain.com -> mail.seconddomain.com

would this be correct?
 
giltjr commented:
The first part is correct.

The second part should be more like:

2.2.2.2 -> mail.firstdomain.com
2.2.2.2 -> mail.seconddomain.com


You would need to know what domain name(s) your outbound e-mail server is configured to use for sending e-mail out.  Your best bet may be to run a packet trace to see what domain name it is using on its HELO command.  You can't telnet to your SMTP server and see what HELO command it issues.  SMTP servers issue this command when they connect to another SMTP server to send e-mail out, not when they are receiving e-mail.
 
ciphron (Author) commented:
Alright, and just how exactly would I set up a packet trace on my email?
 
giltjr commented:
You either need to install packet sniffing software on the SMTP server itself, or someplace where you can capture the data stream.

You may be able to look at the configuration of the SMTP software and the software's configuration guide to see what it is configured for.
 
ciphron (Author) commented:
So what should I put for A records of the mail.firstdomain.com and mail.seconddomain.com?
 
giltjr commented:
You need to put in the IP address that they need to resolve to.  If they are the same host, then you could put an A record for one (mail.firstdomain.com) and then for mail.seconddomain.com create a CNAME that points to mail.firstdomain.com.  That way, if the IP address for mail.firstdomain.com ever changes, you only have to change one A record.
