Reverse DNS Entry for Mail Server

When I email Comcast the email bounces back with the following:

Your message did not reach some or all of the intended recipients.
      Subject:  Test
      Sent:     11/27/2006 3:49 PM
The following recipient(s) could not be reached: on 11/27/2006 3:49 PM
            There was a SMTP communication problem with the recipient's
email server.  Please contact your system administrator.
            < #5.5.0 smtp;521-EHLO/HELO from sender does not map to in DNS>

The IP in the NDR is that of my firewall.  What are the options for
pointing the IP/address to the external IP of the mailserver itself?


The mail appears to come from the correct computer, but the IP address associated is that of
the firewall gateway address.  I have a block of 30 addresses and the
mailservers are NATted behind the firewall. How would I change the IP that it appears from the FW to the actual server public IP?

susanzeigler Commented:
I understand why you are trying to keep it clean and agree that it is a good idea.

That said, it is possible to have the receiving server(s) and the sending server(s) with different IPs.

Keep in mind that the server(s) in your domain's MX record does not have to be the sending server, but the forward and reverse DNS for the sending server (or apparent sending device which in this case may well be the firewall) needs to match or mail will be rejected/discarded by any mail server that does a DNS match test.

In that case, you would need to give a host name to the firewall's IP (i.e. add an A record for just and have AT&T add the corresponding PTR for that host. All that is being checked in a DNS forward/reverse match check is the physical device initiating the contact, which in this case sounds like it actually is the firewall. And if that is the case, then the .130 is indeed the IP that will need the reverse.

This needs to be created by yourself if you manage your own DNS namespace, or by your ISP if they look after it for you.  You should be setting the PTR record to match the same IP as the mailserver's MX record.

Lots of good info found here:

Hope this helps

meshman8Author Commented:
My domain DNS is at   I have an A record for each of the mail servers. They do not offer reverse DNS/PTR records.  The mail comes from my mail server name, but the IP is that of the firewall, which are correct.  I need for the mail to appear to come from the public IP of my mail server, obviously different from the firewall.  But won't it always come from the firewall?

What FW are you using?
You should set a address transform to assign a public address to traffic from your mail server and have your ISP assign a PTR record for that address to resolve to the name of your mailserver.
This is to NAT the traffic from the inside mailserver to the outside universe and use a public subnet as the NAT subnet.
meshman8Author Commented:
I have a Watchguard FireboxII.  It is a 1-to-1 NAT from the public IP to the LAN address.
meshman8Author Commented:
The FQDN has an A record that resolves correctly.  The PTR lookup for returns nothing from
Your mail server uses the public IP of the firewall in a virtual way in your case - you are using NAT.
all incoming email is forwarded from your firewall to your "real" mail server
are you using relay or what?
You might be able to get your ISP to create a reverse DNS pointer for your Firewall's external IP - Easynet did that for me in a similar situation.

The reverse DNS is not handled by whoever handles your forward DNS (your domain).

Reverse DNS is handled and maintained by the entity that assigned your IPs to you--typically your upstream ISP but in some cases it is upstream from them.

In your case, the IPs seem to be directly assigned from AT&T.

If your mail server has a public IP, then reverse should be done on that one--basically, whatever host name is listed in your domain's MX record is the one you will want reverse mapping for. If you do an nslookup on the host that is shown in your MX records, the IP returned is the one that the reverse DNS needs to match.
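As an added illustration (not code from the thread), this is the forward/reverse match a receiving server performs before rejecting with a 521 like the one above. It runs against constructed in-memory records instead of real DNS; the host names and the RFC 5737 addresses standing in for the masked .130/.140/.141 block are placeholders.

```python
# Forward-confirmed reverse DNS (FCrDNS) plus EHLO check, the test behind a
# "521 EHLO/HELO ... does not map to in DNS" rejection.  Constructed sample
# records replace live DNS; names and 192.0.2.0/24 addresses are placeholders.

FORWARD = {  # A records: forward DNS, kept by whoever hosts the domain's zone
    "mail1.example.com": {"192.0.2.140"},
    "mail2.example.com": {"192.0.2.141"},
    "fw.example.com": {"192.0.2.130"},
}
REVERSE = {  # PTR records: reverse DNS, kept by the ISP that assigned the block
    "192.0.2.140": {"mail1.example.com"},
    "192.0.2.141": {"mail2.example.com"},
    # 192.0.2.130 (the NAT gateway's public address) deliberately has no PTR
}


def fcrdns_check(connecting_ip, helo_name, forward=FORWARD, reverse=REVERSE):
    """Return (ok, reason) for one inbound SMTP connection.

    1. The connecting IP must have a PTR record.
    2. At least one PTR name must have an A record back to that IP (FCrDNS).
    3. The EHLO/HELO name must have an A record for that IP.
    """
    ptr_names = reverse.get(connecting_ip, set())
    if not ptr_names:
        return False, f"no PTR record for {connecting_ip}"
    confirmed = {n for n in ptr_names if connecting_ip in forward.get(n, set())}
    if not confirmed:
        return False, f"PTR {sorted(ptr_names)} does not resolve back to {connecting_ip}"
    if connecting_ip not in forward.get(helo_name, set()):
        return False, f"EHLO {helo_name} does not map to {connecting_ip}"
    return True, "ok"


def with_ptr(reverse, ip, name):
    """Copy of the reverse table with one PTR added, as the ISP would on request."""
    updated = {k: set(v) for k, v in reverse.items()}
    updated.setdefault(ip, set()).add(name)
    return updated


if __name__ == "__main__":
    # Starting point in the thread: mail leaves via the gateway, which has no PTR.
    print(fcrdns_check("192.0.2.130", "mail1.example.com"))
    # ISP adds a PTR for the gateway, but the server still says EHLO mail1.
    print(fcrdns_check("192.0.2.130", "mail1.example.com",
                       reverse=with_ptr(REVERSE, "192.0.2.130", "fw.example.com")))
    # Outbound NAT presents the mail server's own public address instead.
    print(fcrdns_check("192.0.2.140", "mail1.example.com"))
```

The three calls show, in order, the original failure, what a PTR for the gateway alone fixes (and what it leaves mismatched), and the result once outbound traffic is NATted to the address the A and PTR records already agree on.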
meshman8Author Commented:
All external incoming traffic on port 25 is forwarded to the internal address of the mailserver.  There is an all to all outgoing rule for port 25.  The NDR simply says that < #5.5.0 smtp;521-EHLO/HELO from sender XX.XX.XXX.XXX does not map to in DNS>

A PTR record pointing XX.XX.XX.XX(mailserver public IP) to would not change the fact that the mail comes from the IP of the firewall XX.XX.XX.YY.
Bleh, hit enter too fast. AT&T is the one that will need to do the reverse DNS for you, and you will need to contact them to let them know what the entries should be.

Your DNS has two MX records, btw, the lesser-preferred one being the IP of your firewall as given above. Take the host names in your forward DNS (i.e. the A records) and give AT&T those as the hosts for the PTR records.
meshman8Author Commented:
The MX records are actually .140 and .141.  The FW is .130.  I will give AT&T a call and see what they say.  It still doesn't change that the mail appears to come from .130 though.
Doesn't matter.....
If the .130 is the address that your mail comes from, then you could have a PTR for your mailserver's A record point to .130 and this would solve your problem.

As said by atoth above:
"You might be able to get your ISP to create a reverse DNS pointer for your Firewall's external IP"
meshman8Author Commented:
I have two mail servers, each having a different public IP address.  I think that I should have the mail appear to come from the respective mailserver public IP first rather than trying to "trick" the reverse DNS.  I do however understand what you are saying.  I would then be adding RDNS for two hosts to the same IP though.
Then you must NAT this on the FW.