meshman8
asked on
Reverse DNS Entry for Mail Server
When I email Comcast the email bounces back with the following:
Your message did not reach some or all of the intended recipients.
Subject: Test
Sent: 11/27/2006 3:49 PM
The following recipient(s) could not be reached:
addr...@comcast.net on 11/27/2006 3:49 PM
There was a SMTP communication problem with the recipient's
email server. Please contact your system administrator.
<my.mail.server.net #5.5.0 smtp;521-EHLO/HELO from sender
12.184.137.130 does not map to my.mail.server.net in DNS>
The IP in the NDR is that of my firewall. What are the options for
pointing the IP/address to the external IP of the mailserver itself?
Also...
The mail appears to come from the correct computer
my.mail.ser...@mydomain.net, but the IP address associated is that of
the firewall gateway address. I have a block of 30 addresses and the
mailservers are NATted behind the firewall. How would I change the IP that it appears from the FW to the actual server public IP?
ASKER
My domain DNS is at Register.com. I have an A record for each of the mail servers. They do not offer reverse DNS/PTR records. The mail comes from my mail server name, but the IP is that of the firewall, which is correct. I need the mail to appear to come from the public IP of my mail server, obviously different from the firewall. But won't it always come from the firewall?
What FW are you using?
You should set an address transform to assign a public address to traffic from your mail server and have your ISP assign a PTR record for that address to resolve to the name of your mailserver.
This NATs the traffic from the inside mailserver to the outside universe, using a public subnet as the NAT subnet.
ASKER
I have a Watchguard FireboxII. It is a 1-to-1 NAT from the public IP to the LAN address.
ASKER
The FQDN has an A record that resolves correctly. The PTR lookup for register.com returns nothing from register.com.
Your mail server uses the public IP of the firewall in a virtual way in your case; you are using NAT.
all incoming email is forwarded from your firewall to your "real" mail server
are you using relay or what?
You might be able to get your ISP to create a reverse DNS pointer for your firewall's external IP - Easynet did that for me in a similar situation.
Adam
The reverse DNS is not handled by Register.com--they handle your forward DNS (your domain).
Reverse DNS is handled and maintained by the entity that assigned your IPs to you--typically your upstream ISP but in some cases it is upstream from them.
In your case, the IPs seem to be directly assigned from AT&T.
If your mail server has a public IP, then reverse should be done on that one--basically, whatever host name is listed in your domain's MX record is the one you will want reverse mapping for. If you do an nslookup on the host that is shown in your MX records, the IP returned is the one that the reverse DNS needs to match.
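To see concretely why the 521 bounce in the question happens and why the A and PTR records have to agree, here is an added example (not from the thread) modelling the check a receiving MTA applies: the HELO name's A record must equal the connecting IP, and that IP's PTR must name the same host. The zone data is constructed; the 192.0.2.x addresses are a documentation range standing in for the poster's real ones.

```python
"""Model of the HELO/EHLO-vs-DNS check behind the 521 bounce above.
Added example, not from the thread. The policy: the HELO name's A record
must equal the connecting IP, and that IP's PTR must name the same host
(forward-confirmed reverse DNS). Zone data is constructed; 192.0.2.x is a
documentation range standing in for the poster's real addresses."""

# Constructed records: .130 is the firewall's own outside address (no A,
# no PTR); .140/.141 are public IPs 1:1-NATted to mail-01/mail-02.
FORWARD = {"mail-01.mydomain.net": "192.0.2.140",
           "mail-02.mydomain.net": "192.0.2.141"}
REVERSE = {"192.0.2.140": "mail-01.mydomain.net",
           "192.0.2.141": "mail-02.mydomain.net"}

def check_helo(helo_name, connecting_ip, forward=FORWARD, reverse=REVERSE):
    """Return (accepted, smtp_reply) for one inbound connection."""
    name = helo_name.lower().rstrip(".")
    if forward.get(name) != connecting_ip:
        # The poster's case: HELO is right, but packets leave from the
        # firewall's own address, which is not mail-02's A record.
        return False, (f"521 EHLO/HELO from sender {connecting_ip} "
                       f"does not map to {name} in DNS")
    ptr = reverse.get(connecting_ip)
    if ptr is None:
        return False, f"521 no PTR record for {connecting_ip}"
    if ptr.lower().rstrip(".") != name:
        return False, f"521 PTR for {connecting_ip} is {ptr}, not {name}"
    return True, "250 OK"

def via_firewall_ip():
    """Mail leaving from .130: reproduces the bounce in the question."""
    return check_helo("mail-02.mydomain.net", "192.0.2.130")

def via_own_public_ip():
    """Mail sourced from mail-02's own NATted public IP: accepted."""
    return check_helo("mail-02.mydomain.net", "192.0.2.141")

def ptr_only_workaround():
    """A PTR for .130 alone still fails; moving mail-02's A record to
    .130 as well makes the pair consistent and passes."""
    rev = dict(REVERSE, **{"192.0.2.130": "mail-02.mydomain.net"})
    fwd = dict(FORWARD, **{"mail-02.mydomain.net": "192.0.2.130"})
    ptr_only = check_helo("mail-02.mydomain.net", "192.0.2.130", reverse=rev)
    both = check_helo("mail-02.mydomain.net", "192.0.2.130", fwd, rev)
    return ptr_only[0], both[0]
```

Against a live resolver the same two lookups are `nslookup mail-02.mydomain.net` for the A record and a reverse lookup of the source IP for the PTR; whichever address the mail actually leaves from is the one both must agree on.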
ASKER
All external incoming traffic on port 25 is forwarded to the internal address of the mailserver. There is an all to all outgoing rule for port 25. The NDR simply says that <mail-02.mydomain.net #5.5.0 smtp;521-EHLO/HELO from sender XX.XX.XXX.XXX does not map to mail-02.mydomain.net in DNS>
A PTR record pointing XX.XX.XX.XX(mailserver public IP) to mail-02.mydomain.com would not change the fact that the mail comes from the IP of the firewall XX.XX.XX.YY.
Bleh, hit enter too fast. AT&T is the one that will need to do the reverse DNS for you, and you will need to contact them to let them know what the entries should be.
Your DNS has two MX records, btw, the lesser-preferred one being the IP of your firewall as given above. Take the host names in your forward DNS (i.e. the A records) and give AT&T those as the hosts for the PTR records.
ASKER
The MX records are actually .140 and .141. The FW is .130. I will give AT&T a call and see what they say. It still doesn't change that the mail appears to come from .130 though.
Doesn't matter.....
If the .130 is the address that your mail comes from then you could have a PTR for your mailservers A record point to .130 and this would solve your problem
As said by atoth above
"You might be able to get your ISP to create a reverse DNS pointer for your Firewall's external IP"
ASKER
I have two mail servers, each having a different public IP address. I think that I should have the mail appear to come from the respective mailserver public IP first rather than trying to "trick" the reverse DNS. I do however understand what you are saying. I would then be adding RDNS for two hosts to the same IP though.
Then you must NAT this on the FW.
ASKER CERTIFIED SOLUTION
This needs to be created by yourself if you manage your own DNS namespace, or by your ISP if they look after it for you. You should be setting the PTR record to match the same IP as the mailserver's MX record.
Lots of good info found here: http://www.amset.info/exchange/dnsconfig.asp
Hope this helps
Rob