Reverse DNS Entry for Mail Server

Posted on 2006-11-28
Last Modified: 2012-08-13
When I email Comcast the email bounces back with the following:

Your message did not reach some or all of the intended recipients.
      Subject:  Test
      Sent:     11/27/2006 3:49 PM
The following recipient(s) could not be reached:

      addr...@comcast.net on 11/27/2006 3:49 PM
            There was a SMTP communication problem with the recipient's
email server.  Please contact your system administrator.
            <my.mail.server.net #5.5.0 smtp;521-EHLO/HELO from sender
12.184.137.130 does not map to my.mail.server.net in DNS>

The IP in the NDR is that of my firewall.  What are the options for
pointing the IP/address to the external IP of the mailserver itself?

Also...

The mail appears to come from the correct computer
my.mail.ser...@mydomain.net, but the IP address associated is that of
the firewall gateway address.  I have a block of 30 addresses and the
mailservers are NATted behind the firewall. How would I change the IP that it appears from the FW to the actual server public IP?
Question by: meshman8
Expert Comment by robjeeves, ID: 18030255
G'day

This needs to be created by yourself if you manage your own DNS namespace, or by your ISP if they look after it for you. You should be setting the PTR record to match the same IP as the mail server's MX record.

Lots of good info found here: http://www.amset.info/exchange/dnsconfig.asp

Hope this helps

Rob
Author Comment by meshman8, ID: 18030299
My domain DNS is at Register.com. I have an A record for each of the mail servers. They do not offer reverse DNS/PTR records. The mail comes from my mail server name, but the IP is that of the firewall, which is correct. I need the mail to appear to come from the public IP of my mail server, obviously different from the firewall. But won't it always come from the firewall?
Expert Comment by Donnie4572, ID: 18030303
What FW are you using?
You should set an address transform to assign a public address to traffic from your mail server, and have your ISP assign a PTR record for that address to resolve to the name of your mail server.
This is NATting the traffic from the inside mail server to the outside universe, using a public subnet as the NAT subnet.
Author Comment by meshman8, ID: 18030353
I have a Watchguard Firebox II. It is a 1-to-1 NAT from the public IP to the LAN address.
Author Comment by meshman8, ID: 18030363
The FQDN has an A record that resolves correctly. The PTR lookup for register.com returns nothing from register.com.
Expert Comment by poweruser32, ID: 18030374
Your mail server uses the public IP of the firewall in a virtual way in your case; you are using NAT.
All incoming email is forwarded from your firewall to your "real" mail server.
Are you using relay or what?
Expert Comment by atoth, ID: 18030388
You might be able to get your ISP to create a reverse DNS pointer for your firewall's external IP. Easynet did that for me in a similar situation.

Adam
Expert Comment by susanzeigler, ID: 18030462
The reverse DNS is not handled by Register.com--they handle your forward DNS (your domain).

Reverse DNS is handled and maintained by the entity that assigned your IPs to you--typically your upstream ISP but in some cases it is upstream from them.

In your case, the IPs seem to be directly assigned from AT&T.

If your mail server has a public IP, then reverse should be done on that one--basically, whatever host name is listed in your domain's MX record is the one you will want reverse mapping for. If you do an nslookup on the host that is shown in your MX records, the IP returned is the one that the reverse DNS needs to match.
Author Comment by meshman8, ID: 18030480
All external incoming traffic on port 25 is forwarded to the internal address of the mailserver.  There is an all to all outgoing rule for port 25.  The NDR simply says that <mail-02.mydomain.net #5.5.0 smtp;521-EHLO/HELO from sender XX.XX.XXX.XXX does not map to mail-02.mydomain.net in DNS>

A PTR record pointing XX.XX.XX.XX(mailserver public IP) to mail-02.mydomain.com would not change the fact that the mail comes from the IP of the firewall XX.XX.XX.YY.
Expert Comment by susanzeigler, ID: 18030517
Bleh, hit enter too fast. AT&T is the one that will need to do the reverse DNS for you, and you will need to contact them to let them know what the entries should be.

Your DNS has two MX records, btw, the lesser-preferred one being the IP of your firewall as given above. Take the host names in your forward DNS (i.e. the A records) and give AT&T those as the hosts for the PTR records.
Author Comment by meshman8, ID: 18030574
The MX records are actually .140 and .141. The FW is .130. I will give AT&T a call and see what they say. It still doesn't change that the mail appears to come from .130 though.
Expert Comment by Donnie4572, ID: 18030626
Doesn't matter...
If the .130 is the address that your mail comes from, then you could have a PTR for your mail server's A record point to .130, and this would solve your problem.

As said by atoth above:
"You might be able to get your ISP to create a reverse DNS pointer for your Firewall's external IP"
Author Comment by meshman8, ID: 18030746
I have two mail servers, each having a different public IP address. I think that I should have the mail appear to come from the respective mail server public IP first, rather than trying to "trick" the reverse DNS. I do however understand what you are saying. I would then be adding RDNS for two hosts to the same IP though.
Expert Comment by Donnie4572, ID: 18030785
Then you must NAT this on the FW.
Accepted Solution by susanzeigler (earned 250 total points), ID: 18032093
I understand why you are trying to keep it clean and agree that it is a good idea.

That said, it is possible to have the receiving server(s) and the sending server(s) with different IPs.

Keep in mind that the server(s) in your domain's MX record does not have to be the sending server, but the forward and reverse DNS for the sending server (or apparent sending device which in this case may well be the firewall) needs to match or mail will be rejected/discarded by any mail server that does a DNS match test.

In that case, you would need to give a host name to the firewall's IP (i.e. add an A record for just mail.mydomain.com) and have AT&T add the corresponding PTR for that host. All that is being checked in a DNS forward/reverse match check is the physical device initiating the contact, which in this case sounds like it actually is the firewall. And if that is the case, then the .130 is indeed the IP that will need the reverse.
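The forward/reverse match test the accepted answer describes, as an added example that is not from the thread or any of its posters. It runs offline against constructed sample records (the example.net names and 192.0.2.x addresses are placeholders standing in for the .130 firewall and the .140/.141 MX hosts), and includes live-resolver variants that can be substituted on a real host.

```python
import socket

# Constructed sample DNS data (placeholders, not the asker's real records): the
# firewall IP (.130) has an ISP-added PTR; the MX hosts (.140/.141) have none.
SAMPLE_PTR = {"192.0.2.130": ["mail.example.net"]}
SAMPLE_A = {
    "mail.example.net": ["192.0.2.130"],
    "mail-01.example.net": ["192.0.2.141"],
    "mail-02.example.net": ["192.0.2.140"],
}

def lookup_ptr(ip, table=SAMPLE_PTR):
    """Reverse lookup (IP -> names) against the sample table, so this runs offline."""
    return table.get(ip, [])

def lookup_a(name, table=SAMPLE_A):
    """Forward lookup (name -> IPs) against the sample table."""
    return table.get(name.lower().rstrip("."), [])

def system_ptr(ip):
    """Live reverse lookup through the OS resolver; pass as ptr= on a real host."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + aliases
    except (socket.herror, socket.gaierror):
        return []

def system_a(name):
    try:  # live forward lookup through the OS resolver; pass as a= on a real host
        return socket.gethostbyname_ex(name)[2]
    except (socket.herror, socket.gaierror):
        return []

def check_sender(ip, helo, ptr=lookup_ptr, a=lookup_a):
    """Apply the two tests a receiving MTA commonly runs on the connecting IP.
    Returns (accepted, reasons); behind NAT the IP seen is the firewall's."""
    reasons = []
    # 1. The HELO/EHLO name must have an A record for the connecting IP
    #    (this is the test behind the 521 bounce quoted in the question).
    if ip not in a(helo):
        reasons.append(f"HELO {helo} does not map to {ip}")
    # 2. Forward-confirmed reverse DNS: a PTR name for ip must resolve back to ip.
    names = ptr(ip)
    if not names:
        reasons.append(f"no PTR record for {ip}")
    elif not any(ip in a(n) for n in names):
        reasons.append(f"PTR names {names} do not resolve back to {ip}")
    return (not reasons, reasons)
```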