Solved

Reverse DNS Entry for Mail Server

Posted on 2006-11-28
Last Modified: 2012-08-13
When I email Comcast the email bounces back with the following:

Your message did not reach some or all of the intended recipients.
      Subject:  Test
      Sent:     11/27/2006 3:49 PM
The following recipient(s) could not be reached:

      addr...@comcast.net on 11/27/2006 3:49 PM
            There was a SMTP communication problem with the recipient's
email server.  Please contact your system administrator.
            <my.mail.server.net #5.5.0 smtp;521-EHLO/HELO from sender
12.184.137.130 does not map to my.mail.server.net in DNS>

The IP in the NDR is that of my firewall.  What are the options for
pointing the IP/address to the external IP of the mailserver itself?

Also...

The mail appears to come from the correct computer
my.mail.ser...@mydomain.net, but the IP address associated is that of
the firewall gateway address.  I have a block of 30 addresses and the
mailservers are NATted behind the firewall. How would I change the IP that it appears from the FW to the actual server public IP?
 
Question by:meshman8
15 Comments
 
LVL 9

Expert Comment

by:robjeeves
ID: 18030255
G'day

This needs to be created by yourself if you manage your own DNS namespace, or by your ISP if they look after it for you.  You should be setting the PTR record to match the same IP as the mailserver's MX record.

Lots of good info found here: http://www.amset.info/exchange/dnsconfig.asp

Hope this helps

Rob
0
 

Author Comment

by:meshman8
ID: 18030299
My domain DNS is at Register.com.   I have an A record for each of the mail servers. They do not offer reverse DNS/PTR records.  The mail comes from my mail server name, but the IP is that of the firewall, which is correct.  I need for the mail to appear to come from the public IP of my mail server, obviously different from the firewall.  But won't it always come from the firewall?
0
 
LVL 12

Expert Comment

by:Donnie4572
ID: 18030303
What FW are you using?
You should set an address transform to assign a public address to traffic from your mail server and have your ISP assign a PTR record for that address to resolve to the name of your mailserver.
This is NAT for the traffic from the inside mailserver to the outside universe, using a public subnet as the NAT subnet.
0
 

Author Comment

by:meshman8
ID: 18030353
I have a Watchguard FireboxII.  It is a 1 to 1 NAT from the public IP to the LAN address.
0
 

Author Comment

by:meshman8
ID: 18030363
The FQDN has an A record that resolves correctly.  The PTR lookup for register.com returns nothing from register.com.
0
 
LVL 16

Expert Comment

by:poweruser32
ID: 18030374
Your mail server uses the public IP of the firewall in a virtual way in your case - you are using NAT.
All incoming email is forwarded from your firewall to your "real" mail server.
Are you using relay or what?
0
 
LVL 3

Expert Comment

by:atoth
ID: 18030388
You might be able to get your ISP to create a reverse DNS pointer for your Firewall's external IP - Easynet did that for me in a similar situation.

Adam
0
 
LVL 8

Expert Comment

by:susanzeigler
ID: 18030462
The reverse DNS is not handled by Register.com--they handle your forward DNS (your domain).

Reverse DNS is handled and maintained by the entity that assigned your IPs to you--typically your upstream ISP but in some cases it is upstream from them.

In your case, the IPs seem to be directly assigned from AT&T.

If your mail server has a public IP, then reverse should be done on that one--basically, whatever host name is listed in your domain's MX record is the one you will want reverse mapping for. If you do an nslookup on the host that is shown in your MX records, the IP returned is the one that the reverse DNS needs to match.
0
 

Author Comment

by:meshman8
ID: 18030480
All external incoming traffic on port 25 is forwarded to the internal address of the mailserver.  There is an all to all outgoing rule for port 25.  The NDR simply says that <mail-02.mydomain.net #5.5.0 smtp;521-EHLO/HELO from sender XX.XX.XXX.XXX does not map to mail-02.mydomain.net in DNS>

A PTR record pointing XX.XX.XX.XX(mailserver public IP) to mail-02.mydomain.com would not change the fact that the mail comes from the IP of the firewall XX.XX.XX.YY.
0
 
LVL 8

Expert Comment

by:susanzeigler
ID: 18030517
Bleh, hit enter too fast. AT&T is the one that will need to do the reverse DNS for you, and you will need to contact them to let them know what the entries should be.

Your DNS has two MX records, btw, the lesser-preferred one being the IP of your firewall as given above. Take the host names in your forward DNS (i.e. the A records) and give AT&T those as the hosts for the PTR records.
0
 

Author Comment

by:meshman8
ID: 18030574
The MX records are actually .140 and .141.  The FW is .130.  I will give AT&T a call and see what they say.  It still doesn't change that the mail appears to come from .130 though.
0
 
LVL 12

Expert Comment

by:Donnie4572
ID: 18030626
Doesn't matter.....
If the .130 is the address that your mail comes from then you could have a PTR for your mailservers A record point to .130 and this would solve your problem

As said by  atoth above
"You might be able to get your ISP to create a reverse DNS pointer for your Firewall's external IP"
0
 

Author Comment

by:meshman8
ID: 18030746
I have two mail servers, each having a different public IP address.  I think that I should have the mail appear to come from the respective mailserver public IP first rather than trying to "trick" the reverse DNS.  I do however understand what you are saying.  I would then be adding RDNS for two hosts to the same IP though.
0
 
LVL 12

Expert Comment

by:Donnie4572
ID: 18030785
Then you must NAT this on the FW.
0
 
LVL 8

Accepted Solution

by:
susanzeigler earned 250 total points
ID: 18032093
I understand why you are trying to keep it clean and agree that it is a good idea.

That said, it is possible to have the receiving server(s) and the sending server(s) with different IPs.

Keep in mind that the server(s) in your domain's MX record does not have to be the sending server, but the forward and reverse DNS for the sending server (or apparent sending device which in this case may well be the firewall) needs to match or mail will be rejected/discarded by any mail server that does a DNS match test.

In that case, you would need to give a host name to the firewall's IP (i.e. add an A record for just mail.mydomain.com) and have AT&T add the corresponding PTR for that host. All that is being checked in a DNS forward/reverse match check is the physical device initiating the contact--which in this case sounds like it actually is the firewall. And if that is the case, then the .130 is indeed the IP that will need the reverse.
0
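The forward/reverse match that susanzeigler describes (and that produced the 521 in the original NDR) can be reproduced offline. The script below is an added example, not code from the thread or from any of the posters: it models the receiving server's check against three sets of constructed DNS tables, the situation as posted, the accepted solution (a name plus PTR for the firewall's address, announced in EHLO), and Donnie4572's alternative (1:1 NAT so mail-02 leaves from its own public IP). The 192.0.2.x addresses are documentation-range stand-ins for the thread's .130/.140/.141 hosts, and the names mail.mydomain.net / mail-02.mydomain.net are assumed from the posts.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check, the test a receiving mail
server applies to the EHLO/HELO name and the IP that opened the connection.

Added example; the record tables below are constructed and use the
192.0.2.0/24 documentation range in place of the thread's real addresses
(.130 = firewall, .140/.141 = the two mail servers).
"""
import socket
from typing import Callable, Dict, List

ALookup = Callable[[str], List[str]]    # name -> IPv4 addresses (A records)
PtrLookup = Callable[[str], List[str]]  # ip   -> host names (PTR records)


def _canon(name: str) -> str:
    """Normalise a DNS name for comparison (case, trailing dot)."""
    return name.lower().rstrip(".")


def fcrdns_check(helo_name: str, sender_ip: str,
                 a_lookup: ALookup, ptr_lookup: PtrLookup) -> Dict[str, object]:
    """Return the forward and reverse results for one SMTP connection.

    forward_ok: the EHLO name has an A record equal to the connecting IP
                (the test that produced the 521 in the thread's NDR).
    reverse_ok: the connecting IP has a PTR naming the EHLO host.
    accepted:   both hold, so forward and reverse DNS match.
    """
    forward_ips = a_lookup(helo_name)
    ptr_names = {_canon(n) for n in ptr_lookup(sender_ip)}
    forward_ok = sender_ip in forward_ips
    reverse_ok = _canon(helo_name) in ptr_names
    return {
        "helo": helo_name,
        "ip": sender_ip,
        "forward_ips": forward_ips,
        "ptr_names": sorted(ptr_names),
        "forward_ok": forward_ok,
        "reverse_ok": reverse_ok,
        "accepted": forward_ok and reverse_ok,
    }


def table_lookups(a_records: Dict[str, List[str]],
                  ptr_records: Dict[str, List[str]]):
    """Build lookup functions over in-memory zone tables (offline use)."""
    def a_lookup(name: str) -> List[str]:
        return list(a_records.get(_canon(name), []))

    def ptr_lookup(ip: str) -> List[str]:
        return list(ptr_records.get(ip, []))
    return a_lookup, ptr_lookup


def live_a_lookup(name: str) -> List[str]:
    """A-record lookup through the system resolver (for checking a real host)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def live_ptr_lookup(ip: str) -> List[str]:
    """PTR lookup through the system resolver (for checking a real host)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + list(aliases)
    except (socket.herror, socket.gaierror):
        return []


FIREWALL_IP = "192.0.2.130"   # constructed; the NAT gateway's public address
MAIL02_IP = "192.0.2.141"     # constructed; mail-02's own public address

# Situation as posted: A records exist for both mail servers, the registrar
# offers no PTRs, and outbound mail leaves from the firewall's address.
A_BEFORE = {"mail-01.mydomain.net": ["192.0.2.140"],
            "mail-02.mydomain.net": [MAIL02_IP]}
PTR_BEFORE: Dict[str, List[str]] = {}


def scenario_before() -> Dict[str, object]:
    """mail-02 says EHLO mail-02.mydomain.net but connects from .130: rejected."""
    a, ptr = table_lookups(A_BEFORE, PTR_BEFORE)
    return fcrdns_check("mail-02.mydomain.net", FIREWALL_IP, a, ptr)


def scenario_firewall_named() -> Dict[str, object]:
    """Accepted solution: give .130 a host name (A record) and a matching PTR
    from the ISP, and have outbound mail announce that name in EHLO."""
    a_records = {**A_BEFORE, "mail.mydomain.net": [FIREWALL_IP]}
    ptr_records = {FIREWALL_IP: ["mail.mydomain.net"]}
    a, ptr = table_lookups(a_records, ptr_records)
    return fcrdns_check("mail.mydomain.net", FIREWALL_IP, a, ptr)


def scenario_nat_per_server() -> Dict[str, object]:
    """Donnie4572's route: 1:1 NAT so mail-02 leaves from its own public IP,
    plus a PTR for that IP; the existing EHLO name then matches."""
    ptr_records = {MAIL02_IP: ["mail-02.mydomain.net"]}
    a, ptr = table_lookups(A_BEFORE, ptr_records)
    return fcrdns_check("mail-02.mydomain.net", MAIL02_IP, a, ptr)


if __name__ == "__main__":
    for result in (scenario_before(), scenario_firewall_named(), scenario_nat_per_server()):
        verdict = "accepted" if result["accepted"] else "rejected"
        print(f"{result['helo']} from {result['ip']}: {verdict} "
              f"(forward_ok={result['forward_ok']}, reverse_ok={result['reverse_ok']})")
```

To check a real sending host, pass `live_a_lookup` and `live_ptr_lookup` to `fcrdns_check` with the name your server puts in EHLO and the public address the remote side actually sees. Whichever of the two fixes is chosen, the PTR half can only be published by whoever holds the address block (here AT&T), which is why the registrar's forward zone alone cannot clear the 521.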
