• Status: Solved

How do I set up Reverse DNS?

Hi,

I'm having problems with my mail server and Reverse DNS. Some mail servers are not letting me connect and I think this is due to reverse DNS not being set up correctly.

I have a set of IP addresses, xxx.xxx.xxx.199 points to the gateway and xxx.xxx.xxx.198 points to the mail server. Our A record of mail.DOMAIN.COM.AU (which has IP xxx.xxx.xxx.198) is used as the MX record.

When the mail server connects to another mail server I can see that it shows up as the gateway's IP of xxx.xxx.xxx.199. I have set up the PTR reverse DNS record to be mail.DOMAIN.COM.AU on both IP addresses of xxx.xxx.xxx.199 and xxx.xxx.xxx.198.

I'm still not allowed to connect to mail servers that check reverse DNS though.

Thanks for your help.
0
Asked by: benenglish4603
 
dhoffman_98 Commented:
Since you haven't shown your real addresses or domain name, I can't see what is in your current records. However, one thing I can tell you is that the problem may only partly be remedied by creating a reverse DNS record. The other part of the problem is getting your reverse lookup to return the same hostname that your mail server is configured to identify itself as.

For example, if your mail server connects to another server and says "helo smtpout.myisp.net" (which would indicate that the mail server's hostname is smtpout.myisp.net) but your reverse DNS shows it as "mail.myisp.net", then you could get rejected by mail servers that cross-check the indicated host name against the reverse DNS.

So if you have a place in your mail server where you can set the configuration of the host name, double check and make sure that you use the same host name for your reverse.
0
 
benenglish4603 (Author) Commented:
Hi,
our domain is schlegel.com.au and the mail server is called mail.schlegel.com.au.

I'll check the settings on the mail server for the host name.
0
 
vasil_tonev Commented:
You must contact your ISP for setting a reverse zone!
Just adding PTR records will not work!
Either your ISP must assign static reverse records for your address space, or set up their DNS as a slave for your IPs.
0

 
benenglish4603 (Author) Commented:
When I try to connect to a mail server that checks reverse DNS I can even get a connection, i.e. I don't get to the point of HELO... It just times out and says connection failed.

*****
telnet mail.ozemail.com.au 25
Connecting To mail.ozemail.com.au...Could not open connection to the host, on port 25: Connect failed
*****

For the ISP setting up the reverse DNS, they told me to set it up myself (which is the problem as most of the time I get the ISP to set it up). They have a DNS web tools page where I can set up reverse DNS.

I have run a check on the IPs in question and they both report reverse DNS has been set up.

0
 
vasil_tonev Commented:
You said:
"When the mail server connects to another mail server I can see that it shows up as the gateway's IP of xxx.xxx.xxx.199."

Does this mean that your gateway is doing some kind of NAT?

You said also:
"I have setup the PTR reverse DNS record to be mail.DOMAIN.COM.AU on both IP addresses of xxx.xxx.xxx.199 and xxx.xxx.xxx.198."

If I've understood you correctly, xxx.xxx.xxx.199 is your gateway? There aren't any mail servers running on it!

BTW: telnet mail.ozemail.com.au 25 works fine for me!
Reverse DNS check is made after the HELO.

It seems to me, that your problem has nothing to do with reverse DNS! Check your router and mail server configuration.
0
 
dhoffman_98 Commented:
Sorry Vasil, but that's not true. I have static address assignments and I maintain my own zone. My ISP pulls a secondary from my server and my server is authoritative for my subnet. Don't make generalizations, not all ISPs are the same. However, it looks like this case IS pointing back to the ISP (Telstra.net).

The MX records for schlegel.com.au show that the primary mail exchanger (MX) is mail.schlegel.com.au. That resolves back to 203.53.199.98. But if I try to do a reverse lookup, I get no answer. In fact, I get an error back that shows "Query refused".
It seems (in this case) that the reverse records are being checked at the ISP, but the ISP is refusing to allow reverse lookups.

Further, your mail server is claiming to be a host called "TSSCHLEGEL.Schlegel.local", but that name obviously can't be resolved... This is probably more of a problem than the reverse pointer issue. When you connect to another mail server, you're saying "Hi I'm TSSCHLEGEL.Schlegel.local and I want to connect to you." And then the remote mail server says "Oh yeah? Well I can't find a host on the Internet called TSSCHLEGEL.Schlegel.local, so bug off!"

For more details about other problems you might be having, check out http://www.dnsstuff.com/tools/dnsreport.ch?domain=schlegel.com.au

0
 
vasil_tonev Commented:
Reverse DNS for mail.schlegel.com.au is working just fine!
A wrong hostname like "TSSCHLEGEL.Schlegel.local" is a bad idea.
The mail server will not work with this hostname!

onix@workst:~$ dig -x 203.53.199.98

; <<>> DiG 9.3.4 <<>> -x 203.53.199.98
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15158
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;98.199.53.203.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
98.199.53.203.in-addr.arpa. 86400 IN    PTR     mail.schlegel.com.au.

;; AUTHORITY SECTION:
199.53.203.in-addr.arpa. 86400  IN      NS      dns0.telstra.net.
199.53.203.in-addr.arpa. 86400  IN      NS      dns1.telstra.net.

;; ADDITIONAL SECTION:
dns0.telstra.net.       68058   IN      A       203.50.5.199
dns1.telstra.net.       3834    IN      A       203.50.5.200
0
 
dhoffman_98 Commented:
Odd. When I tried it about an hour ago, telstra.net was telling me Query Refused on the reverse lookup queries. Now it's looking correct. But the problem is apparently not the lookup. As I stated earlier, the problem is probably misconfiguration of the MTA.
0
 
benenglish4603 (Author) Commented:
The router is running NAT so instead of showing the connection from 203.53.199.98 (the mail server's ext IP) it shows the connection from 203.53.199.99 (the gateway). We have a number of IP addresses pointing back to the router:

203.53.199.98 we use for the mail server and 203.53.199.99 for the gateway

We can connect to most mail servers fine, just (it seems) not the ones that check reverse DNS like ozemail and AOL. I know that the server is showing the wrong name (TSSCHLEGEL.Schlegel.local), but it doesn't even get that far. All we get is:

telnet mail.ozemail.com.au 25
Connecting To mail.ozemail.com.au...Could not open connection to the host, on port 25: Connect failed

So we don't get to the point of HELO...
0
 
dhoffman_98 Commented:
And you may not.

Take a look at the information from the dnsreport site. I got the information about TSSCHLEGEL.SCHLEGEL.LOCAL from that site, and it didn't send a HELO to it. There are other ways of testing to filter out bad (or what LOOKS like bad) mail. If another mail server is doing some other form of testing to look at where the incoming connection is coming from, even before getting to the HELO, then it can reject the connection before even getting that far.
0
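
The cross-checks discussed in this thread (PTR lookup, forward confirmation of the PTR name, and the HELO name), sketched as an added example that is not part of any participant's post. The DNS tables are constructed from the addresses and names quoted in the thread, `check_sender` is a hypothetical name, and which of these checks a given receiving server actually applies is an assumption.

```python
# Added example: forward-confirmed reverse DNS (FCrDNS) plus HELO check,
# as a receiving mail server might apply it. The DNS data is constructed
# from values quoted in this thread; no live lookups are made.

PTR = {  # constructed: both addresses carry the same PTR, as the asker set up
    "203.53.199.98": ["mail.schlegel.com.au"],
    "203.53.199.99": ["mail.schlegel.com.au"],
}
A = {  # constructed: the A record that the MX points at
    "mail.schlegel.com.au": ["203.53.199.98"],
}

def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def check_sender(client_ip, helo, ptr=PTR, a=A):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    names = [norm(n) for n in ptr.get(client_ip, [])]
    if not names:
        findings.append("no PTR record for " + client_ip)
    # Forward-confirm: a PTR name must resolve back to the connecting address.
    confirmed = [n for n in names if client_ip in a.get(n, [])]
    if names and not confirmed:
        findings.append("PTR %s does not resolve back to %s" % (names[0], client_ip))
    helo_n = norm(helo)
    if helo_n not in a:
        findings.append("HELO name %s does not resolve" % helo_n)
    elif client_ip not in a[helo_n]:
        findings.append("HELO name %s resolves to a different address" % helo_n)
    if confirmed and helo_n not in confirmed:
        findings.append("HELO name differs from confirmed PTR name")
    return findings

def scenarios():
    """The three states that come up in the thread, seen from the receiver."""
    local = "TSSCHLEGEL.Schlegel.local"
    return {
        "nat_via_gateway": check_sender("203.53.199.99", local),
        "own_ip_local_helo": check_sender("203.53.199.98", local),
        "own_ip_public_helo": check_sender("203.53.199.98", "mail.schlegel.com.au"),
    }

if __name__ == "__main__":
    for label, result in scenarios().items():
        print(label, "->", result or "pass")
```

With outbound mail leaving from the gateway address, the PTR exists but fails forward confirmation, which a lookup of the PTR alone does not reveal.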
 
benenglish4603 (Author) Commented:
Ok, that seems to get a connection now but I'm getting this error when testing from command line:

****
220 outbound.icp-qv1-irony-out2.iinet.net.au ESMTP
helo mail.schlegel.com.au
250 outbound.icp-qv1-irony-out2.iinet.net.au
mail from:ben@schlegel.com.au
530 Authentication required
mail to:timekeep@ozemail.com.au
530 Authentication required
data
530 Authentication required
quit
221 outbound.icp-qv1-irony-out2.iinet.net.au

Connection to host lost.
****

All I seem to get is:
530 Authentication required

Any ideas?
0
 
vasil_tonev Commented:
First of all, to avoid other problems I recommend you move your mail server to a DMZ.
Set up your router with DMZ on IP: 203.53.199.98. This eliminates any possible problems with a misconfigured router, etc.
Next, make sure that the MX record for your domain points to mail.schlegel.com.au. The reverse entry for mail.schlegel.com.au should point to 203.53.199.98. Give your gateway a different hostname. You shouldn't have, as you said, mail.schlegel.com.au back-resolving to two IPs!
From the above telnet session I see that your SMTP requires authorization, which is generally a good idea. You can get authorization with the command "auth login". The server asks you for a username and password. In most cases your username is your mail address on the server.
If you tell me what kind of SMTP server you are using, I can be more specific.
0
 
dhoffman_98 Commented:
I'll agree that putting your mail server in a DMZ is a good suggestion, but it has nothing to do with the current problem.

Also, as vasil_tonev said, the reason you are getting the responses you are seeing is because you connected to an ISP that requires authentication before you can send. Many ISPs will do that for OUTBOUND mail so that their MTA can only be used for outbound mail by their own users.

However, your mail server is the one sending outbound mail, so it shouldn't be connecting to that mail server and failing to authenticate. Even the name of the server you are connecting to suggests that it is to be used for outbound mail, not incoming connections.

According to my query, the mail exchanger for iinet.net.au is called "as-av.iinet.net.au".



0
 
vasil_tonev Commented:
Sorry D. Hoffman, but DMZ has many things to do with the problem!
First of all, the author said "The router is running NAT so instead of showing the connection from 203.53.199.98 (the mail servers ext IP) is shows the connection from 203.53.199.99 (the gateway)." There is something screwy with this configuration, don't you think? The mail exchanger is back-resolving to two IPs and one of them is inaccessible with the above config!
To avoid any possible misunderstandings with port forwarding, virtual servers, etc., I strongly suggest that you move your MTA to a DMZ! Another reason to do this is that with many low-end hardware routers this is the only way to have a second external IP!
0
 
dhoffman_98 Commented:
Vasil, I think you saw me agree with you. Grow up and learn to play nice. No need to get an attitude about it.

The fact that his router is running NAT is irrelevant. I don't run my mail server in the DMZ and it's behind a NAT firewall. My mail server's ip address is 192.168.1.1, but that's not the address you see it coming from... not because it's in a DMZ, but because it's configured properly.

If your purpose here is to argue about this because you are dying to get a few more points, then you are an example of what's wrong with this site. It's not about the points, it's about sharing knowledge. So get on the team or get off the site.

0
 
benenglish4603 (Author) Commented:
Thanks for the help guys, problem resolved.
0
