how do I setup Reverse DNS?
Hi,
I'm having problems with my mail server and Reverse DNS. Some mail servers are not letting me connect and I think this is due to reverse DNS not being setup correctly.
I have a set of IP addresses, xxx.xxx.xxx.199 points to the gateway and xxx.xxx.xxx.198 points to the mail server. Our A record of mail.DOMAIN.COM.AU (which has IP xxx.xxx.xxx.198) is used as the MX record.
When the mail server connects to another mail server I can see that it shows up as the gateway's IP of xxx.xxx.xxx.199. I have setup the PTR reverse DNS record to be mail.DOMAIN.COM.AU on both IP addresses of xxx.xxx.xxx.199 and xxx.xxx.xxx.198.
I'm still not allowed to connect to mail servers that check reverse DNS though.
Thanks for your help.
I'm having problems with my mail server and Reverse DNS. Some mail servers are not letting me connect and I think this is due to reverse DNS not being setup correctly.
I have a set of IP addresses, xxx.xxx.xxx.199 points to the gateway and xxx.xxx.xxx.198 points to the mail server. Our A record of mail.DOMAIN.COM.AU (which has IP xxx.xxx.xxx.198) is used as the MX record.
When the mail server connects to another mail server I can see that it shows up as the gateway's IP of xxx.xxx.xxx.199. I have setup the PTR reverse DNS record to be mail.DOMAIN.COM.AU on both IP addresses of xxx.xxx.xxx.199 and xxx.xxx.xxx.198.
I'm still not allowed to connect to mail servers that check reverse DNS though.
Thanks for your help.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
You must contact your ISP for setting a reverse zone!
Just adding PTR records will not work!
Either your ISP must assign a static reverse records for your address space, or setup their DNS as a slave for your IP's.
Just adding PTR records will not work!
Either your ISP must assign a static reverse records for your address space, or setup their DNS as a slave for your IP's.
ASKER
When I try to connect to a mail server that checks reverse DNS I can even get a connection i.e. I dont get to the point of HELO... It just times out and says connection failed.
*****
telnet mail.ozemail.com.au 25
Connecting To mail.ozemail.com.au...Coul
*****
For the ISP setting up the reverse DNS, they told me to set it up myself (which is the problem as most of the time I get the ISP to set it up) They have a DNS web tools page where I can setup reverse DNS.
I have run a check on the IPs in question and they both report reverse DNS has been setup.
*****
telnet mail.ozemail.com.au 25
Connecting To mail.ozemail.com.au...Coul
*****
For the ISP setting up the reverse DNS, they told me to set it up myself (which is the problem as most of the time I get the ISP to set it up) They have a DNS web tools page where I can setup reverse DNS.
I have run a check on the IPs in question and they both report reverse DNS has been setup.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Sorry Vasil, but that's not true. I have static address assignments and I maintain my own zone. My ISP pulls a secondary from my server and my server is authoritative for my subnet. Don't make generalizations, not all ISPs are the same. However, it looks like this case IS pointing back to the ISP (Telstra.net).
The MX records for schlegel.com.au show that the primary mail exchanger (MX) is mail.schlegel.com.au. That resolves back to 203.53.199.98. But if I try to do a reverse lookup, I get no answer. In fact, I get an error back that shows "Query refused".
It seems (in this case) that the reverse records are being checked at the ISP, but the ISP is refusing to allow reverse lookups.
Further, your mail server is claiming to be a host called "TSSCHLEGEL.Schlegel.local
For more details about other problems you might be having, check out http://www.dnsstuff.com/tools/dnsreport.ch?domain=schlegel.com.au
The MX records for schlegel.com.au show that the primary mail exchanger (MX) is mail.schlegel.com.au. That resolves back to 203.53.199.98. But if I try to do a reverse lookup, I get no answer. In fact, I get an error back that shows "Query refused".
It seems (in this case) that the reverse records are being checked at the ISP, but the ISP is refusing to allow reverse lookups.
Further, your mail server is claiming to be a host called "TSSCHLEGEL.Schlegel.local
For more details about other problems you might be having, check out http://www.dnsstuff.com/tools/dnsreport.ch?domain=schlegel.com.au
Reverse DNS for mail.schlegel.com.au is working just fine!
Wrong hostname like "TSSCHLEGEL.Schlegel.local
Mail server will not work with this hostname!
onix@workst:~$ dig -x 203.53.199.98
; <<>> DiG 9.3.4 <<>> -x 203.53.199.98
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15158
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;98.199.53.203.in-addr.arp
;; ANSWER SECTION:
98.199.53.203.in-addr.arpa
;; AUTHORITY SECTION:
199.53.203.in-addr.arpa. 86400 IN NS dns0.telstra.net.
199.53.203.in-addr.arpa. 86400 IN NS dns1.telstra.net.
;; ADDITIONAL SECTION:
dns0.telstra.net. 68058 IN A 203.50.5.199
dns1.telstra.net. 3834 IN A 203.50.5.200
Wrong hostname like "TSSCHLEGEL.Schlegel.local
Mail server will not work with this hostname!
onix@workst:~$ dig -x 203.53.199.98
; <<>> DiG 9.3.4 <<>> -x 203.53.199.98
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15158
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
;; QUESTION SECTION:
;98.199.53.203.in-addr.arp
;; ANSWER SECTION:
98.199.53.203.in-addr.arpa
;; AUTHORITY SECTION:
199.53.203.in-addr.arpa. 86400 IN NS dns0.telstra.net.
199.53.203.in-addr.arpa. 86400 IN NS dns1.telstra.net.
;; ADDITIONAL SECTION:
dns0.telstra.net. 68058 IN A 203.50.5.199
dns1.telstra.net. 3834 IN A 203.50.5.200
Odd. When I tried it about an hour ago, telstra.net was telling me Query Refused on the reverse lookup queries. Now it's looking correct. But the problem is apparently not the lookup. As I stated earlier, the problem is probably misconfiguration of the MTA.
ASKER
The router is running NAT so instead of showing the connection from 203.53.199.98 (the mail servers ext IP) is shows the connection from 203.53.199.99 (the gateway). We have a number of IP addresses pointing back to the router:
203.53.199.98 we use for the mail server and 203.53.199.99 for the gateway
We can connect to most mail servers fine, just (it seems) not the ones that check reverse DNS like ozemail and AOL. I know that the server is showing the wrong name (TSSCHLEGEL.Schlegel.local
telnet mail.ozemail.com.au 25
Connecting To mail.ozemail.com.au...Coul
So we dont get to the point of HELO...
203.53.199.98 we use for the mail server and 203.53.199.99 for the gateway
We can connect to most mail servers fine, just (it seems) not the ones that check reverse DNS like ozemail and AOL. I know that the server is showing the wrong name (TSSCHLEGEL.Schlegel.local
telnet mail.ozemail.com.au 25
Connecting To mail.ozemail.com.au...Coul
So we dont get to the point of HELO...
And you may not.
Take a look at the information from the dnsreport site. I got the information about TSSCHLEGEL.SCHLEGEL.LOCAL from that site, and it didn't send a HELO to it. There are other ways of testing to filter out bad (or what LOOKS like bad) mail. If another mail server is doing some other form of testing to look at where the incoming connection is coming from, even before getting to the HELO, then it can reject the connection before even getting that far.
Take a look at the information from the dnsreport site. I got the information about TSSCHLEGEL.SCHLEGEL.LOCAL from that site, and it didn't send a HELO to it. There are other ways of testing to filter out bad (or what LOOKS like bad) mail. If another mail server is doing some other form of testing to look at where the incoming connection is coming from, even before getting to the HELO, then it can reject the connection before even getting that far.
ASKER
Ok, that seems to get a connection now but I'm getting this error when testing from command line:
****
220 outbound.icp-qv1-irony-out
helo mail.schlegel.com.au
250 outbound.icp-qv1-irony-out
mail from:ben@schlegel.com.au
530 Authentication required
mail to:timekeep@ozemail.com.au
530 Authentication required
data
530 Authentication required
quit
221 outbound.icp-qv1-irony-out
Connection to host lost.
****
All I seem to get is:
530 Authentication required
Any ideas?
****
220 outbound.icp-qv1-irony-out
helo mail.schlegel.com.au
250 outbound.icp-qv1-irony-out
mail from:ben@schlegel.com.au
530 Authentication required
mail to:timekeep@ozemail.com.au
530 Authentication required
data
530 Authentication required
quit
221 outbound.icp-qv1-irony-out
Connection to host lost.
****
All I seem to get is:
530 Authentication required
Any ideas?
First of all, to avoid other problems I recommend you to move your mail server on DMZ.
Setup your router with DMZ on IP: 203.53.199.98. This elliminates any possible problems with misconfigured router and etc.
Next make sure, that MX record for your domain points to mail.schlegel.com.au. Reverse entry for mail.schlegel.com.au should point to 203.53.199.98. Give your gateway different hostname. You shouldn't have, as you said, mail.schlegel.com.au back resolving to two IP's!
From above telnet session I see, that your SMTP requires authorization, wich is generally a good idea. You can get authorization with command "auth login". Server asks you for username and password. In most cases your username is your mail address on server.
If you tell me, what kind of SMTP server you are using, I can be more speciffic.
Setup your router with DMZ on IP: 203.53.199.98. This elliminates any possible problems with misconfigured router and etc.
Next make sure, that MX record for your domain points to mail.schlegel.com.au. Reverse entry for mail.schlegel.com.au should point to 203.53.199.98. Give your gateway different hostname. You shouldn't have, as you said, mail.schlegel.com.au back resolving to two IP's!
From above telnet session I see, that your SMTP requires authorization, wich is generally a good idea. You can get authorization with command "auth login". Server asks you for username and password. In most cases your username is your mail address on server.
If you tell me, what kind of SMTP server you are using, I can be more speciffic.
I'll agree that putting your mail server in a DMZ is a good suggestion, but it has nothing to do with the current problem.
Also, as Vasil_Toney said, the reason you are getting the responses you are seeing is because you connected to an ISP that requires authentication before you can send. Many ISPs will do that for OUTBOUND mail so that their MTA can only be used for outbound mail by their own users.
However, your mail server is the one sending outbound mail, so it shouldn't be connecting to that mail server and failing to authenticate. Even the name of the server you are connecting to suggests that it is to be used for outbound mail, not incoming connections.
According to my query, the mail exchanger for iinet.net.au is called "as-av.iinet.net.au".
Also, as Vasil_Toney said, the reason you are getting the responses you are seeing is because you connected to an ISP that requires authentication before you can send. Many ISPs will do that for OUTBOUND mail so that their MTA can only be used for outbound mail by their own users.
However, your mail server is the one sending outbound mail, so it shouldn't be connecting to that mail server and failing to authenticate. Even the name of the server you are connecting to suggests that it is to be used for outbound mail, not incoming connections.
According to my query, the mail exchanger for iinet.net.au is called "as-av.iinet.net.au".
Sorry D. Hoffman, but DMZ has many things to do with a problem!
First of all author said "The router is running NAT so instead of showing the connection from 203.53.199.98 (the mail servers ext IP) is shows the connection from 203.53.199.99 (the gateway)." There is something screwey with this configuration, don't you think? Mail exchanger is back resolving to two IP's and one of them is unaccessible with above config!
To avoid any possible misunderstandings with port forwarding, virtual servers and etc., I strongly suggest, that you move your MTA to DMZ! Another reason to do this is that with many low-end hardware routers this is the only way to have second external IP!
First of all author said "The router is running NAT so instead of showing the connection from 203.53.199.98 (the mail servers ext IP) is shows the connection from 203.53.199.99 (the gateway)." There is something screwey with this configuration, don't you think? Mail exchanger is back resolving to two IP's and one of them is unaccessible with above config!
To avoid any possible misunderstandings with port forwarding, virtual servers and etc., I strongly suggest, that you move your MTA to DMZ! Another reason to do this is that with many low-end hardware routers this is the only way to have second external IP!
Vasil, I think you saw me agree with you. Grow up and learn to play nice. No need to get an attitude about it.
The fact that his router is running NAT is irrelevant. I don't run my mail server in the DMZ and it's behind a NAT firewall. My mail server's ip address is 192.168.1.1, but that's not the address you see it coming from... not because it's in a DMZ, but because it's configured properly.
If your purpose here is to argue about this because you are dying to get a few more points, then you are an example of what's wrong with this site. It's not about the points, its about sharing knowledge. So get on the team or get off the site.
The fact that his router is running NAT is irrelevant. I don't run my mail server in the DMZ and it's behind a NAT firewall. My mail server's ip address is 192.168.1.1, but that's not the address you see it coming from... not because it's in a DMZ, but because it's configured properly.
If your purpose here is to argue about this because you are dying to get a few more points, then you are an example of what's wrong with this site. It's not about the points, its about sharing knowledge. So get on the team or get off the site.
ASKER
Thanks for the help guys, problem resolved.
ASKER
our domain is schlegel.com.au and the mail server is called mail.schlegel.com.au.
I'll ceck the settings on the mail server for the host name.