Reverse DNS not working, mail not flowing

On the morning of July 7th our email stopped flowing to a number of domains, namely aol, cox, comcast, rr, juno and a bunch of others. Basically the error we get in the log is this:

2009-07-09 16:14:49 205.188.155.72 OutboundConnectionResponse SMTPSVC1 GEMINI - 25 - - 220-rly-dg08.mx.aol.com+ESMTP+mail_relay_in-dg08.6;+Thu,+09+Jul+2009+12:14:51+-0400 0 0 83 0 32 SMTP - - -
2009-07-09 16:14:49 205.188.155.72 OutboundConnectionCommand SMTPSVC1 GEMINI - 25 EHLO - mail.libertyhospital.org 0 0 4 0 32 SMTP - - -
2009-07-09 16:14:49 167.206.4.77 OutboundConnectionResponse SMTPSVC1 GEMINI - 25 - - 452+4.2.1+Your+host+66.141.233.241+has+no+DNS+record+.+If+you+are+using+a+firewall+please+configure+DNS+and+try+again+authoritative+host+not+found:+ovacc@optonline.net 0 0 167 0 610 SMTP - - -
2009-07-09 16:14:49 167.206.4.77 OutboundConnectionCommand SMTPSVC1 GEMINI - 25 RSET - - 0 0 4 0 610 SMTP - - -
2009-07-09 16:14:49 205.188.249.91 OutboundConnectionResponse SMTPSVC1 GEMINI - 25 - - 220-rly-de08.mx.aol.com+ESMTP+mail_relay_in-de08.3;+Thu,+09+Jul+2009+12:14:51+-0400 0 0 83 0 93 SMTP - - -
2009-07-09 16:14:49 205.188.249.91 OutboundConnectionCommand SMTPSVC1 GEMINI - 25 EHLO - mail.libertyhospital.org 0 0 4 0 93 SMTP - - -
2009-07-09 16:14:49 205.188.155.72 OutboundConnectionResponse SMTPSVC1 GEMINI - 25 - - 250-rly-dg08.mx.aol.com+peer+name+unknown 0 0 41 0 78 SMTP - - -
2009-07-09 16:14:49 205.188.155.72 OutboundConnectionCommand SMTPSVC1 GEMINI - 25 MAIL - FROM:<Crodick@libertyhospital.org> 0 0 4 0 78 SMTP - - -
2009-07-09 16:14:49 63.138.68.59 smtp.paydaymess.com SMTPSVC1 GEMINI 192.168.223.4 0 RCPT - +TO:<julie.hering@libertyhospital.org> 550 0 0 42 12782 SMTP - - -
2009-07-09 16:14:49 167.206.4.77 OutboundConnectionResponse SMTPSVC1 GEMINI - 25 - - 250+2.5.0+Ok. 0 0 13 0 657 SMTP - - -
2009-07-09 16:14:49 205.188.249.91 OutboundConnectionResponse SMTPSVC1 GEMINI - 25 - - 250-rly-de08.mx.aol.com+peer+name+unknown 0 0 41 0 125 SMTP - - -
2009-07-09 16:14:49 205.188.249.91 OutboundConnectionCommand SMTPSVC1 GEMINI - 25 MAIL - FROM:<LRICHWINE@libertyhospital.org> 0 0 4 0 125 SMTP - - -
2009-07-09 16:14:49 167.206.4.77 OutboundConnectionResponse SMTPSVC1 GEMINI - 25 - - 452+4.2.1+Your+host+66.141.233.241+has+no+DNS+record+.+If+you+are+using+a+firewall+please+configure+DNS+and+try+again+authoritative+host+not+found:+oilmanshoney@optonline.com 0 0 174 0 687 SMTP - - -
2009-07-09 16:14:49 167.206.4.77 OutboundConnectionCommand SMTPSVC1 GEMINI - 25 RSET - - 0 0 4 0 687 SMTP - - -

We have Exchange 2003 with a frontend server in the DMZ behind a PIX firewall and an internal server with all the mailboxes. Email flows in just fine and out to some domains with no problem. When I run a test from mxtoolbox this is what I get:

RESULT: mail.libertyhospital.org
Banner: 220 mail.libertyhospital.org Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at Thu, 9 Jul 2009 11:27:15 -0500
Connect Time: 0 seconds - Good
Transaction Time: 12.641 seconds - Not good!
Relay Check: OK - This server is not an open relay.
Rev DNS Check: Reverse DNS FAILED! This is a problem.
GeoCode Info: Geocoding server is unavailable
Session Transcript: HELO please-read-policy.mxtoolbox.com
250 mail.libertyhospital.org Hello [64.20.227.13 [47 ms]
MAIL FROM: <test@mxtoolbox.com>
250 2.1.0 test@mxtoolbox.com....Sender [31 ms]
RCPT TO: <test@mxtoolbox.com>
550 5.7.1 Unable to relay for test@mxtoolbox.c [12516 ms]
 
 
I ran dnsdiag on our frontend server and it checks out OK. At home I have Roadrunner (one of the offending domains) and I am unable to reverse lookup our IP from there, but internally and on the public wireless we have, it works just fine.

The main thing I am trying to figure out is why would our DNS servers not be replying with the rDNS info. We host our own DNS servers (long story, but SBC kept screwing up the records before). They are both W2K3, one is the primary, one a secondary.

If you need more info let me know.
arosenboom Asked:
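Added example, not part of the original question: a Python triage of the SMTP log format shown above. It lists which remote servers reported a missing PTR and which sending address they named, which helps confirm the egress IP behind a firewall. Field positions are inferred from the sample lines; the function names are hypothetical and the recipient addresses in the sample are replaced.

```python
import re
from collections import defaultdict

# Reply fragments in which the remote MTA says it found no PTR for the
# connecting address (both phrasings appear in the log above).
RDNS_MARKERS = ("has no dns record", "peer name unknown")

# Sample lines abridged from the log above; recipient address replaced.
SAMPLE_LOG = """\
2009-07-09 16:14:49 205.188.155.72 OutboundConnectionCommand SMTPSVC1 GEMINI - 25 EHLO - mail.libertyhospital.org 0 0 4 0 32 SMTP - - -
2009-07-09 16:14:49 167.206.4.77 OutboundConnectionResponse SMTPSVC1 GEMINI - 25 - - 452+4.2.1+Your+host+66.141.233.241+has+no+DNS+record+.+If+you+are+using+a+firewall+please+configure+DNS+and+try+again+authoritative+host+not+found:+user@example.net 0 0 167 0 610 SMTP - - -
2009-07-09 16:14:49 205.188.155.72 OutboundConnectionResponse SMTPSVC1 GEMINI - 25 - - 250-rly-dg08.mx.aol.com+peer+name+unknown 0 0 41 0 78 SMTP - - -
2009-07-09 16:14:49 167.206.4.77 OutboundConnectionResponse SMTPSVC1 GEMINI - 25 - - 250+2.5.0+Ok. 0 0 13 0 657 SMTP - - -
"""

def rdns_complaints(log_text):
    """Return {remote_ip: [(smtp_code, decoded_reply), ...]} for replies in
    which the remote server reports a missing PTR for the sending address."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        f = line.split()
        # Field 2 is the remote IP, field 3 the event name, field 10 the reply.
        if len(f) < 11 or f[3] != "OutboundConnectionResponse":
            continue
        reply = f[10].replace("+", " ")      # the log writes spaces as '+'
        m = re.match(r"(\d{3})[ -]", reply)  # "452 ..." or "250-..."
        if m and any(k in reply.lower() for k in RDNS_MARKERS):
            hits[f[2]].append((int(m.group(1)), reply))
    return dict(hits)

def sender_ips(hits):
    """Sending addresses that remote servers name as having no DNS record."""
    pat = re.compile(r"host (\d{1,3}(?:\.\d{1,3}){3}) has no DNS record")
    return {m.group(1) for replies in hits.values()
            for _, text in replies for m in pat.finditer(text)}

if __name__ == "__main__":
    found = rdns_complaints(SAMPLE_LOG)
    for ip, replies in sorted(found.items()):
        for code, text in replies:
            print(ip, code, text[:60])
    print("PTR needed for:", sorted(sender_ips(found)))
```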
Chris Dent (PowerShell Developer) Commented:

If the name above is the name of the e-mail server then no public delegation for the IP range exists beneath 141.66.in-addr.arpa which belongs to swbell.net / sbcglobal.net.

Without the delegation there's no way for a system asking for that record to find your servers, assuming those are the ones hosting the reverse lookup zone.

Chris
Npatang Commented:
Make sure you have the pointer record created in your external DNS. Some of the domains do look for the reverse DNS resolution.

arosenboom (Author) Commented:
We do have the PTR record on our DNS. I've checked it, deleted it, recreated it. That doesn't seem to be the problem.

It is the name of the server. Last year at this time the same thing happened and it took a couple of days for the problem to go away pretty much by itself, even though we tried a lot. Could SBC be messing with our domain and IP range? We bought the 66.141.233 from SBC a few years ago (2003). It sounds like they need a pointer for the 233 network to point to our DNS server, is that correct?
Chris Dent (PowerShell Developer) Commented:

> It sounds like they need a pointer for the 233 network to point to our DNS server, is that correct?

They need a delegation, but I think you mean the same thing. They need to create this if you have the /24 from them:

233.141.66.in-addr.arpa. IN NS ns1.you.com.
233.141.66.in-addr.arpa. IN NS ns2.you.com.

If it's classless delegation it's a bit more complex, but it still fails at their name servers.

Chris

Mestha Commented:
Where did you look for the reverse DNS?
If you are looking in the DNS server applet on your network, then that is the wrong place. Your ISP has to set the reverse DNS and it is highly unusual for an ISP to delegate control of the IP addresses to a customer.
You need to speak to your ISP and see what they can do for you.

Simon.

arosenboom (Author) Commented:
Thanks Chris, we are looking into it. Our guy that usually deals with the SBC is on vacation so I am waiting on an email back from him.

Mestha - Yes I was looking on our DNS server. We control DNS for our domain and IP range, we "own" it. I will be contacting them though since it does sound like they have messed something up with the 233 delegation.

I will let you know more in a while.

arosenboom (Author) Commented:
Chris - what did you use to find that data in your first post?

Chris Dent (PowerShell Developer) Commented:

I use Dig with a nice Windows version of it here:

http://members.shaw.ca/nicholas.fong/dig/

If you follow the instructions to set it up (you can leave resolv.conf blank) you can run this:

dig 241.233.141.66.in-addr.arpa +trace

It shows you exactly where the delegations stop.

Assuming that's the correct IP address of course :)

NsLookup can do it as well, but it's harder to get useful results.

Chris
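Added example, not part of the thread: a Python sketch of the two points made in the comments above, namely the NS records the parent zone's operator must publish and where a trace stops when they are missing. It goes beyond the /24 case to the classless (RFC 2317) layout mentioned in passing. The /28 block, the `OBSERVED` set and all function names are assumptions for illustration.

```python
import ipaddress

def ptr_name(ip):
    """Owner name of the PTR record for an IPv4 address."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def parent_records(cidr, nameservers):
    """Records the operator of the parent reverse zone must publish so that
    resolvers are referred to the customer's name servers for this block."""
    net = ipaddress.IPv4Network(cidr)
    out = []
    if net.prefixlen <= 24:
        # Octet-aligned case: one NS set per /8, /16 or /24 zone in the block.
        step = max(8, 8 * -(-net.prefixlen // 8))
        for sub in net.subnets(new_prefix=step):
            labels = str(sub.network_address).split(".")[: step // 8]
            zone = ".".join(reversed(labels)) + ".in-addr.arpa."
            out += [f"{zone} IN NS {ns}" for ns in nameservers]
    else:
        # Classless case (RFC 2317): delegate a child label, then alias each
        # address in the parent /24 zone into that child zone.
        o = str(net.network_address).split(".")
        parent = ".".join(reversed(o[:3])) + ".in-addr.arpa."
        child = f"{o[3]}/{net.prefixlen}.{parent}"
        out += [f"{child} IN NS {ns}" for ns in nameservers]
        for addr in net:
            last = str(addr).split(".")[3]
            out.append(f"{last}.{parent} IN CNAME {last}.{child}")
    return out

# Constructed: models the state reported in the thread, where delegation
# exists down to 141.66.in-addr.arpa and nothing is delegated beneath it.
OBSERVED = {"in-addr.arpa.", "66.in-addr.arpa.", "141.66.in-addr.arpa."}

def deepest_delegation(ip, delegated):
    """Walk the zones a trace descends through for this IP and return the
    last one present in `delegated`, i.e. where the referrals stop."""
    labels = ptr_name(ip).rstrip(".").split(".")
    found = None
    for i in range(len(labels) - 2, 0, -1):   # in-addr.arpa. down to the /24 zone
        zone = ".".join(labels[i:]) + "."
        if zone not in delegated:
            break
        found = zone
    return found
```

If `deepest_delegation` returns anything shorter than the zone hosted on the customer's servers, the PTR record there is unreachable from the outside no matter how often it is recreated.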

arosenboom (Author) Commented:
We were able to contact SBC; they claimed the rDNS was never even set up for our domain, although this had worked in the past. They added the delegation earlier today and all the email is flowing again. Thanks for your help.