- Exchange
- DNS
- Windows Server 2003
Warning - Reverse DNS does not match SMTP Banner
Hello experts
I inhertied this network recently and all the sudden i'm getting emails not delivered to some domains " the connection dropped by the remote host"
When i use mxtoolbox.com to check my company SMTP diag, it shows the message below
Not an open relay.
0 seconds - Good on Connection time
0.250 seconds - Good on Transaction time
OK - 65.xxx.xxx.98 resolves to
Warning - Reverse DNS does not match SMTP Banner
Session Transcript:
HELO please-read-policy.mxtoolb
250 server.domain.com Hello [64.xxx.xxx.133] [62 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 2.1.0 supertool@mxtoolbox.com...
RCPT TO: <test@example.com>
550 5.7.1 Unable to relay for test@example.com [62 ms]
QUIT
221 2.0.0 server.domain.com Service closing transmission channel [62 ms]
I read the blog http://demazter.wordpress.com/2010/02/09/exchange-dns-configuration/
and i actually changed my fqdn to mail.domain.org and also created an A record that matched that and an mx record but i still got the same error and the emails dont go from any host in my network. an example of the domain i cant send to is vnab.org
I have 2 domains domain.org and domain2.com but all our emails are @domain.org however all the A hosts are configiured under domain2.com
Please advice me on what to do.
if necessary i can upload an image of the dns in my server if that is not dangerous to my network
Thanks
I inhertied this network recently and all the sudden i'm getting emails not delivered to some domains " the connection dropped by the remote host"
When i use mxtoolbox.com to check my company SMTP diag, it shows the message below
Not an open relay.
0 seconds - Good on Connection time
0.250 seconds - Good on Transaction time
OK - 65.xxx.xxx.98 resolves to
Warning - Reverse DNS does not match SMTP Banner
Session Transcript:
HELO please-read-policy.mxtoolb
250 server.domain.com Hello [64.xxx.xxx.133] [62 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 2.1.0 supertool@mxtoolbox.com...
RCPT TO: <test@example.com>
550 5.7.1 Unable to relay for test@example.com [62 ms]
QUIT
221 2.0.0 server.domain.com Service closing transmission channel [62 ms]
I read the blog http://demazter.wordpress.com/2010/02/09/exchange-dns-configuration/
and i actually changed my fqdn to mail.domain.org and also created an A record that matched that and an mx record but i still got the same error and the emails dont go from any host in my network. an example of the domain i cant send to is vnab.org
I have 2 domains domain.org and domain2.com but all our emails are @domain.org however all the A hosts are configiured under domain2.com
Please advice me on what to do.
if necessary i can upload an image of the dns in my server if that is not dangerous to my network
Thanks
Here's what i think may be the problem:
Your mail server resides behind 65.xxx.xxx.98
Your mail server helo banner says: 250 server.domain.com
The PTR (reverse DNS) for 65.xxx.xxx.98 is domain2.com
domain2.com resolves to 64.xxx.xxx.75 which is probably where your website is hosted?
You don't have a full circle in there.
Since you're sending from 65.xxx.xxx.98, your PTR should resolve to an A record that resolves BACK to 65.xxx.xxx.98. That should also match what's presented by your HELO banner instead of domain2.com.
Change those settings around so they match each other:
1. PTR should be set to a name that resolves back to the IP Address of your mail server.
2. HELO should match that A record as well.
If you set those all consistently, you'll probably be in good shape.
Your mail server resides behind 65.xxx.xxx.98
Your mail server helo banner says: 250 server.domain.com
The PTR (reverse DNS) for 65.xxx.xxx.98 is domain2.com
domain2.com resolves to 64.xxx.xxx.75 which is probably where your website is hosted?
You don't have a full circle in there.
Since you're sending from 65.xxx.xxx.98, your PTR should resolve to an A record that resolves BACK to 65.xxx.xxx.98. That should also match what's presented by your HELO banner instead of domain2.com.
Change those settings around so they match each other:
1. PTR should be set to a name that resolves back to the IP Address of your mail server.
2. HELO should match that A record as well.
If you set those all consistently, you'll probably be in good shape.
Please check demazter's blog article here
http://demazter.wordpress.com/2010/02/09/exchange-dns-configuration/
http://demazter.wordpress.com/2010/02/09/exchange-dns-configuration/
You have set FQDN to mail.domain.org and created an A record on DNS to join your fqdn to your IP
But you have to create ALSO a PTR record for reverse lookup to join your IP to fqdn mail.domain.org (when a host recive an e-mail from a @domain.org user, it will try a reverse lookup and it'd aspcect to resolve mail.domain.org with 64.xxx.xxx.133)
But you have to create ALSO a PTR record for reverse lookup to join your IP to fqdn mail.domain.org (when a host recive an e-mail from a @domain.org user, it will try a reverse lookup and it'd aspcect to resolve mail.domain.org with 64.xxx.xxx.133)
Your sending IP Address of 65.xxx.xxx.98 resolves in Reverse DNS to:
Answer:
65.xxx.xxx.98 PTR record: domain2.com. [TTL 21600s] [A=64.xxx.xxx.75] *ERROR* A record for domain2.com. does not point back to original IP (A record may be cached).
domain2.com resolves to 64.xxx.xxx.75 as identified above.
When I telnet to IP 65.xxx.xxx.98 I see that you are behind a CISCO PIX or ASA and have SMTP FIXUP or ESMTP INSPECTION enabled as the response I get is:
220 **************************
**************************
This is typical behaviour when SMTP FIXUP / INSPECTION is enabled.
Please turn this OFF / Disable it immediately as this will cause you more problems than it fixes.
If your mails server FQDN is configured to send out as mail.domain2.com then you need to change the Reverse DNS record to mail.domain2.com and make sure that mail.domain2.com has an A record in DNS that matches IP 65.xxx.xxx.98.
Alternatively, configure the FQDN on your mail server to be something like outgoing.domain2.com, change your Reverse DNS record to be outgoing.domain2.com and add an a DNS record for outgoing.domain2.com and point it to IP 65.xxx.xxx.98.
Answer:
65.xxx.xxx.98 PTR record: domain2.com. [TTL 21600s] [A=64.xxx.xxx.75] *ERROR* A record for domain2.com. does not point back to original IP (A record may be cached).
domain2.com resolves to 64.xxx.xxx.75 as identified above.
When I telnet to IP 65.xxx.xxx.98 I see that you are behind a CISCO PIX or ASA and have SMTP FIXUP or ESMTP INSPECTION enabled as the response I get is:
220 **************************
**************************
This is typical behaviour when SMTP FIXUP / INSPECTION is enabled.
Please turn this OFF / Disable it immediately as this will cause you more problems than it fixes.
If your mails server FQDN is configured to send out as mail.domain2.com then you need to change the Reverse DNS record to mail.domain2.com and make sure that mail.domain2.com has an A record in DNS that matches IP 65.xxx.xxx.98.
Alternatively, configure the FQDN on your mail server to be something like outgoing.domain2.com, change your Reverse DNS record to be outgoing.domain2.com and add an a DNS record for outgoing.domain2.com and point it to IP 65.xxx.xxx.98.
Genius, Thank you for telling me about obscuring my ip. i will replace the last part of the ip with x.x to make it easier for you to obscure later on.
as i understood from what you said, the reverse points to domain2.com
i went and changed the FQDN to the root domain2.com
i created an A record in dns for domain2.com with ip 65.xxx.xxx.xxx
and i ran the test again on mxtools.com but i got the same error
I would appreciate a step by step solution since i'm not really an expert in exchange Thanks
Not an open relay.
0 seconds - Good on Connection time
0.265 seconds - Good on Transaction time
OK - 65.202.51.98 resolves to
Warning - Reverse DNS does not match SMTP Banner
Session Transcript:
HELO please-read-policy.mxtoolb
250 domain.com Hello [64.xxx.xxx.133] [78 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 2.1.0 supertool@mxtoolbox.com...
RCPT TO: <test@example.com>
550 5.7.1 Unable to relay for test@example.com [78 ms]
QUIT
221 2.0.0 domain2.com Service closing transmission channel [47 ms]
as i understood from what you said, the reverse points to domain2.com
i went and changed the FQDN to the root domain2.com
i created an A record in dns for domain2.com with ip 65.xxx.xxx.xxx
and i ran the test again on mxtools.com but i got the same error
I would appreciate a step by step solution since i'm not really an expert in exchange Thanks
Not an open relay.
0 seconds - Good on Connection time
0.265 seconds - Good on Transaction time
OK - 65.202.51.98 resolves to
Warning - Reverse DNS does not match SMTP Banner
Session Transcript:
HELO please-read-policy.mxtoolb
250 domain.com Hello [64.xxx.xxx.133] [78 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 2.1.0 supertool@mxtoolbox.com...
RCPT TO: <test@example.com>
550 5.7.1 Unable to relay for test@example.com [78 ms]
QUIT
221 2.0.0 domain2.com Service closing transmission channel [47 ms]
1. Create a DNS A Recordrecord for mail.domain2.com to 65.xxx.xxx.xxx
2. Wait until that info has propagted in DNS so that when someone from OUTSIDE your organization pings mail.domain2.com, they get a reply fro 65.xxx.xxx.xxx
Contact your ISP (or whoever owns the IP Address 65.xxx.xxx.xxx) and ask them to change the PTR for 65.xxx.xxx.xxx from domain2.com to mail.domain2.com.
4. Wait until that info has propagated
5. Change the SMTP Banner from domain2.com to mail.domain2.com
After that's done,
1. your mail.domain2.com A record resolves to 65.xxx.xxx.xxx
2. your smtp banner resolves to your IP Address 65.xxx.xxx.xxx
3. your PTR resolves to mail.domain2.com which resolves to 65.xxx.xxx.xxx
4. Everyone should be happy :)
2. Wait until that info has propagted in DNS so that when someone from OUTSIDE your organization pings mail.domain2.com, they get a reply fro 65.xxx.xxx.xxx
Contact your ISP (or whoever owns the IP Address 65.xxx.xxx.xxx) and ask them to change the PTR for 65.xxx.xxx.xxx from domain2.com to mail.domain2.com.
4. Wait until that info has propagated
5. Change the SMTP Banner from domain2.com to mail.domain2.com
After that's done,
1. your mail.domain2.com A record resolves to 65.xxx.xxx.xxx
2. your smtp banner resolves to your IP Address 65.xxx.xxx.xxx
3. your PTR resolves to mail.domain2.com which resolves to 65.xxx.xxx.xxx
4. Everyone should be happy :)
I would not use mail.domainname.com, I would use something different like I have suggested, such as outgoing.domain.com
rehamris
the pointer now is to bshc.mydomain.com
i changed the fqdn to bshc.mydomain.com
i have an A record with bshc.mydomain.com ( which resolves to 65.xxx.xxx.xxx)
what i'm trying to say here is all your 3 conditions are met but i still get the reverse dns does not match, and i'm still having the same emails in the que.
I would change it later to something like outgoing.mydomain.com however the 3 conditions are met for now and its not solving it.
the pointer now is to bshc.mydomain.com
i changed the fqdn to bshc.mydomain.com
i have an A record with bshc.mydomain.com ( which resolves to 65.xxx.xxx.xxx)
what i'm trying to say here is all your 3 conditions are met but i still get the reverse dns does not match, and i'm still having the same emails in the que.
I would change it later to something like outgoing.mydomain.com however the 3 conditions are met for now and its not solving it.
Problem I see is that bshc.yourdomain.com resolves to 64.119.xx.xx and not 65.202.x.x
C:\> nslookup bshc.yourdomain.com
Non-authoritative answer:
Name: domain.com
Address: 64.xxx.xxx.75
This needs to come full circle and resolve to the 65.202 address but if you change THIS address, you'll likely destroy your website connection.
Change everything to mail.domain2.com to have mail.domain2.com resolve to 65.xxx.xxx.xxx
Change your PTR to mail.domain2.com
Change your SMTP Banner to mail.domain2.com
C:\> nslookup bshc.yourdomain.com
Non-authoritative answer:
Name: domain.com
Address: 64.xxx.xxx.75
This needs to come full circle and resolve to the 65.202 address but if you change THIS address, you'll likely destroy your website connection.
Change everything to mail.domain2.com to have mail.domain2.com resolve to 65.xxx.xxx.xxx
Change your PTR to mail.domain2.com
Change your SMTP Banner to mail.domain2.com
ok i will do that and let you know
but one thing i can't understand is since our emails are @domain.org why are we adjusting the bshc.mydomain.com??
thanks
but one thing i can't understand is since our emails are @domain.org why are we adjusting the bshc.mydomain.com??
thanks
You need all of the information to match. In this case,
1. Setup an A record for mail.yourinfodomain.org to 65.202.xx.yy
2. You should setup the PTR for your IP Address to mail.yourinfodomain.org
3. Change the SMTP banner to mail.yourinfodomain.org
Let's obscure this later
1. Setup an A record for mail.yourinfodomain.org to 65.202.xx.yy
2. You should setup the PTR for your IP Address to mail.yourinfodomain.org
3. Change the SMTP banner to mail.yourinfodomain.org
Let's obscure this later
alanhardisty:
i did not turn off the cisco smtp inspection yet, but i will once i go to the office tomorrow.
rehamris:
now i'm confused may be i should send u an attachment with an image that shows the way the dns is configured so u can decide what exactly to modify, because we are talking about 2 domains here and now you are telling me to change the records of the .org one.
i dont feel comfortable showing the dns setup here on this page but i would email it to your email
thanks
i did not turn off the cisco smtp inspection yet, but i will once i go to the office tomorrow.
rehamris:
now i'm confused may be i should send u an attachment with an image that shows the way the dns is configured so u can decide what exactly to modify, because we are talking about 2 domains here and now you are telling me to change the records of the .org one.
i dont feel comfortable showing the dns setup here on this page but i would email it to your email
thanks
The domain name is not relevant.
Everything simply has to match.
When you send an email, the receiving server sees your Mail Server Name e.g., mail.yourdomain.com. They also see you IP address e.g., 123.123.123.123.
When they check IP 123.123.123.123 to see if you have Reverse DNS setup, the name they want to see is mail.yourdomain.com. If they don't, then you will get rejected.
In addition, mail.yourdomain.com needs to correctly resolve in DNS to the same IP address that you are sending from otherwise you will get rejected.
Once all the names match the IPs and the IPs match the names, your mail will flow.
Everything simply has to match.
When you send an email, the receiving server sees your Mail Server Name e.g., mail.yourdomain.com. They also see you IP address e.g., 123.123.123.123.
When they check IP 123.123.123.123 to see if you have Reverse DNS setup, the name they want to see is mail.yourdomain.com. If they don't, then you will get rejected.
In addition, mail.yourdomain.com needs to correctly resolve in DNS to the same IP address that you are sending from otherwise you will get rejected.
Once all the names match the IPs and the IPs match the names, your mail will flow.
-
![]()
received a Solution
Internal DNS for email server resolving to reverse lookup in public DNS -
![]()
wrote an Article
![]()
Azure SMTP Restrictions & Resolution with SMTP Relay Services
-
![]()
created a Video
![]()
Configuring Windows 2019 Server Core
-
Explore Cloud Class® ![]()
Certification: MCSA MCSE Microsoft Certified Solutions Associate & Systems Engineer - Administering Windows Server 2012 R2
Premium Content
You need an Expert Office subscription to comment.Start Free Trial