Reverse DNS does not match SMTP Banner

Posted on 2010-09-13
Last Modified: 2013-11-05
                    Internet
                           |
AntiVirus Mail Gateway (192.168.20.11)
                           |
AntiSpam Gateway (192.168.20.12)
                           |
       <<<<< SMTP Connector >>>>
                           |
MS Exchange (192.168.1.10, hostname: mail1,FQDN: mail.domain.com)
 

So far we have been using an MS Exchange 2003 server for many years and it's fine... I just found that one client's Postfix server "HELO FQDN check" rule rejects our domain.

By the way, I have checked with some anti-spam websites and got these messages:
"Reverse DNS does not match SMTP Banner" or "Your helo or sender is not FQDN"

1. Is "HELO FQDN" a common anti-spam rule? Not PTR?
2. What can we do? On the Exchange server, the SMTP connector, or the AntiSpam server?


Thanks !
Question by:rhinoceros
 
LVL 2

Expert Comment

by:boxerenterprises
ID: 33660610
You need to use a smart host to send your emails through.
 
LVL 13

Author Comment

by:rhinoceros
ID: 33660638
But I don't know how to set it. Where? On Exchange or the Gateway? Can you explain more please?
 
LVL 2

Expert Comment

by:boxerenterprises
ID: 33660646
You can set up a smart host in the SMTP connector. You will need to have a smart host to send through. Contact your ISP for their SMTP server to use.
 
LVL 13

Author Comment

by:rhinoceros
ID: 33660668
Our current SMTP connector settings; what's wrong?

(Selected)
(Forward all mail through this connector to the following smart hosts)
[192.168.20.12]

Local bridgeheads:
MAIL1 (Default SMTP Virtual Server)

(Sorry! I have never set a smart host before...)
One more thing: why contact our ISP for an SMTP server... you mean we need to do some registration with the ISP, the same as for the PTR?
 
LVL 2

Expert Comment

by:boxerenterprises
ID: 33660719
You need to replace 192.168.20.12 with a proper smart host. The smart host will be a fully qualified SMTP server that accepts your domain name. This is normally provided by your ISP.
 
LVL 2

Accepted Solution

by:
boxerenterprises earned 250 total points
ID: 33660731
Sorry, after looking at your diagram again, you will need to set up your ISP's smart host in your AntiVirus Mail Gateway (192.168.20.11).
 
LVL 4

Expert Comment

by:Whiterat
ID: 33660851
Using a smarthost is working around the problem.

Ideally you should set up a reverse DNS record (or your ISP should, if asked).
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33661098
boxerenterprises is right.
You need to call your ISP and set up a PTR record for your mail.domain.com, pointing to your public IP address.
 
LVL 26

Expert Comment

by:jar3817
ID: 33661233
It'll probably be easier and faster to change the SMTP banner to match whatever the reverse DNS is... assuming it's an acceptable one (no IP embedded in the name, or words like dynamic, res, dhcp, ppp, etc.).

How does your mail go out to the internet? Does it go straight from Exchange to the internet? Or does Exchange forward the mail to the antivirus/antispam gateways? If it goes straight out you can simply change the banner in Exchange:

Open System Manager
Servers -> your server -> Protocols -> SMTP -> right-click Properties on the SMTP virtual server -> Delivery tab -> Advanced button -> Fully-qualified domain name

Change this to match your reverse DNS if your reverse DNS doesn't look dynamic or residential. If it does, call your ISP and have them change it to mail.yourdomain.com and make the banner match here.
 
LVL 13

Author Comment

by:rhinoceros
ID: 33663438
                    Internet (Public Static IP - 64.x.x.x)
                           |
AntiVirus Mail Gateway (192.168.20.11)
                           |
AntiSpam Gateway (192.168.20.12)
                           |
       <<<<< SMTP Connector >>>>
                           |
MS Exchange (192.168.1.10, hostname: mail1,FQDN: mail.domain.com)


Whiterat:
>>Using a smarthost is working around the problem.
>> Ideally you should set up a reverse dns record (or your ISP should if asked).

So far, we have registered a PTR (reverse DNS lookup) with our ISP
- nslookup mail.domain.com
Non-authoritative answer:
Name: mail.domain.com
Address: 64.x.x.x

jar3817:
>>Or does Exchange forward the mail to the antivirus/antispam gateways? If it goes straight out you can simply
>>change the banner in Exchange:
Exchange forwards the mail via the SMTP connector --> AntiSpam --> AntiVirus --> Internet.

>>Open system manager
>>Servers -> your server -> protocols -> SMTP -> right-click properties on smtp virtual server ->
>>delivery tab -> advanced button -> fully qualified domain name
As I said before, the Exchange FQDN has already been changed to "mail.domain.com".

boxerenterprises:
>>after looking at your diagram again, you will need to set up your ISP's smart host in your AntiVirus Mail
>>Gateway (192.168.20.11)
You mean set up the AntiVirus Mail Gateway's smart host as mail.domain.com, right?
 
LVL 4

Expert Comment

by:Whiterat
ID: 33663571
Since Exchange uses the AntiSpam/AntiVirus Gateway as a smarthost, does that gateway introduce itself as something different?

RFC 821 stipulates that you should introduce yourself with an FQDN in the HELO/EHLO statement.

So the AntiSpam/AntiVirus Gateway should issue "HELO mail.domain.com", mail.domain.com should resolve to x.x.x.x, and x.x.x.x should have a PTR record pointing to mail.domain.com.

Just to reiterate, there is no actual need to use the smarthost from your ISP.
 
LVL 13

Author Comment

by:rhinoceros
ID: 33663868
Whiterat:

So what should we do now to solve "Reverse DNS does not match SMTP Banner"?
 
LVL 4

Assisted Solution

by:Whiterat
Whiterat earned 100 total points
ID: 33664032
Just to try to work out the mail flow, what sits on the outside to accept mail?

The AntiVirus Mail Gateway or the AntiSpam Gateway?

If you telnet to mail.domain.com on port 25, does the 220 greeting produce the correct name?

Thanks.
 
LVL 13

Author Comment

by:rhinoceros
ID: 33668479
>>If you telnet to mail.domain.com on port 25 does the 220 produce the correct name?

No.
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33668497
What do you get when you telnet to mail.domain.com?

Start > Run > cmd
telnet mail.domain.com 25

EHLO

Can you copy and paste the banner here?

Thanks
 
LVL 13

Author Comment

by:rhinoceros
ID: 33668508
telnet mail.domain.com 25

220 gateway1 SMTP; Tue, 14 Sep 2010
ehlo
250 gateway1 Hello
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33668586
This is the EHLO response from the
AntiVirus Mail Gateway (192.168.20.11)
 
LVL 13

Author Comment

by:rhinoceros
ID: 33668594
>>this is EHLO from
>>AntiVirus Mail Gateway (192.168.20.11)

Yes
 
LVL 28

Assisted Solution

by:sunnyc7
sunnyc7 earned 150 total points
ID: 33668620
rhinoceros - we are going in a different direction with this.
If your config is this

Internet (Public Static IP - 64.x.x.x)
                           |
AntiVirus Mail Gateway (192.168.20.11)
                           |
AntiSpam Gateway (192.168.20.12)
                           |
       <<<<< SMTP Connector >>>>
                           |

>> there is nothing we can do with that. Barracuda / WatchGuard / anti-spam appliances etc. will provide the SMTP banner, and we can't change that.

The solution for you is what boxerenterprises suggested earlier and I seconded: you need to contact your ISP and
ask them to set up a PTR record for your 64.x.x.x which points to your MX record.
www.mxtoolbox.com
Check your first MX record which corresponds to 64.xx.

Ask your ISP to set that in their DNS, since they own the IP address subnet.
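To make the three-way agreement Whiterat describes (HELO name == A record == PTR) checkable, and to fold in jar3817's "banner must match reverse DNS and must not look dynamic" advice and sunnyc7's PTR step, here is an added example that is not code from this thread or from any of the products mentioned. It runs offline against constructed DNS answers (192.0.2.25 stands in for the redacted 64.x.x.x public IP, and example.com hostnames stand in for domain.com); `live_banner_and_ehlo` uses Python's standard `smtplib` to pull the real 220 greeting and EHLO reply from a host you name. The "HELO FQDN check" in the question corresponds to Postfix's `reject_non_fqdn_helo_hostname` restriction, which rejects a bare label such as `gateway1`; the stricter rDNS-vs-banner comparison comes from the anti-spam test sites the poster used.

```python
"""Check an SMTP relay's greeting / HELO name against forward-confirmed
reverse DNS (FCrDNS): HELO name is an FQDN, it resolves to the public IP,
and the public IP's PTR points back to that same name.
Added example for this thread; not from the original post."""
import re
import smtplib
import socket

# Labels that residential/dynamic rDNS rules commonly reject when they
# appear as a whole dotted or dashed segment (jar3817's list, extended).
DYNAMIC_TOKENS = re.compile(
    r"(?:^|[.-])(?:dynamic|dyn|dhcp|ppp|res|pool|dsl|cable)(?:[.-]|$)", re.I)
# Four octets embedded in a name, e.g. dyn-192-0-2-26.isp.example
IP_IN_NAME = re.compile(r"\d{1,3}[.-]\d{1,3}[.-]\d{1,3}[.-]\d{1,3}")


def banner_hostname(line):
    """Hostname from a '220 <host> ...' greeting line, or None."""
    m = re.match(r"^220[ -](\S+)", line)
    return m.group(1) if m else None


def is_fqdn(name):
    """True for a dotted hostname; False for a bare label ('gateway1'),
    an address literal like [192.0.2.25], or a bare dotted-quad."""
    if not name or name.startswith("["):
        return False
    labels = name.strip(".").split(".")
    return len(labels) >= 2 and all(labels) and not IP_IN_NAME.fullmatch(name)


def looks_dynamic(name):
    """Heuristic for rDNS names many receivers treat as dial-up/DHCP space."""
    return bool(DYNAMIC_TOKENS.search(name) or IP_IN_NAME.search(name))


def check(ip, banner_line, helo_name, resolver):
    """Return (ok, findings) for one outbound relay.
    resolver.reverse(ip) -> PTR name or None; resolver.forward(name) -> [ip, ...]."""
    findings = []
    bname = banner_hostname(banner_line)
    if bname is None:
        findings.append("no hostname in 220 greeting")
    elif not is_fqdn(bname):
        findings.append(f"banner name {bname!r} is not an FQDN")
    if not is_fqdn(helo_name):
        findings.append(f"HELO/EHLO name {helo_name!r} is not an FQDN")
    ptr = resolver.reverse(ip)
    if ptr is None:
        findings.append(f"no PTR record for {ip}")
    else:
        if looks_dynamic(ptr):
            findings.append(f"PTR {ptr!r} looks dynamic/residential")
        if ip not in resolver.forward(ptr):
            findings.append(f"PTR {ptr!r} does not resolve back to {ip} (FCrDNS fails)")
        if bname and bname.lower() != ptr.lower():
            findings.append(f"reverse DNS {ptr!r} does not match banner {bname!r}")
    if bname and is_fqdn(bname) and ip not in resolver.forward(bname):
        findings.append(f"banner name {bname!r} does not resolve to {ip}")
    return (not findings, findings)


class StaticResolver:
    """Constructed DNS answers so the check runs offline (test data, not real DNS)."""
    def __init__(self, ptr, a):
        self.ptr, self.a = ptr, {k.lower(): v for k, v in a.items()}
    def reverse(self, ip):
        return self.ptr.get(ip)
    def forward(self, name):
        return self.a.get(name.lower(), [])


class LiveResolver:
    """Real lookups through the system resolver."""
    def reverse(self, ip):
        try:
            return socket.gethostbyaddr(ip)[0]
        except (socket.herror, socket.gaierror):
            return None
    def forward(self, name):
        try:
            return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
        except socket.gaierror:
            return []


def live_banner_and_ehlo(host, port=25, probe_name="probe.example.net", timeout=15):
    """Open a real session; return the 220 banner line and the name the
    server announces in its EHLO reply (what the thread saw as 'gateway1')."""
    s = smtplib.SMTP(timeout=timeout)
    code, msg = s.connect(host, port)
    ehlo_code, ehlo_msg = s.ehlo(probe_name)   # probe_name is just our own HELO
    s.quit()
    banner = f"{code} {msg.decode(errors='replace').splitlines()[0]}"
    announced = ehlo_msg.decode(errors='replace').split()[0] if ehlo_code == 250 else ""
    return banner, announced


# Constructed sample mirroring the thread, before and after the fix.
RESOLVER = StaticResolver(
    ptr={"192.0.2.25": "mail.example.com", "192.0.2.26": "dyn-192-0-2-26.isp.example"},
    a={"mail.example.com": ["192.0.2.25"], "dyn-192-0-2-26.isp.example": ["192.0.2.26"]},
)
BEFORE = ("192.0.2.25", "220 gateway1 SMTP; Tue, 14 Sep 2010", "gateway1")
AFTER = ("192.0.2.25", "220 mail.example.com SMTP; Tue, 14 Sep 2010", "mail.example.com")

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:                     # live probe: fcrdns_check.py mail.domain.com
        ips = LiveResolver().forward(sys.argv[1])
        if not ips:
            sys.exit(f"{sys.argv[1]} does not resolve")
        banner, name = live_banner_and_ehlo(sys.argv[1])
        print(check(ips[0], banner, name, LiveResolver()))
    else:
        for case in (BEFORE, AFTER):
            print(case[1], "->", check(*case, RESOLVER))
```

Run with no arguments to see the "before" case fail on three counts (bare-label banner, bare-label HELO, and PTR not matching the banner) and the "after" case pass; run with a hostname to probe a real gateway from outside, which is exactly the telnet test sunnyc7 asked for. The fix in the closing comment (setting the Windows gateway's primary DNS suffix so it announces mail.domain.com instead of gateway1) is what turns the first case into the second.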
 
LVL 13

Author Closing Comment

by:rhinoceros
ID: 33678981
So far I had focused on the smarthost... but the AntiVirus Mail Gateway is Windows-based software on a standalone server placed in the DMZ. Therefore it could be solved by updating that server's "Primary DNS suffix".

Anyway, many thanks for your help!
