rhinoceros


Reverse DNS does not match SMTP Banner

                    Internet
                           |
AntiVirus Mail Gateway (192.168.20.11)
                           |
AntiSpam Gateway (192.168.20.12)
                           |
       <<<<< SMTP Connector >>>>
                           |
MS Exchange (192.168.1.10, hostname: mail1,FQDN: mail.domain.com)
 

We have been using an MS Exchange 2003 server for many years and it has been fine... we just found that one client's Postfix server "HELO FQDN check" rule rejects our domain.

By the way, I checked with some antispam websites and got these messages:
"Reverse DNS does not match SMTP Banner" or "Your helo or sender is not FQDN"

1. Is "HELO FQDN" a common anti-spam rule? Not PTR?
2. What can we do? On the Exchange server, the SMTP connector, or the AntiSpam server?


Thanks !
boxerenterprises

You need to use a smart host to send your emails through.

ASKER

But I don't know how to set it. Where? On Exchange or the Gateway? Can you explain more, please?
You can set up a smart host in the SMTP connector. You will need to have a smart host to send through. Contact your ISP for their SMTP server to use.
Our current SMTP connector setting, what's wrong ?

(Selected)
(Forward all mail through this connector to the following smart hosts)
[192.168.20.12]

Local bridgeheads:
MAIL1 (Default SMTP Virtual Server)

(Sorry! I have never set a smarthost before...)
One more thing: why contact our ISP for an SMTP server... you mean we need to do some registration with the ISP, same as PTR?
You need to replace 192.168.20.12 with a proper smart host. The smart host will be a fully qualified SMTP server that accepts your domain name. This is normally provided by your ISP.
ASKER CERTIFIED SOLUTION
boxerenterprises
This solution is only available to members.
Using a smarthost is working around the problem.

Ideally you should set up a reverse dns record (or your ISP should if asked).
BoxEnterprise is right.
You need to call your ISP and set up a PTR record for your mail.domain.com > to point to your public IP address.
It'll probably be easier and faster to change the SMTP banner to match whatever the reverse DNS is... assuming it's an acceptable one (no IP embedded in the name or words like dynamic, res, dhcp, ppp, etc.).

How does your mail go out to the internet? Does it go straight from Exchange to the internet? Or does Exchange forward the mail to the antivirus/antispam gateways? If it goes straight out you can simply change the banner in exchange:

Open system manager
Servers -> your server -> protocols -> SMTP -> right-click properties on smtp virtual server -> delivery tab -> advanced button -> fully qualified domain name

Change this to match your reverse DNS if your reverse DNS doesn't look dynamic or residential. If it does, call your ISP and have them change it to mail.yourdomain.com and make the banner match here.
                    Internet (Public Static IP - 64.x.x.x)
                           |
AntiVirus Mail Gateway (192.168.20.11)
                           |
AntiSpam Gateway (192.168.20.12)
                           |
       <<<<< SMTP Connector >>>>
                           |
MS Exchange (192.168.1.10, hostname: mail1,FQDN: mail.domain.com)


Whiterat:
>>Using a smarthost is working around the problem.
>> Ideally you should set up a reverse dns record (or your ISP should if asked).

So far, we have registered a PTR (reverse DNS lookup) with our ISP
- nslookup mail.domain.com
Non-authoritative answer:
Name: mail.domain.com
Address: 64.x.x.x

jar3817:
>>Exchange forward the mail to the antivirus/antispam gateways? If it goes straight out you can simply
>>change the banner in exchange:
Exchange forwards the mail by SMTP connector --> AntiSpam --> AntiVirus --> Internet.

>>Open system manager
>>Servers -> your server -> protocols -> SMTP -> right-click properties on smtp virtual server ->
>>delivery tab -> advanced button -> fully qualified domain name
As I said before, the Exchange FQDN has already been changed to "mail.domain.com"

boxerenterprises:
>>after looking at your diagram again, you will need to set up your ISP smart host in your AntiVirus Mail
>>Gateway (192.168.20.11)
You mean set up the AntiVirus Mail Gateway smart host to mail.domain.com, right?

Since exchange uses the AntiSpam/AntiVirus Gateway as a smarthost, does that introduce itself as something different?

RFC-821 stipulates that you should introduce yourself with an FQDN in the HELO/EHLO statement.

So the AntiSpam/AntiVirus Gateway should issue "HELO mail.domain.com" and mail.domain.com should resolve to x.x.x.x and x.x.x.x should have a PTR record to mail.domain.com.

Just to reiterate, there is no actual need to use the smarthost from your ISP.

Whiterat:

So what should we do now to solve "Reverse DNS does not match SMTP Banner" ?
>>If you telnet to mail.domain.com on port 25 does the 220 produce the correct name?

No.
What do you get when you telnet to mail.domain.com?

start > run > cmd
telnet mail.domain.com 25

EHLO

Can you copy and paste the banner here?

thanks
telnet mail.domain.com 25

220 gateway1 SMTP; Tue, 14 Sep 2010
ehlo
250 gateway1 Hello
this is EHLO from
AntiVirus Mail Gateway (192.168.20.11)
>>this is EHLO from
>>AntiVirus Mail Gateway (192.168.20.11)

Yes
So far, I focused on the smarthost... but the AntiVirus Mail Gateway is Windows-based software on a standalone server placed in the DMZ. Therefore, it can be solved by updating the server's "Primary DNS suffix".

Anyway, many thanks for your help !
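
The rule the thread converges on (the name in the outermost gateway's 220 banner/HELO, the PTR record of the public IP, and the forward A record must all agree) can be checked with a short script. This is an added example, not part of the original thread; the address 203.0.113.25 and the name mail.example.com are constructed placeholders, and only the `gateway1` banner is the one quoted in the telnet output above.

```python
import re
import socket

def banner_host(banner_line):
    """Hostname announced in an SMTP '220 <host> ...' greeting, or None."""
    m = re.match(r"220[ -](\S+)", banner_line.strip())
    return m.group(1).rstrip(".").lower() if m else None

def is_fqdn(name):
    """True for a dotted host name; False for a bare label or an IP literal."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2 or all(l.isdigit() for l in labels):
        return False
    label_re = r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
    return all(re.fullmatch(label_re, l, re.I) for l in labels)

def check_identity(public_ip, banner_line, ptr_lookup, a_lookup):
    """List mismatches between banner name, PTR of public_ip and A records."""
    host = banner_host(banner_line)
    if host is None:
        return ["no 220 greeting found"]
    problems = []
    if not is_fqdn(host):
        problems.append(f"banner name '{host}' is not an FQDN")
    ptr = ptr_lookup(public_ip)          # ptr_lookup(ip) -> name or None
    if ptr is None:
        return problems + [f"no PTR record for {public_ip}"]
    ptr = ptr.rstrip(".").lower()
    if ptr != host:
        problems.append(f"reverse DNS '{ptr}' does not match banner '{host}'")
    if public_ip not in a_lookup(ptr):   # a_lookup(name) -> list of IPs
        problems.append(f"'{ptr}' does not resolve back to {public_ip}")
    return problems

def live_ptr(ip):  # real resolver, for checking your own mail gateway
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def live_a(name):
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

# Constructed sample zone: documentation address and placeholder name.
SAMPLE_PTR = {"203.0.113.25": "mail.example.com"}
SAMPLE_A = {"mail.example.com": ["203.0.113.25"]}
THREAD_BANNER = "220 gateway1 SMTP; Tue, 14 Sep 2010"  # banner quoted in the thread
```

Pass `live_ptr` and `live_a` as the lookup arguments, together with the first line returned by your own gateway on port 25, to run the same comparison against real DNS.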