Solved

Reverse DNS does not match SMTP Banner

Posted on 2010-09-13
Last Modified: 2013-11-05
                    Internet
                           |
AntiVirus Mail Gateway (192.168.20.11)
                           |
AntiSpam Gateway (192.168.20.12)
                           |
       <<<<< SMTP Connector >>>>
                           |
MS Exchange (192.168.1.10, hostname: mail1,FQDN: mail.domain.com)
 

So far, we have been using MS Exchange 2003 server for many years and it has been fine... we just found that one client's Postfix server "HELO FQDN check" rule rejects our domain.

By the way, I checked with some anti-spam websites and got these messages:
"Reverse DNS does not match SMTP Banner" or "Your helo or sender is not FQDN"

1. Is "HELO FQDN" a common anti-spam rule? Not PTR?
2. What can we do? On the Exchange server, the SMTP connector, or the AntiSpam server?


Thanks !
0
Comment
Question by:rhinoceros
20 Comments
 
LVL 2

Expert Comment

by:boxerenterprises
ID: 33660610
You need to use a smart host to send your emails through.
0
 
LVL 13

Author Comment

by:rhinoceros
ID: 33660638
But I don't know how to set it. Where? On Exchange or the gateway? Can you explain more, please?
0
 
LVL 2

Expert Comment

by:boxerenterprises
ID: 33660646
You can set up a smart host in the SMTP connector. You will need to have a smart host to send through. Contact your ISP for their SMTP server to use.
0
 
LVL 13

Author Comment

by:rhinoceros
ID: 33660668
Our current SMTP connector setting, what's wrong ?

(Selected)
(Forward all mail through this connector to the following smart hosts)
[192.168.20.12]

Local bridgeheads:
MAIL1 (Default SMTP Virtual Server)

(Sorry! I have never set a smarthost before...)
One more thing: why contact our ISP for an SMTP server... do you mean we need to do some registration with the ISP, the same as for PTR?
0
 
LVL 2

Expert Comment

by:boxerenterprises
ID: 33660719
You need to replace 192.168.20.12 with a proper smart host. The smart host will be a fully qualified SMTP server that accepts your domain name. This is normally provided by your ISP.
0
 
LVL 2

Accepted Solution

by:
boxerenterprises earned 250 total points
ID: 33660731
Sorry, after looking at your diagram again, you will need to set up your ISP smart host in your AntiVirus Mail Gateway (192.168.20.11)
0
 
LVL 4

Expert Comment

by:Whiterat
ID: 33660851
Using a smarthost is working around the problem.

Ideally you should set up a reverse dns record (or your ISP should if asked).
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33661098
BoxEnterprise is right.
You need to call your ISP and set up a PTR record for your mail.domain.com > to point to your public IP address.
0
 
LVL 26

Expert Comment

by:jar3817
ID: 33661233
It'll probably be easier and faster to change the SMTP banner to match whatever the reverse DNS is... assuming it's an acceptable one (no IP embedded in the name or words like dynamic, res, dhcp, ppp, etc.).

How does your mail go out to the internet? Does it go straight from Exchange to the internet? Or does Exchange forward the mail to the antivirus/antispam gateways? If it goes straight out you can simply change the banner in exchange:

Open system manager
Servers -> your server -> protocols -> SMTP -> right-click properties on smtp virtual server -> delivery tab -> advanced button -> fully qualified domain name

Change this to match your reverse DNS if your reverse DNS doesn't look dynamic or residential. If it does, call your ISP and have them change it to mail.yourdomain.com and make the banner match here.
0
 
LVL 13

Author Comment

by:rhinoceros
ID: 33663438
                    Internet (Public Static IP - 64.x.x.x)
                           |
AntiVirus Mail Gateway (192.168.20.11)
                           |
AntiSpam Gateway (192.168.20.12)
                           |
       <<<<< SMTP Connector >>>>
                           |
MS Exchange (192.168.1.10, hostname: mail1,FQDN: mail.domain.com)


Whiterat:
>>Using a smarthost is working around the problem.
>> Ideally you should set up a reverse dns record (or your ISP should if asked).

So far, we have registered the PTR (reverse DNS lookup) with our ISP
- nslookup mail.domain.com
Non-authoritative answer:
Name: mail.domain.com
Address: 64.x.x.x

jar3817:
>>Exchange forward the mail to the antivirus/antispam gateways? If it goes straight out you can simply
>>change the banner in exchange:
Exchange forwards the mail by SMTP connector --> AntiSpam --> AntiVirus --> Internet.

>>Open system manager
>>Servers -> your server -> protocols -> SMTP -> right-click properties on smtp virtual server ->
>>delivery tab -> advanced button -> fully qualified domain name
As I said before, the Exchange FQDN has already been changed to "mail.domain.com"

boxerenterprises:
>>after looking at your diagram again, you will need to set up your ISP smart host in your AntiVirus Mail
>>Gateway (192.168.20.11)
You mean set up the AntiVirus Mail Gateway smart host to mail.domain.com, right?

0

 
LVL 4

Expert Comment

by:Whiterat
ID: 33663571
Since exchange uses the AntiSpam/AntiVirus Gateway as a smarthost, does that introduce itself as something different?

RFC-821 stipulates that you should introduce yourself with an FQDN in the HELO/EHLO statement.

So the AntiSpam/AntiVirus Gateway should issue "HELO mail.domain.com" and mail.domain.com should resolve to x.x.x.x and x.x.x.x should have a PTR record to mail.domain.com.

Just to reiterate, there is no actual need to use the smarthost from your ISP.

0
 
LVL 13

Author Comment

by:rhinoceros
ID: 33663868
Whiterat:

So what should we do now to solve "Reverse DNS does not match SMTP Banner" ?
0
 
LVL 4

Assisted Solution

by:Whiterat
Whiterat earned 100 total points
ID: 33664032
Just to try to work out mail flow, what sits on the outside to accept mail?

The AntiVirus Mail Gateway or the AntiSpam Gateway?

If you telnet to mail.domain.com on port 25 does the 220 produce the correct name?

Thanks.
0
 
LVL 13

Author Comment

by:rhinoceros
ID: 33668479
>>If you telnet to mail.domain.com on port 25 does the 220 produce the correct name?

No.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33668497
what do you get when you telnet to mail.domain.com

start > run > cmd
telnet mail.domain.com 25

EHLO

Can you copy paste the banner here

thanks
0
 
LVL 13

Author Comment

by:rhinoceros
ID: 33668508
telnet mail.domain.com 25

220 gateway1 SMTP; Tue, 14 Sep 2010
ehlo
250 gateway1 Hello
0
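The consistency rule Whiterat describes above (announced name is an FQDN, the name resolves to the sending IP, and the IP's PTR points back to the name), applied to the banner just posted, as an added example that is not part of any post in this thread. The address 203.0.113.25 and the DNS tables are constructed stand-ins for the masked 64.x.x.x data, and the "looks dynamic" test is a heuristic built from the words jar3817 lists.

```python
import re

# Constructed sample DNS data (documentation address, not from the thread).
FORWARD = {"mail.domain.com": ["203.0.113.25"]}   # A records
REVERSE = {"203.0.113.25": ["mail.domain.com"]}   # PTR records

# Heuristic: words listed in the thread as making a PTR look dynamic/residential.
GENERIC = re.compile(r"(^|[.-])(dynamic|res|dhcp|ppp)([.-]|\d|$)")
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def banner_host(line):
    """Return the host name announced in a '220 ...' greeting or '250 ...' EHLO reply."""
    m = re.match(r"^(?:220|250)[ -](\S+)", line.strip())
    if not m:
        raise ValueError("not an SMTP greeting/EHLO reply: %r" % line)
    return m.group(1).rstrip(".;").lower()


def is_fqdn(name):
    """At least two valid labels, and the last one is not purely numeric."""
    labels = name.split(".")
    return (len(labels) >= 2 and all(LABEL.match(lab) for lab in labels)
            and not labels[-1].isdigit())


def check_sender(ip, banner, forward=FORWARD, reverse=REVERSE):
    """List the findings a receiving server could hold against this sender."""
    findings = []
    host = banner_host(banner)
    ptrs = [p.rstrip(".").lower() for p in reverse.get(ip, [])]
    if not is_fqdn(host):
        findings.append("helo-not-fqdn")
    if not ptrs:
        findings.append("no-ptr")
    elif host not in ptrs:
        findings.append("ptr-banner-mismatch")
    if ip not in forward.get(host, []):
        findings.append("helo-does-not-resolve-to-ip")
    if any(GENERIC.search(p) or ip.replace(".", "-") in p for p in ptrs):
        findings.append("ptr-looks-dynamic")
    return findings


if __name__ == "__main__":
    print(check_sender("203.0.113.25", "220 gateway1 SMTP; Tue, 14 Sep 2010"))
    print(check_sender("203.0.113.25", "220 mail.domain.com SMTP; Tue, 14 Sep 2010"))
```

To run it against live DNS, replace the two tables with results from a resolver; the comparison logic stays the same.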
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33668586
this is EHLO from
AntiVirus Mail Gateway (192.168.20.11)
0
 
LVL 13

Author Comment

by:rhinoceros
ID: 33668594
>>this is EHLO from
>>AntiVirus Mail Gateway (192.168.20.11)

Yes
0
 
LVL 28

Assisted Solution

by:sunnyc7
sunnyc7 earned 150 total points
ID: 33668620
rhinoceros - we are going along a different direction with this.
If your config is this

Internet (Public Static IP - 64.x.x.x)
                           |
AntiVirus Mail Gateway (192.168.20.11)
                           |
AntiSpam Gateway (192.168.20.12)
                           |
       <<<<< SMTP Connector >>>>
                           |

>> there is nothing we can do with that. Barracuda / WatchGuard / anti-spam etc. will provide the SMTP banner - and we can't change that.

The solution for you is what box enterprise suggested earlier and I seconded - you need to contact your ISP
ask them to set up a PTR record for your 64.x.x.x - which points to your MX record
www.mxtoolbox.com
check your first MX record which corresponds to 64.xx -

ask your ISP to set that in their DNS since they own the IP address subnet
0
 
LVL 13

Author Closing Comment

by:rhinoceros
ID: 33678981
So far, I had focused on the smarthost... but the AntiVirus Mail Gateway is Windows-based software, on a standalone server placed in the DMZ. Therefore, it can be solved when the server's "Primary DNS suffix" is updated.

Anyway, many thanks for your help !
0
