Exchange 2007 Reverse Lookup

We have an Exchange Server that we host at our company. We have many sub-divisions in our firm through mergers, etc. Recently we added a new email Domain to our company.
The server name for our mail is mx1.sixls.com. We added a new DOMAIN for mail named lipmanproduce.com. "In the World" outside DNS we placed a MX record that directs lipmanproduce.com mail to our mx1.sixls.com mail server. The problem we are having now is that some of our employees are having their mail bounced by receiving mail servers because they are looking back at the mail server and seeing mx1.sixls.com and not a lipmanproduce.com name. What do I have to do to properly add the DNS (and where) so that receiving mail servers will accept the mail from our mail server?
I have a pic attached as well. DNS Lookup
NaplesFLDaveAsked:
Em ManCommented:
When did you change/update your MX Record?

before visiting this site?
0
scriven_jCommented:
You need to set-up an SPF record (or a TXT record if your DNS provider doesn't support SPF as a record type)

You can create the exact syntax using a wizard such as:-

http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

The format will be something like (based on your screenshot):-

"v=spf1 mx a a:mx1.sixls.com a:lipmanproduce.com ip4:74.118.233.14/32 -all"

You also have to tell Exchange 2007 that it is responsible for that domain.

Post back if you don't understand or need more detail
0
NaplesFLDaveAuthor Commented:
FOR...taga_ipil : We added the MX pointer months ago. And we have been receiving mail to our server without any problems. It wasn't until recently that we changed our default employees email addresses to the lipmanproduce.com .

FOR...scriven : Our server has been delivering incoming mail from the world to our employees exchange mail boxes for many weeks now. Each user has a lipmanproduce mail address added to it along with their sixls.com address. This problem has appeared since we made the lipman produce the default reply to address for our employees' mail boxes.
0
Em ManCommented:
Hi Nap,

scriven is right, this can be resolved by using an SPF record.
Is SPF implemented in your system?
0
NaplesFLDaveAuthor Commented:
In my Exchange Server Management Console under Anti-Spam Tab it has setting for checking a sender's "PRA" Purported Responsible Address. Look at it, and if it does not match, reject it or something. It seems that I have to set MY lipmanproduce "PRA" somewhere. How or where do I set my lipmanproduce PRA for receiving servers to see?
0
NaplesFLDaveAuthor Commented:
taga_ipil,
It does NOT look like I have any SPF records in my system for any of my accepted domain mail.
I ran the Microsoft tool on my working domains mail and they do not show a SPF record. But they work. So they must have a "PRA" that is working somewhere.
~Dave
0
scriven_jCommented:
You still need the SPF record as more and more people are now doing a lookup on whether the sending server is valid for the domain the Email is coming from as this is often a sign that the Email address is spoofed.  If you set-up the SPF record, then you are stating that the mail server is valid for that domain even if the address is different.

I had a similar problem with one of my clients and the SPF record resolved it.
0
Em ManCommented:
Hi Nap,

There is a possibility that since there is no SPF record to specify which host handles the domain name, the querying servers are defaulting to your old domain. Having SPF will definitely resolve this on multiple domains hosted in a company.

and most importantly, SPF can help your email server reputation.

but we can wait for some experts if they have additional ideas.
0
NaplesFLDaveAuthor Commented:
To scriven_j: Where does the SPF record LIVE? AKA: do I make it somewhere on MY exchange Server? Or does it have to go OUT in the WORLD on my GoDaddy account somewhere?

~Dave
0
scriven_jCommented:
As well as the SPF record, you could set-up reverse DNS, although you shouldn't need to with an SPF record.

For the sake of completeness though, ask your ISP to setup a rDNS pointer (reverse DNS) on the IP address of this server.

So you would need to set an A record that points mail.lipmanproduce.com at 74.118.233.14.

You would then need your ISP to setup an rDNS record with the IP address and the hostname it needs to resolve to (74.118.233.14 to mail.lipmanproduce.com in this instance).
0
scriven_jCommented:
The DNS record would be whoever looks after your EXTERNAL DNS.
0
scriven_jCommented:
Sounds like GoDaddy from what you have said.  Do you have a Control Panel or something like that?
0
NaplesFLDaveAuthor Commented:
It is GoDaddy. And there is a Control Panel. The (A) record for lipmanproduce.com points to our WEB SITE provider 184.168.136.128. And the (MX) record points to our Exchange Server 74.118.233.14

Does that help?

~Dave
0
scriven_jCommented:
OK - so you need another A record for mail.lipmanproduce.com which points at 74.118.233.14.

You need an SPF record (or a TXT record if SPF is not an option) which is:-

"v=spf1 mx a a:mail.lipmanproduce.com a:mx1.sixls.com a:lipmanproduce.com ip4:74.118.233.14/32 -all"

(must include the double-quotes as above)

For completeness, you would then need GoDaddy (may or may not be rDNS in your control panel) to set-up a reverse DNS record which points 74.118.233.14 to mail.lipmanproduce.com

These changes can take up to 48 hours to replicate, but if you let me know when you have done them, I can check all looks as expected on mxtoolbox.com
0
scriven_jCommented:
To clarify the situation:-

When you send an Email, these days because of spoofed Emails, more and more servers check if the sending server is valid for the domain name.  Some of them look at the SPF record, some of them do a reverse lookup on the IP address.  As soon as you changed the default sending address, this then became incorrect for your users.

So what we need to do is give the server a name on the lipmanproduce.com domain which points at this server (otherwise they will find your website server IP address when they do a reverse lookup and assume that you are spoofing Email addresses).

You also need to set-up an SPF record as this record shows ALL the mail servers that are valid for this domain (even if the names do not match up).

Once you have these records up and running, everything should go back to normal!
0
NaplesFLDaveAuthor Commented:
is that ( -all" ) supposed to be a ( ~all")  .

~Dave
0
scriven_jCommented:
You also need to tell Exchange 2007 that it is responsible for the lipmanproduce.com domain, but I assume from what you have said that this is already working OK for inbound mail?  Is that correct?  You would only need an MX record internally if you had multiple servers in your mailflow which I assume you don't as you haven't mentioned it.

The standard DNS records needed by Exchange internally would have been set-up during installation.

Hope that all makes a bit more sense!
0
scriven_jCommented:
No.  Should be -all
0
NaplesFLDaveAuthor Commented:
Yes, EXCHANGE is accepting incoming mail for lipmanproduce.com just fine. And we only have one mail server. It's just (some of the)  RECIPIENT mail servers that are bouncing the messages back to the users.
0
NaplesFLDaveAuthor Commented:
Just wondering on the TILDE. The Microsoft web site WIZARD uses a TILDE ~all .
0
scriven_jCommented:
OK - sounds like Exchange is fine then.  Let us know how you get on with the DNS changes.
0
NaplesFLDaveAuthor Commented:
I am going to GoDaddy right now to see if I can make the changes.
0
scriven_jCommented:
Maybe you can use either.  I got the syntax from a valid one that I set-up previously.  If you feel uncomfortable use the ~ instead!

Post back if you have any issues.
0
scriven_jCommented:
...or if you want me to check the changes once they have been made.
0
NaplesFLDaveAuthor Commented:
I called GoDaddy for help and they gave me none. I made some changes to the SPF records. I have tried to send to the outside servers that were rejecting me earlier and they still are. The message I get back is.

#< #5.7.1 smtp;550 5.7.1 RESOLVER.RST.NotAuthorized; not authorized> #SMTP#

GoDaddy said it would take 48 hours anyway and to wait. But I ran the mxtoolbox thing and it looks to be reading my changes.
~Dave
0
NaplesFLDaveAuthor Commented:
More error Details. Note the bottom.

X-pstn-neptune: 0/0/0.00/0
X-pstn-levels: (S:99.90000/99.90000 CV:99.9000 FC: 0.1839 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-pstn-settings: 1 (0.1500:0.1500) cv gt3 gt2 gt1
X-pstn-addresses: from <david.king@lipmanproduce.com> [db-null]
Return-Path: david.king@lipmanproduce.com
Received-SPF: SoftFail (enctcapp221.PA.LCL: domain of transitioning
 david.king@lipmanproduce.com discourages use of 64.18.2.110 as permitted
 sender)

0
NaplesFLDaveAuthor Commented:
I just noticed that the ORIGINAL employees' Bounced message has a different error at the bottom. And it is using our sixls.com address, not the lipmanproduce.com one!

Please look over this ORIGINAL error below:

Diagnostic information for administrators:

Generating server: PA.LCL

cboettinge@state.pa.us
#< #5.7.1 smtp;550 5.7.1 RESOLVER.RST.NotAuthorized; not authorized> #SMTP#

Original message headers:

Received: from enctcapp221.PA.LCL (172.19.222.35) by ENHBGHTS02.PA.LCL
 (206.224.21.43) with Microsoft SMTP Server (TLS) id 8.2.254.0; Thu, 6 Oct
 2011 11:54:39 -0400
Received: from psmtp.com (64.18.2.185) by mail01.state.pa.us (172.19.223.35)
 with Microsoft SMTP Server (TLS) id 8.2.255.0; Thu, 6 Oct 2011 11:54:39 -0400
Received: from mx1.sixls.com ([74.118.233.14]) (using TLSv1) by
 exprod7mx232.postini.com ([64.18.6.14]) with SMTP;      Thu, 06 Oct 2011 10:54:38
 CDT
Received: from mx1.sixls.com ([10.1.11.71]) by mx1.sixls.com ([10.1.11.71])
 with mapi; Thu, 6 Oct 2011 11:54:35 -0400
From: Christine Sonderby <csonderby@sixls.com>
To: "cboettinge@state.pa.us" <cboettinge@state.pa.us>
Date: Thu, 6 Oct 2011 11:54:33 -0400
Subject: Info on your seed vacuum planting system
Thread-Topic: Info on your seed vacuum planting system
Thread-Index: AcyEQD3q1i/MQZRlSziMVXL6LAXfVg==
Message-ID: <E11520DDF8627C4695DFB911ADE27D0EE79804197F@mx1.sixls.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ninja-pim: Scanned by Ninja
x-ninja-attachmentfiltering: (no action)
acceptlanguage: en-US
Content-Type: multipart/mixed;
      boundary="_004_E11520DDF8627C4695DFB911ADE27D0EE79804197Fmx1sixlscom_"
MIME-Version: 1.0
X-pstn-levels: (S:40.57337/99.90000 CV:99.9000 FC:95.5390 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-pstn-settings: 1 (0.1500:0.1500) cv gt3 gt2 gt1
X-pstn-addresses: from <csonderby@sixls.com> [db-null]
Return-Path: csonderby@sixls.com
Received-SPF: None (enctcapp221.PA.LCL: csonderby@sixls.com does not
 designate permitted sender hosts)

0
scriven_jCommented:
OK - so the original error message says that there is NO spf, the second recognises the SPF, but fails the test.

According to the message, it is seeing the mail server as being IP address 64.18.2.110 as the sending servers IP address which is different to the one listed in your post.  Do you know what that IP address is?  (reverse look up for that IP address says exprod7mx256.postini.com).

If that is a valid mail server, then we need to add that to the SPF record, if it is not, then we need to understand the mailflow and what that record might be.

If you have a Gmail account or something like that, it would be good to send a test mail to that account and then post the message header here for inspection.

0
NaplesFLDaveAuthor Commented:
Thank You. I too noticed that error IP number. I asked the oldest tech here about the mail flow and he really did not know anything. I do know that the MX1.sixls.com IP number does come into my server. I guess it must, I'm getting mail delivered here for about 12 domains.
I will send myself a message to my gmail account as you suggest and see if I can glean the Header info and post it back. Thanks Sooo much for the work.
~Dave
0
NaplesFLDaveAuthor Commented:
Here is the message Header from my test to Google.

Delivered-To: naplesfoxpro@gmail.com
Received: by 10.42.239.74 with SMTP id kv10cs188648icb;
        Thu, 6 Oct 2011 12:27:53 -0700 (PDT)
Received: by 10.236.145.103 with SMTP id o67mr5441643yhj.126.1317929272779;
        Thu, 06 Oct 2011 12:27:52 -0700 (PDT)
Return-Path: <david.king@lipmanproduce.com>
Received: from mx1.sixls.com ([74.118.233.14])
        by mx.google.com with ESMTPS id w12si890912anl.61.2011.10.06.12.27.52
        (version=TLSv1/SSLv3 cipher=OTHER);
        Thu, 06 Oct 2011 12:27:52 -0700 (PDT)
Received-SPF: pass (google.com: domain of david.king@lipmanproduce.com designates 74.118.233.14 as permitted sender) client-ip=74.118.233.14;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of david.king@lipmanproduce.com designates 74.118.233.14 as permitted sender) smtp.mail=david.king@lipmanproduce.com
Received: from mx1.sixls.com ([10.1.11.71]) by mx1.sixls.com ([10.1.11.71])
 with mapi; Thu, 6 Oct 2011 15:27:51 -0400
From: David King <david.king@lipmanproduce.com>
To: "'naplesfoxpro@gmail.com'" <naplesfoxpro@gmail.com>
Date: Thu, 6 Oct 2011 15:27:50 -0400
Subject: Mail test
0
NaplesFLDaveAuthor Commented:
I re-sent a TEST MESSAGE to the state.pa.us destination and here is the rejection from that server:
***************************

Delivery has failed to these recipients or distribution lists:

cboettinge@state.pa.us
Your message wasn't delivered because of security policies. Microsoft Exchange will not try to redeliver this message for you. Please provide the following diagnostic text to your system administrator.







Diagnostic information for administrators:

Generating server: PA.LCL

cboettinge@state.pa.us
#< #5.7.1 smtp;550 5.7.1 RESOLVER.RST.NotAuthorized; not authorized> #SMTP#

Original message headers:

Received: from enctcapp221.PA.LCL (172.19.222.35) by ENHBGHTS03.PA.LCL
 (206.224.21.44) with Microsoft SMTP Server (TLS) id 8.2.254.0; Thu, 6 Oct
 2011 16:53:08 -0400
Received: from psmtp.com (64.18.2.101) by mail01.state.pa.us (172.19.223.35)
 with Microsoft SMTP Server (TLS) id 8.2.255.0; Thu, 6 Oct 2011 16:53:07 -0400
Received: from mx1.sixls.com ([74.118.233.14]) (using TLSv1) by
 exprod7mx247.postini.com ([64.18.6.14]) with SMTP;      Thu, 06 Oct 2011 16:53:07
 EDT
Received: from mx1.sixls.com ([10.1.11.71]) by mx1.sixls.com ([10.1.11.71])
 with mapi; Thu, 6 Oct 2011 16:53:04 -0400
From: David King <david.king@lipmanproduce.com>
To: "'cboettinge@state.pa.us'" <cboettinge@state.pa.us>
Date: Thu, 6 Oct 2011 16:53:03 -0400
Subject: Mail Test
Thread-Topic: Mail Test
Thread-Index: AcyEafDmNqtJL2+9RWaos6JANUzPoQ==
Message-ID: <C3ECA273F9B6D944869744BFA1F5A3991D184AB626@mx1.sixls.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ninja-pim: Scanned by Ninja
x-ninja-attachmentfiltering: (no action)
acceptlanguage: en-US
Content-Type: multipart/mixed;
      boundary="_006_C3ECA273F9B6D944869744BFA1F5A3991D184AB626mx1sixlscom_"
MIME-Version: 1.0
X-pstn-neptune: 0/0/0.00/0
X-pstn-levels: (S:99.90000/99.90000 CV:99.9000 FC: 0.1839 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-pstn-settings: 1 (0.1500:0.1500) cv gt3 gt2 gt1
X-pstn-addresses: from <david.king@lipmanproduce.com> [db-null]
Return-Path: david.king@lipmanproduce.com
Received-SPF: SoftFail (enctcapp221.PA.LCL: domain of transitioning
 david.king@lipmanproduce.com discourages use of 64.18.2.101 as permitted
 sender)

0
scriven_jCommented:
Well, the Google header is showing as expected and shows that the SPF record is working.  From MXTOOLBOX header analysis:-

Delivered-To naplesfoxpro@gmail.com
Return-Path <david.king@lipmanproduce.com>
Received-SPF pass (google.com: domain of david.king@lipmanproduce.com designates 74.118.233.14 as permitted sender) client-ip=74.118.233.14;
Authentication-Results mx.google.com; spf=pass (google.com: domain of david.king@lipmanproduce.com designates 74.118.233.14 as permitted sender) smtp.mail=david.king@lipmanproduce.com
From David King <david.king@lipmanproduce.com>
To "'naplesfoxpro@gmail.com'" <naplesfoxpro@gmail.com>
Date Thu, 6 Oct 2011 15:27:50 -0400
Subject Mail test


It could be that the DNS changes have not totally replicated everywhere yet and that is causing the issue, in which case it will go away in the next day or so, it could be that the mailpath needs to be changed.

We could just add that IP address to the SPF record, but it is more sensible to try and work out what this server is and if it is a necessary part of the mailflow.

In Exchange, Organization Configuration, Hub Transport

Go to the Send Connectors Tab and look at the properties of your Send Connector and look for any reference on the Network tab which might shed any light on the mailflow.
0
scriven_jCommented:
(I would set it to use DNS MX records to route mail automatically) - if there is a Smarthost, that might explain the mailflow issues.
0
NaplesFLDaveAuthor Commented:
I looked at my Send Connector and there are No smart Hosts. The Use Domain system (DNS) "MX" records to route mail automatically IS SELECTED.
ENABLE Domain Security (Mutual Auth TLS) is NOT CHECKED.
Route Mail through the following smart host is NOT Selected.
Use the External DNS Lookup settings on the transport server IS NOT CHECKED.

~Dave
0
scriven_jCommented:
Can you test it again today just to confirm that the problem still exists now the DNS has had a bit more time to replicate?
0
NaplesFLDaveAuthor Commented:
Here is a test from 10/7/2011 8:06am est:  FAILED

Delivery has failed to these recipients or distribution lists:

cboettinge@state.pa.us
Your message wasn't delivered because of security policies. Microsoft Exchange will not try to redeliver this message for you. Please provide the following diagnostic text to your system administrator.







Diagnostic information for administrators:

Generating server: PA.LCL

cboettinge@state.pa.us
#< #5.7.1 smtp;550 5.7.1 RESOLVER.RST.NotAuthorized; not authorized> #SMTP#

Original message headers:

Received: from enctcapp222.PA.LCL (172.19.222.36) by ENHBGHTS03.PA.LCL
 (206.224.21.44) with Microsoft SMTP Server (TLS) id 8.2.254.0; Fri, 7 Oct
 2011 08:06:40 -0400
Received: from psmtp.com (64.18.2.131) by mail01.state.pa.us (172.19.223.36)
 with Microsoft SMTP Server (TLS) id 8.2.255.0; Fri, 7 Oct 2011 08:06:40 -0400
Received: from mx1.sixls.com ([74.118.233.14]) (using TLSv1) by
 exprod7mx173.postini.com ([64.18.6.14]) with SMTP;      Fri, 07 Oct 2011 12:06:39
 GMT
Received: from mx1.sixls.com ([10.1.11.71]) by mx1.sixls.com ([10.1.11.71])
 with mapi; Fri, 7 Oct 2011 08:06:36 -0400
From: David King <david.king@lipmanproduce.com>
To: "'cboettinge@state.pa.us'" <cboettinge@state.pa.us>
Date: Fri, 7 Oct 2011 08:06:35 -0400
Subject: Mail Test
Thread-Topic: Mail Test
Thread-Index: AcyE6Y8ymZe9YIxXRyu8NnwRpfyIUQ==
Message-ID: <C3ECA273F9B6D944869744BFA1F5A3991D184AB627@mx1.sixls.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ninja-pim: Scanned by Ninja
x-ninja-attachmentfiltering: (no action)
acceptlanguage: en-US
Content-Type: multipart/mixed;
      boundary="_006_C3ECA273F9B6D944869744BFA1F5A3991D184AB627mx1sixlscom_"
MIME-Version: 1.0
X-pstn-neptune: 0/0/0.00/0
X-pstn-levels: (S:99.90000/99.90000 CV:99.9000 FC: 0.1839 LC:95.5390 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-pstn-settings: 1 (0.1500:0.1500) cv gt3 gt2 gt1
X-pstn-addresses: from <david.king@lipmanproduce.com> [db-null]
Return-Path: david.king@lipmanproduce.com
Received-SPF: SoftFail (enctcapp222.PA.LCL: domain of transitioning
 david.king@lipmanproduce.com discourages use of 64.18.2.131 as permitted
 sender)

0
scriven_jCommented:
I'm just having a look at the DNS entries at the moment using MXTOOLBOX.COM

I can see that rDNS has not been configured yet:-

OK - 74.118.233.14 resolves to fl-14.233.118.74-usmetrocom.com
Warning - Reverse DNS does not match SMTP Banner


You need a PTR record, but I think GoDaddy would probably need to do it, unless you have that option on your Control Panel, so that 74.118.233.14 resolves to mail.lipmanproduce.com

(you have an A record which works the other way now, but you need it to go both ways).

I am still a bit confused about the IP address 64.18.2.101 which appears in the bounced message header.  This IP address seems to be a further hop down the line and resolves to postini.com which is a Google service for scanning mail against virus and scan, but if you were using it, then you would know about it.  Maybe godaddy are using it or maybe the person you are sending to is using it.  Worth asking....
0
NaplesFLDaveAuthor Commented:
OK. I will have to Call GoDaddy about the reverse DNS entry. I didn't see anything on the control panel for it. Frankly, their support is NO SUPPORT. At least the tech I spoke to yesterday. I have 2 other failures from 2 other employees as well and they are complaining as well. I'll put them out here for you to look at as well. I don't think it's the same related error but Please look them over and let me know what you think as well.
~Dave
0
NaplesFLDaveAuthor Commented:
Another FAILED MESSAGE: Different sender and recipient:

From:       Microsoft Exchange  
Sent:      10/07/11 6:57 AM
To:      Carlo Laporta
Subject:      Undeliverable:

Delivery has failed to these recipients or distribution lists:

'lorie@morris-brown.com'
Your message wasn't delivered because of security policies. Microsoft Exchange will not try to redeliver this message for you. Please provide the following diagnostic text to your system administrator.

The following organization rejected your message: mail.burnac.com.

  _____  

Sent by Microsoft Exchange Server 2007







Diagnostic information for administrators:

Generating server: mx1.sixls.com

lorie@morris-brown.com
mail.burnac.com #550 5.7.1 Message rejected due to content restrictions ##

Original message headers:

Received: from mx1.sixls.com ([10.1.11.71]) by mx1.sixls.com ([10.1.11.71])
 with mapi; Fri, 7 Oct 2011 06:56:50 -0400
From: Carlo Laporta <carlo.laporta@lipmanproduce.com>
To: "'lorie@morris-brown.com'" <lorie@morris-brown.com>
Disposition-Notification-To: Carlo Laporta <carlo.laporta@lipmanproduce.com>
Date: Fri, 7 Oct 2011 06:56:49 -0400
Subject:
Thread-Index: AcyE39BHRrw5py2/QsShtH0ethvRJw==
Message-ID: <F9EFB9C2F1C0AC4CAECCFFF526D667A0C3685E2BBE@mx1.sixls.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-vipre-scanned: 010E8D3B0029BF010E8E88
x-ninja-pim: Scanned by Ninja
x-ninja-attachmentfiltering: (no action)
acceptlanguage: en-US
Content-Type: multipart/alternative;
      boundary="_000_F9EFB9C2F1C0AC4CAECCFFF526D667A0C3685E2BBEmx1sixlscom_"
MIME-Version: 1.0

CALL THIS MESSAGE CL.one
0
NaplesFLDaveAuthor Commented:
Another Failed Message: Different user

From: Microsoft Exchange
Sent: 10/06/11 12:51 PM
To: Bruce Ghiloni
Subject: Undeliverable: Test


Delivery has failed to these recipients or distribution lists:

'tony.baratta@jblaverdure.com'
Your message wasn't delivered because of security policies. Microsoft Exchange will not try to redeliver this message for you. Please provide the following diagnostic text to your system administrator.

The following organization rejected your message: mx4.b2b2c.ca.

  _____  

Sent by Microsoft Exchange Server 2007







Diagnostic information for administrators:

Generating server: mx1.sixls.com

tony.baratta@jblaverdure.com
mx4.b2b2c.ca #550 5.7.1 Rejected (100.00) - Retry with Cc: abuse@b2b2c.ca for analysis ##

Original message headers:

Received: from mx1.sixls.com ([10.1.11.71]) by mx1.sixls.com ([10.1.11.71])
 with mapi; Thu, 6 Oct 2011 12:51:00 -0400
From: Bruce Ghiloni <bruce.ghiloni@lipmanproduce.com>
To: "'tony.baratta@jblaverdure.com'" <tony.baratta@jblaverdure.com>
Date: Thu, 6 Oct 2011 12:51:00 -0400
Subject: Test
Thread-Topic: Test
Thread-Index: AcyESCA6N5vSNTyiTW+blhbUiFbjMw==
Message-ID: <A6722F31F6106849A4AE1B506A2B69D662B2F99942@mx1.sixls.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-ninja-pim: Scanned by Ninja
x-ninja-attachmentfiltering: (no action)
acceptlanguage: en-US
Content-Type: multipart/related;
      boundary="_004_A6722F31F6106849A4AE1B506A2B69D662B2F99942mx1sixlscom_";
      type="multipart/alternative"
MIME-Version: 1.0

Call this BG.one
0
scriven_jCommented:
I am a little confused, because these new messages have a different IP address for your server in the header:-

10.1.11.71

Any idea what that IP address is?  I don't think this is even a valid IP address (unless it is an internal address?)

BG.one says in the header:-

Retry with Cc: abuse@b2b2c.ca for analysis

So I would definitely send the same Email with a CC to abuse@b2b2c.ca so you get the reason for rejection.

I think you will have to bite the bullet though and speak to GoDaddy about the rDNS/PTR record though as this is all part of the jigsaw.
0
NaplesFLDaveAuthor Commented:
Yes. 10.1.11.71 is our internal Exchange.
0
scriven_jCommented:
OK - well the internal address in the mail header probably isn't helping matters, particularly as the server is still showing as mx1.sixls.com in the headers too (although the SPF should get round that side of things).

For completeness however, we should also make sure that mail.lipmanproduce.com is being shown in the headers instead of mx1.sixls.com.

From EMC, Exchange, Organization Configuration, Hub Transport

Go to the Send Connectors tab and look at the properties of your Send Connector and change the FQDN on the General tab to mail.lipmanproduce.com.
0
NaplesFLDaveAuthor Commented:
OK. I changed the FQDN in Exchange. Also, I figured out that one of the users' errors was caused by the receiving company's server not liking his JPG graphic under his e-mail signature.
I asked him to send the message without any graphic or attachment and it went through OK.
That was (CL.one) with the content restrictions Error.

~Dave
0
PapertripCommented:
[root@broken ~]# dig mx lipmanproduce.com +short
10 mx1.sixls.com.
[root@broken ~]# dig mx1.sixls.com +short
74.118.233.14
[root@broken ~]# dig -x 74.118.233.14 +short
FL-14.233.118.74-usmetrocom.com.
[root@broken ~]# dig txt lipmanproduce.com +short
"v=spf1 mx a a:mail.lipmanproduce.com a:mx1.sixls.com a:lipmanproduce.com ip4:74.118.233.14/32 ~all"

If your sending server is mx1.sixls.com, then do the following:

The PTR record for 74.118.233.14 needs to be mx1.sixls.com.
Your SPF record syntax is horrid :p  Just make it look like this:
"v=spf1 ip4:74.118.233.14 ~all"

Those are your first steps, next would be DKIM signing, which I highly suggest.  However, the PTR and SPF changes should resolve most of your delivery issues.
0
PapertripCommented:
I had read through the earlier headers you posted, but not the last couple.
Received: from psmtp.com (64.18.2.131) by mail01.state.pa.us (172.19.223.36)
 with Microsoft SMTP Server (TLS) id 8.2.255.0; Fri, 7 Oct 2011 08:06:40 -0400
Received: from mx1.sixls.com ([74.118.233.14]) (using TLSv1) by
 exprod7mx173.postini.com ([64.18.6.14]) with SMTP;      Fri, 07 Oct 2011 12:06:39

mx1.sixls.com is relaying mails through Postini.  You need to add the Postini sending IP's to your SPF record if you are going to continue to relay through them.  The reason the mails you tested by sending to your Gmail account passed is because Postini didn't have to forward it to another external server, it just stayed within Google.  This is confirmed by the headers of the test mail, where it goes from mx1.sixls.com straight to your inbox.

Delivered-To: naplesfoxpro@gmail.com
Return-Path: <david.king@lipmanproduce.com>
Received: from mx1.sixls.com ([74.118.233.14])
        by mx.google.com with ESMTPS id w12si890912anl.61.2011.10.06.12.27.52
        (version=TLSv1/SSLv3 cipher=OTHER);
        Thu, 06 Oct 2011 12:27:52 -0700 (PDT)
Received-SPF: pass (google.com: domain of david.king@lipmanproduce.com designates 74.118.233.14 as permitted sender) client-ip=74.118.233.14;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of david.king@lipmanproduce.com designates 74.118.233.14 as permitted sender) smtp.mail=david.king@lipmanproduce.com

Your SPF record for lipmanproduce.com should look like this:
"v=spf1 ip4:74.118.233.14 include:spf.postini.com ~all"

Realizing now that you are relaying through Postini - you do NOT have to do anything to the PTR record for 74.118.233.14 -- just keep that IP in your SPF record so that mail to Google will pass.  All other mails will ultimately be sent from a Postini IP.


0
scriven_jCommented:

Papertrip - I don't think you have read through the whole thread.

As far as they are aware Postini is not being used.  

Also there was not an SPF record previously and the one that you are criticising was my suggestion.

lipmanproduce.com is the website and resolves to a different server hence why there are the mail.lipmanproduce.com records.
0
PapertripCommented:
Hi Scriven,

The whole Postini thing is only because state.pa.us is using it for their MX, so yeah that was my bad I should've checked that before posting my 2nd reply, jumped to a false conclusion there.

So, that being said, everything in my first answer should be done instead :)
If your sending server is mx1.sixls.com, then do the following:

The PTR record for 74.118.233.14 needs to be mx1.sixls.com (or mail.lipmanproduce.com if you configured Exchange to use that).
Your SPF record should look like this:
"v=spf1 ip4:74.118.233.14 ~all"

lipmanproduce.com is the website and resolves to a different server hence why there are the mail.lipmanproduce.com records.
There is no problem leaving the sending server configured as mx1.sixls.com, what needs to be fixed is the PTR for 74.118.233.14 to match that.  However even if he did configure the server to send from mail.lipmanproduce.com and setup the PTR for 74.118.233.14 to match, the SPF record would still only need to have 74.118.233.14 in it if that is his only sending IP.
0
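Added example, not code from any participant in this thread: a small Python parser for the header excerpts posted above. It reads the Received-SPF line, extracts the address the receiver tested, and finds which Received hop presented that address, so the state.pa.us SoftFail can be set beside the Gmail pass. The function names are this example's own.

```python
import re

# Header excerpts copied from the state.pa.us bounce and the Gmail test above.
PA_BOUNCE = """\
Received: from psmtp.com (64.18.2.131) by mail01.state.pa.us (172.19.223.36)
 with Microsoft SMTP Server (TLS) id 8.2.255.0; Fri, 7 Oct 2011 08:06:40 -0400
Received: from mx1.sixls.com ([74.118.233.14]) (using TLSv1) by
 exprod7mx173.postini.com ([64.18.6.14]) with SMTP;      Fri, 07 Oct 2011 12:06:39
 GMT
Return-Path: david.king@lipmanproduce.com
Received-SPF: SoftFail (enctcapp222.PA.LCL: domain of transitioning
 david.king@lipmanproduce.com discourages use of 64.18.2.131 as permitted
 sender)
"""
GMAIL_TEST = """\
Return-Path: <david.king@lipmanproduce.com>
Received: from mx1.sixls.com ([74.118.233.14])
        by mx.google.com with ESMTPS id w12si890912anl.61.2011.10.06.12.27.52
        (version=TLSv1/SSLv3 cipher=OTHER);
        Thu, 06 Oct 2011 12:27:52 -0700 (PDT)
Received-SPF: pass (google.com: domain of david.king@lipmanproduce.com designates 74.118.233.14 as permitted sender) client-ip=74.118.233.14;
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def unfold(raw):
    """Join folded continuation lines and return [(lowercased name, value)]."""
    headers = []
    for line in raw.splitlines():
        if line.startswith((" ", "\t")) and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def received_hops(headers):
    """Each Received header as {'from', 'ip', 'by'}, newest hop first."""
    hops = []
    for name, value in headers:
        if name != "received":
            continue
        src = re.search(r"from\s+(\S+)\s+\(\[?(" + IPV4 + r")\]?\)", value)
        dst = re.search(r"\bby\s+(\S+)", value)
        if src and dst:
            hops.append({"from": src.group(1), "ip": src.group(2), "by": dst.group(1)})
    return hops


def spf_verdict(headers):
    """(result, tested IP) from Received-SPF; the IP is None if none is named."""
    for name, value in headers:
        if name == "received-spf":
            ip = (re.search(r"(?:use of|designates)\s+(" + IPV4 + ")", value)
                  or re.search(r"client-ip=(" + IPV4 + ")", value))
            return value.split()[0].lower(), ip.group(1) if ip else None
    return None, None


def diagnose(raw, sending_ip):
    """Report what the receiver tested and whether it was our own server."""
    headers = unfold(raw)
    result, tested_ip = spf_verdict(headers)
    presented_by = next(
        (hop["from"] for hop in received_hops(headers) if hop["ip"] == tested_ip), None)
    return {"result": result, "tested_ip": tested_ip,
            "presented_by": presented_by, "tested_is_sender": tested_ip == sending_ip}


if __name__ == "__main__":
    for label, raw in (("state.pa.us", PA_BOUNCE), ("gmail", GMAIL_TEST)):
        print(label, diagnose(raw, "74.118.233.14"))
```
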
scriven_jCommented:

The only reason I left the mx1.sixls.com was because this was the original mail domain and is still being used, just isn't the primary address and I wanted to leave it so it would still work properly if this functionality was implemented again in the future.

mail.lipmanproduce.com was just to differentiate from the website and to tie in with the primary Email address.

Maybe not all necessary, but more logical IMHO!
0
PapertripCommented:
I think I know what you are saying.  You want some sort of association between the IP and lipmanproduce.com ?  That is already taken care of since the SPF record is for the domain lipmanproduce.com

Putting anything aside from his sending IP(s) in his SPF record is unnecessary.  Having "mx a a:mail.lipmanproduce.com a:mx1.sixls.com a:lipmanproduce.com" will require 5 additional lookups to be made for each SPF check, 3 of which resolve to 74.118.233.14, and the other 2 resolve to an IP that does not send mail.  All that should be in the SPF record is "v=spf1 ip4:74.118.233.14 ~all".
0
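To make the lookup cost in the comment above concrete, here is an added example (not part of the thread) that evaluates both SPF records against a constructed DNS table and counts the mechanisms that trigger DNS queries. SPF stops at the first matching mechanism, so the count depends on the connecting IP; 192.0.2.10 and 198.51.100.7 are placeholder addresses, and only `all`, `ip4`, `a` and `mx` without CIDR suffixes are handled.

```python
import ipaddress

# Constructed DNS data: host names and 74.118.233.14 come from the thread;
# 192.0.2.10 is a placeholder for the website IP, which the thread does not give.
A = {
    "mx1.sixls.com": ["74.118.233.14"],
    "mail.lipmanproduce.com": ["74.118.233.14"],
    "lipmanproduce.com": ["192.0.2.10"],
}
MX = {"lipmanproduce.com": ["mx1.sixls.com"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LONG_RECORD = ("v=spf1 mx a a:mail.lipmanproduce.com a:mx1.sixls.com "
               "a:lipmanproduce.com ip4:74.118.233.14 ~all")
SHORT_RECORD = "v=spf1 ip4:74.118.233.14 ~all"


def check_spf(record, domain, sender_ip):
    """Return (result, dns_mechanisms_queried); the first matching term wins."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", 0
    ip = ipaddress.ip_address(sender_ip)
    lookups = 0
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":  # literal address: no DNS query needed
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            lookups += 1
            matched = sender_ip in A.get(arg or domain, [])
        elif name == "mx":
            lookups += 1
            hosts = MX.get(arg or domain, [])
            matched = any(sender_ip in A.get(h, []) for h in hosts)
        else:
            return "permerror", lookups  # mechanism outside this example's scope
        if lookups > 10:  # RFC 7208 limit on DNS-querying terms
            return "permerror", lookups
        if matched:
            return QUALIFIERS[qualifier], lookups
    return "neutral", lookups
```

With the long record, mail from 74.118.233.14 passes on the `mx` term after one lookup, while a connection from an unlisted address walks all five DNS mechanisms before reaching `~all`; the `ip4`-only record never queries DNS beyond fetching the TXT record itself.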
NaplesFLDaveAuthor Commented:
Wow. OK. I guess I'll change my SPF record for my Lipmanproduce.com to read:
v=spf1 ip4:74.118.233.14 ~all

I had changed my FQDN on my Exchange server send connector to lipmanproduce.com and then I started getting errors from some sources because of a certificate error. I put it back to mx1.sixls.com.

~Dave
0
scriven_jCommented:
I think the SPF discussion detracts from the real issue which is that the PTR record bears no relation to either of your domains and it is this reverse lookup which is causing the delivery problems.

With regards to the certificate, any alternate address would need to be added to the certificate.

I apologise as I guess I made things more complicated than they needed to be in my attempts to make things look more logical.  Change the PTR record as outlined by Papertrip in comment 36936266, then you will not need to change the certificate and the delivery problems should go away.
0
PapertripCommented:
"I think the SPF discussion detracts from the real issue which is that the PTR record bears no relation to either of your domains and it is this reverse lookup which is causing the delivery problems."

PTR record does not need to be related to any domains, all it has to do is match the A record for that IP.
0
NaplesFLDaveAuthor Commented:
I am a bit confused now.
My Send Connector on my exchange server is back to mx1.sixls.com.
Now my certificate is happy.
I put my spf to  v=spf1 ip4:74.118.233.14 ~all     in GoDaddy SPF section for lipmanproduce.com
I still have an A record in Godaddy DNS for mail.lipmanproduce.com at 74.118.233.14

Is the PTR you are discussing the mail.lipmanproduce.com one or a Reverse pointer or ?

~Dave
0
PapertripCommented:
Here is the summary of what needs to be done.

Set up Exchange to be mx1.sixls.com
Create PTR record for 74.118.233.14 that points to mx1.sixls.com
Create SPF record for lipmanproduce.com containing "v=spf1 ip4:74.118.233.14 ~all"


0
PapertripCommented:
SPF record looks good.
[root@broken ~]# dig txt lipmanproduce.com +short
"v=spf1 ip4:74.118.233.14 ~all"

Forward lookup is good.
[root@broken ~]# dig mx1.sixls.com +short
74.118.233.14

Reverse lookup still needs to be fixed.
[root@broken ~]# dig -x 74.118.233.14 +short
FL-14.233.118.74-usmetrocom.com.
0

NaplesFLDaveAuthor Commented:
so I need to have GoDaddy add a reverse lookup DNS Pointer that says 74.118.233.14 is mx1.sixls.com  and that's it?

~Dave
0
PapertripCommented:
No because GoDaddy is not authoritative for 233.118.74.in-addr.arpa, usmetrocom.com is.  It is they who need to update the PTR record for you.
[root@broken ~]# dig -x 74.118.233.14

;; QUESTION SECTION:
;14.233.118.74.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
14.233.118.74.in-addr.arpa. 37208 IN    PTR     FL-14.233.118.74-usmetrocom.com.

;; AUTHORITY SECTION:
233.118.74.in-addr.arpa. 37208  IN      NS      dns1.usmetrocom.com.
233.118.74.in-addr.arpa. 37208  IN      NS      dns2.usmetrocom.com.
233.118.74.in-addr.arpa. 37208  IN      NS      dns3.usmetrocom.com.

0
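The checks discussed in the comments above, as an added example that is not part of the thread: it finds which reverse zone (and so which name servers) owns the PTR for an IP, then runs a forward-confirmed reverse DNS check with a HELO comparison, using constructed tables that mirror the dig output. Assumptions: the ISP-generated name is treated as having no A record because the thread shows none, and comparing the HELO name to the PTR is a policy only some receiving servers apply.

```python
import ipaddress

# Constructed zone data mirroring the dig output quoted in the thread.
NS = {"233.118.74.in-addr.arpa": ["dns1.usmetrocom.com", "dns2.usmetrocom.com",
                                  "dns3.usmetrocom.com"]}
# Assumption: no A record exists for the ISP-generated PTR name (none is shown).
A = {"mx1.sixls.com": ["74.118.233.14"]}
PTR_NOW = {"14.233.118.74.in-addr.arpa": ["FL-14.233.118.74-usmetrocom.com."]}
PTR_FIXED = {"14.233.118.74.in-addr.arpa": ["mx1.sixls.com."]}


def reverse_zone_owner(ip, ns_table):
    """Return (zone, nameservers) for the closest enclosing delegated reverse zone."""
    labels = ipaddress.ip_address(ip).reverse_pointer.split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in ns_table:
            return zone, ns_table[zone]
    return None, []


def fcrdns(ip, helo, ptr_table, a_table):
    """Check PTR -> A -> same IP, then compare the confirmed name with the HELO name."""
    rname = ipaddress.ip_address(ip).reverse_pointer
    names = [n.rstrip(".").lower() for n in ptr_table.get(rname, [])]
    if not names:
        return "no-ptr"
    confirmed = [n for n in names if ip in a_table.get(n, [])]
    if not confirmed:
        return "ptr-not-forward-confirmed"
    if helo.rstrip(".").lower() not in confirmed:
        return "helo-mismatch"
    return "ok"
```

The zone lookup shows why the change request goes to the operator of `233.118.74.in-addr.arpa` rather than to the registrar hosting the forward zone.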
NaplesFLDaveAuthor Commented:
OK. Thanks.
0
PapertripCommented:
Are you all clear on this now?  Once the PTR is updated you should be good to go.
0
NaplesFLDaveAuthor Commented:
Yes.
Great help from yawl (southern) !

~Dave
0
NaplesFLDaveAuthor Commented:
Thank you to all who joined in for this.
0
Question has a verified solution.