Solved

Can't send email to a couple clients

Posted on 2012-03-23
Last Modified: 2012-04-03
One of my clients was having a problem sending mail to one domain.
I've been banging my head on this for a couple of hours.  Originally it was a DNS issue.  I resolved that, but now I'm not really sure what it is.  I think it's a Postfix issue.

Here is the error message we get:

Last Error: 450 4.7.1 <xxxxxx@12thfloor.com.au>: Recipient address rejected: SPF-Result=ceelaw1.ceelaw.com.au: 'SERVFAIL' error on DNS 'SPF' lookup of 'ceelaw1.ceelaw.com.au'

ceelaw1.ceelaw.com.au resolves correctly.

Here is our SPF record: v=spf1 ip4:220.233.210.46 include:ceelaw1.ceelaw.com.au ~all

The only thing I can think of is that the reverse lookup on 220.233.210.46 is not ceelaw1.ceelaw.com.au, but it's 46.210.233.220.static.exetel.com.au

Hoping someone could help.
0
Question by:Livetechsupport
11 Comments
 
LVL 11

Expert Comment

by:TheGeezer2010
ID: 37757218
0
 

Author Comment

by:Livetechsupport
ID: 37757233
Thanks for the response, but I don't have access to the Postfix server; that belongs to the recipient.
Everything is good with our domain other than the reverse DNS.


Mark
0
 
LVL 11

Accepted Solution

by:
TheGeezer2010 earned 500 total points
ID: 37757250
The problem is that their Postfix is hard-rejecting your messages when it should be soft-rejecting. Can you suggest the workaround to the remote mail admin?
0
 

Author Comment

by:Livetechsupport
ID: 37757273
I sent them an email a few days ago, no response.
I just wanted another set of eyes to look at it in case I was missing something.
I can't believe I'd be the only person with this problem trying to send to them.

Mark
0
 
LVL 11

Expert Comment

by:TheGeezer2010
ID: 37757339
Normally, if your FQDN resolves to the IP you specified, then it will pass. It is possible, however, to configure devices to ALSO check the reverse IP, as per this link:

https://community.mcafee.com/message/169074

Could you not configure this so that whoever holds your external DNS records could create a PTR record to match the IP for this domain? Even if it means changing your SPF record to resolve to the 46. IP address?

Other than that, it is down to the remote messaging admin.
0

 
LVL 12

Expert Comment

by:DLeaver
ID: 37757600
Firstly, I would address your SPF record. I'm not going to post the MS link to the SPF wizard, as Papertrip will be on my case ;-) ...(although he does have a point)

... But look at this current open question and follow Papertrip's instructions here:

http://www.experts-exchange.com/Networking/Protocols/DNS/Q_27643172.html

Also change the PTR by contacting your ISP, as currently you have their default assigned, which is also causing you an issue.
0
 

Author Comment

by:Livetechsupport
ID: 37757765
I will try to contact the ISP to get the PTR record changed.
I did have my PTR record with only the IP address before; I added the include section recently, and it didn't make a difference.

Thanks for all the help

Mark
0
 
LVL 25

Expert Comment

by:DrDave242
ID: 37758523
You don't need the include mechanism in your SPF record at all if you've only got the one outbound mail server.  That mechanism is for including another domain's SPF entries within yours, and since you've specified a hostname (which does not have its own SPF record) in that mechanism rather than a domain, that may very well be what's causing the problem: it can't look up an SPF record for the domain ceelaw1.ceelaw.com.au, because no such thing exists.

I'd remove include:ceelaw1.ceelaw.com.au from your SPF record entirely and test again.
0
 
LVL 11

Expert Comment

by:TheGeezer2010
ID: 37763080
Good point, DrDave.
0
 

Author Comment

by:Livetechsupport
ID: 37763916
I got a response from the mail server admin that our mail was being rejected because we had an IP address instead of a host name for our name servers.

Hi Mark,
The error is occurring because the NS records for that domain are invalid.



;; QUESTION SECTION:
;ceelaw.com.au.                 IN      NS

;; ANSWER SECTION:
ceelaw.com.au.          86400   IN      NS      27.109.109.107.

;; Query time: 8 msec
;; SERVER: 27.109.109.107#53(27.109.109.107)
;; WHEN: Mon Mar 26 10:46:18 2012
;; MSG SIZE  rcvd: 59


NS records must be domain-names (not IP addresses)

So I'll try to resolve that issue and let you all know how it works out.

Thanks,

Mark
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 37764419
While having an IP in the data portion of an NS record is not RFC compliant, it is not the source of this particular problem.

The problem here as previously mentioned is the include mechanism in your SPF record, as there is no SPF record for ceelaw1.ceelaw.com.au.

FYI while having ~all does mean softfail, it does not mean that the receiving server will not ultimately reject the message.  Also a 4xx reply is not a hardbounce but rather a softbounce.

DLeaver and DrDave are correct.

[root@broken ~]# dig txt ceelaw1.ceelaw.com.au

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> txt ceelaw1.ceelaw.com.au
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64950
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ceelaw1.ceelaw.com.au.		IN	TXT

;; AUTHORITY SECTION:
ceelaw.com.au.		10474	IN	SOA	ns1.linode.com. luckystunter.gmail.com. 2012032264 14400 14400 1209600 86400

;; Query time: 1 msec


0
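
An added example, not part of the thread or any poster's code: a minimal Python sketch of RFC 7208 evaluation for the ip4, include and all mechanisms, run over constructed TXT data, showing what the include discussed above returns when its target has no SPF record or the lookup fails. The ZONE dictionary, the SERVFAIL marker and the check_host function are assumptions made for illustration; mechanisms are evaluated left to right, so the include is only reached for addresses that ip4 does not match.

```python
import ipaddress

SERVFAIL = object()  # constructed marker: the resolver got no usable answer

# Constructed TXT data standing in for DNS. The record text is the one quoted
# in the question; ceelaw1.ceelaw.com.au has no TXT record, as in the dig output.
ZONE = {
    "ceelaw.com.au": ["v=spf1 ip4:220.233.210.46 include:ceelaw1.ceelaw.com.au ~all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, zone, depth=0):
    """Evaluate ip4, include and all per RFC 7208; other mechanisms are not modelled."""
    if depth > 10:                       # lookup limit, RFC 7208 section 4.6.4
        return "permerror"
    txt = zone.get(domain, [])
    if txt is SERVFAIL:
        return "temperror"               # DNS error, RFC 7208 section 4.4
    records = [t for t in txt if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    if not records:
        return "none"                    # no SPF record published at this name
    if len(records) > 1:
        return "permerror"
    for term in records[0].split()[1:]:  # left to right, first match wins
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name == "ip4":
            if ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include":
            inner = check_host(ip, arg.rstrip("."), zone, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qual]
            if inner in ("none", "permerror"):
                return "permerror"       # include of a name without SPF, section 5.2
            if inner == "temperror":
                return "temperror"
        else:
            return "permerror"           # simplification: mechanism not modelled here
    return "neutral"
```

Calling check_host("192.0.2.10", "ceelaw.com.au", ZONE) with a constructed non-matching address returns "permerror", while the listed address 220.233.210.46 returns "pass" without the include ever being evaluated.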
