Solved

Mail server Reverse DNS issues

Posted on 2013-10-24
Last Modified: 2013-10-26
I've got a customer that has multiple domain names. They wanted their primary domain changed. I followed a guide and made the appropriate changes to the Exchange server. Emails come and go properly for the most part but they can't send to some domains and mxtoolbox says: Warning - Reverse DNS does not match SMTP Banner.

I'm no DNS or Exchange expert so I need some help.

FQDN: x64exchserver.abc.123.com

Original primary email domain:
mx record: mail.123.com
A record: 111.111.111.111

New email domain:
mx record mail.456.com
A record: 111.111.111.111

What do I have the ISP set up for reverse DNS? The SMTP banner is the FQDN, x64exchserver.abc.123.com, but there isn't a DNS entry anywhere that matches that externally. Just mail.123.com.

Utterly confused.

Thank you.
Question by:Milord
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
ID: 39598377
Ignore mxtoolbox.com unless you have Exchange 2003, as it reports on your receive connector, not your send connector.

The FQDN on your send connector should be mail.456.com and this should be what is set as reverse DNS by the ISP.

As long as 111.111.111.111 resolves to mail.456.com and mail.456.com resolves to 111.111.111.111 and reverse DNS is mail.456.com you are configured correctly.

Alan
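The three checks Alan lists (the A record of the mail host, the PTR the ISP publishes for the IP, and the name the send connector advertises in EHLO), as an added PowerShell example that is not part of the thread. Test-OutboundMailDns is a name made up for this example; mail.456.com and 111.111.111.111 are the thread's own placeholders. The function only needs outbound DNS from wherever it runs; the Get-SendConnector lines assume the Exchange 2007/2010 Management Shell is loaded. It avoids Resolve-DnsName and PowerShell 3 syntax so it also runs in the PowerShell 2.0 shell that ships with Exchange 2010.

```powershell
# Added example, not from the thread: forward/reverse DNS consistency check
# for the outbound mail host. Needs outbound DNS; the Get-SendConnector part
# below assumes the Exchange Management Shell (2007/2010) is loaded.
function Test-OutboundMailDns {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,    # name the ISP's PTR should return, e.g. mail.456.com
        [Parameter(Mandatory=$true)][string]$ExpectedIp,  # the public IP, e.g. 111.111.111.111 (thread placeholder)
        [string]$AdvertisedFqdn                           # what the send connector puts in EHLO (optional)
    )
    $forward = @()
    try {
        $forward = [System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.ToString() }
    } catch { }   # NXDOMAIN or resolver failure: leave $forward empty

    $reverse = $null
    try {
        # GetHostEntry on an IP address string performs the PTR lookup
        $reverse = [System.Net.Dns]::GetHostEntry($ExpectedIp).HostName.TrimEnd('.')
    } catch { }   # no PTR published: leave $reverse null

    New-Object PSObject -Property @{
        HostName       = $HostName
        ForwardIps     = ($forward -join ',')
        ForwardOk      = [bool]($forward -contains $ExpectedIp)
        ReverseName    = $reverse
        ReverseOk      = [bool]($reverse -and ($reverse -ieq $HostName))
        AdvertisedFqdn = $AdvertisedFqdn
        BannerOk       = $(if ($AdvertisedFqdn) { $AdvertisedFqdn -ieq $HostName } else { $null })
    }
}

# What the send connector actually advertises. An empty Fqdn means Exchange
# falls back to the server's own name (x64exchserver.abc.123.com in the
# question), which is exactly the mismatch being asked about.
$conn = Get-SendConnector | Select-Object -First 1     # pick your Internet-facing connector
$advertised = if ($conn.Fqdn) { $conn.Fqdn.ToString() } else {
    $props = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    "$($props.HostName).$($props.DomainName)"
}
Test-OutboundMailDns -HostName 'mail.456.com' -ExpectedIp '111.111.111.111' -AdvertisedFqdn $advertised |
    Format-List
```

All three booleans should come back True; a False ForwardOk or ReverseOk is a change the ISP or the public DNS host has to make, a False BannerOk is fixed with Set-SendConnector -Fqdn. The receive connector has its own, separate -Fqdn on Set-ReceiveConnector; that is the banner mxtoolbox sees when it connects inbound, so the warning Alan says to ignore goes away only if that is changed as well (Exchange will not let you change it on the default connector that uses Exchange Server authentication, so do it on a dedicated Internet receive connector).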
 

Author Closing Comment

by:Milord
ID: 39598579
Thanks Alan. I didn't know that. Well, I still don't know why we can't send to a certain domain then.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39598683
I'd be happy to help see if I can figure out why if you have tried and given up.

Have you tried a manual telnet session to their mail server from your mail server to see what response you get?  It might reveal something interesting.
 

Author Comment

by:Milord
ID: 39598806
Thanks Alan.

I just tried that. I get no response from their first mail server. They have 3 mail servers that show up when I do an smtp test on mxtoolbox. I get the expected response from the other 2 servers.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39598843
Have you tried setting up a new SEND connector, adding the problem domain to that connector, then enabling Verbose Logging and setting up a folder to store those logs?

That way you will be able to readily run through the logs and see what is happening (assuming you speak SMTP)!!
 

Author Comment

by:Milord
ID: 39598860
Nope, that is above my Exchange knowledge. I'm a small-town jack-of-all-trades, master-of-none IT guy. LOL. I'm not afraid to try though.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39598908
Okay - add a new SEND Connector using the Wizard in the Exchange Management Console > Organization Config > Hub Transport > Send Connectors > New Send Connector.

Run through the Wizard - name it something like {ProblemDomainName} (replace that with the name of the problem domain) and leave Custom as the Connector Type. In the Address Space, add whatever.com (the problem domain name itself), use DNS to route the mail and then finish the wizard.

Then edit the SEND Connector, on the General Tab, change Protocol Logging Level to Verbose, and change the Maximum Send Size if you need to so that it matches your other SEND Connector.

Create a new folder (for example c:\smtp send logs) and then run the following Exchange Shell Command, replacing ServerName with the name of your Exchange Server:

Set-TransportServer "ServerName" -SendProtocolLogPath "c:\smtp send logs" -SendProtocolLogMaxFileSize 5MB -SendProtocolLogMaxDirectorySize 100MB -SendProtocolLogMaxAge 30.00:00:00

This will allow 5 MB logs to be created in a folder with a maximum size of 100 MB (before files get overwritten) and will keep 30 days' worth of info at most - tweak accordingly if you want more or less time.

Then restart the Microsoft Exchange Transport Service, send a few test emails and then after a few minutes, check the log folder and open up the log and see what you can make of the logs.
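The same procedure from the Exchange Management Shell, as an added example rather than the thread's own steps (Exchange 2007/2010, which is the console layout described above). The placeholders are the ones the steps use: whatever.com for the problem domain and ServerName for the Hub Transport server; the connector name Troubleshoot-whatever.com and the log folder are chosen for this example. The field names in step 4 are the ones Exchange writes in the '#Fields:' header of its send protocol logs.

```powershell
# Added example, not from the thread: the Exchange Management Shell version of
# the console steps above (Exchange 2007/2010). Placeholders as in the steps:
# whatever.com is the problem domain, ServerName the Hub Transport server.
$problemDomain = 'whatever.com'
$server        = 'ServerName'
$name          = "Troubleshoot-$problemDomain"   # connector name, chosen for this example
$logDir        = 'C:\smtp send logs'

# 1. Custom, DNS-routed connector scoped to the problem domain only. The more
#    specific address space beats the catch-all '*' connector, so nothing
#    else changes route.
New-SendConnector -Name $name -Usage Custom -AddressSpaces "SMTP:$problemDomain;1" `
    -DNSRoutingEnabled $true -SourceTransportServers $server

# 2. Verbose protocol logging on this connector only, and the same size
#    limit as the existing Internet connector (first other connector found;
#    check Get-SendConnector if you have several).
$existing = Get-SendConnector | Where-Object { $_.Name -ne $name } | Select-Object -First 1
Set-SendConnector -Identity $name -ProtocolLoggingLevel Verbose -MaxMessageSize $existing.MaxMessageSize

# 3. Send protocol log location and retention. This is per server, not per
#    connector. Straight quotes: the curly quotes that come along when the
#    command is copied from a web page break the parser.
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
Set-TransportServer -Identity $server -SendProtocolLogPath $logDir `
    -SendProtocolLogMaxFileSize 5MB -SendProtocolLogMaxDirectorySize 100MB `
    -SendProtocolLogMaxAge '30.00:00:00'
Restart-Service MSExchangeTransport

# 4. After a few test messages: the logs are CSV with '#'-prefixed header
#    lines; these are the field names from Exchange's '#Fields:' line. Show
#    only the dialogue on the troubleshooting connector.
$fields = 'date-time','connector-id','session-id','sequence-number',
          'local-endpoint','remote-endpoint','event','data','context'
Get-ChildItem -Path $logDir -Filter 'SEND*.LOG' |
    Get-Content |
    Where-Object { $_ -notmatch '^#' } |
    ConvertFrom-Csv -Header $fields |
    Where-Object { $_.'connector-id' -eq $name } |
    Select-Object 'date-time','remote-endpoint','event','data' |
    Format-Table -AutoSize
```

Verbose protocol logs hold every sender and recipient address and the full SMTP dialogue, so keep the folder's ACL to administrators and set -ProtocolLoggingLevel back to None once the cause is found. In the output, the event column is the direction ('>' sent, '<' received, '-' connect/disconnect) and data holds the SMTP line, so a connection that drops before any '220' banner, or a '4xx' greeting, is visible in the first few rows of a session.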
 

Author Comment

by:Milord
ID: 39598975
Thank you for the detailed instructions Alan. I will follow them tomorrow and see what happens. I appreciate your help.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39598979
No problems - shout if you get stuck anywhere.  I will be zapping the CryptoLocker virus tomorrow, so will have plenty of opportunity to help you as it isn't desperately challenging!

Author Comment

by:Milord
ID: 39598983
Dealing with that particular virus right now! Actually ended up wiping the machine as it encrypted all kinds of files, even files on network shares. Backups saved the day.
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39599022
Yes - thank heavens for backups.

I wrote a few lines about cleaning it up here if you fancy a read:

http://alanhardisty.wordpress.com/2013/10/22/cryptolocker-ransom-virus-cleanup/
 

Author Comment

by:Milord
ID: 39602601
Nice write-up Alan. I've just received my second call about that damn virus.

Anyway, back to my original problem. The mail host from the other company got back to us and this is what they said:
Our spam protection system employs fake MXs. Servers MX02.NICMAIL.ru and MX03.NICMAIL.ru always reject connections. Only MX01.NICMAIL.ru receives mail.

To solve your problem, you need to change settings in the outgoing mail servers.
Inability to connect to MX02.NICMAIL.ru, and a reply from MX03.NICMAIL.ru with a 4XX error code, should not be treated as fatal; instead, attempts to send mail should continue to the other servers listed in the MX records.

What do I need to change in Exchange to have it continue sending to other servers in the MX records?
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39602639
You can use the SEND Connector I suggested creating above and edit it to send direct to the valid (working MX Record) directly, rather than use DNS to figure it out.  That way you can cut out the false MX records and go straight to the working one.

Alan
 

Author Comment

by:Milord
ID: 39602650
I created the connector, under Network I picked Route mail through the following smart hosts and used MX01.NICMAIL.ru as the FQDN. Is that the correct setup?
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39602665
Yep - that's perfect.

Restart the Microsoft Exchange Transport Service to force the settings to be applied too.

Alan
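Alan's manual telnet test and the smart-host fix together, as an added PowerShell example that is not part of the thread: probe every MX for the destination domain in preference order, report which ones refuse, drop the connection or greet with a 4xx, and then pin the connector to the one that answers 220. Get-SmtpBanner is a name made up here; nicmail.ru and mx01.nicmail.ru are from the hosting company's reply above, and NICMAIL.ru is assumed to be the name of the send connector created for that domain. Resolve-DnsName needs Windows Server 2012 or later; on 2008 R2 use nslookup -type=mx and fill $mxHosts by hand. Needs outbound DNS and port 25 from the Exchange server.

```powershell
# Added example, not from the thread: probe each MX for the destination the
# way the manual telnet test would, then pin the connector to the one that
# answers. Resolve-DnsName needs Windows Server 2012 or later; on 2008 R2 run
# "nslookup -type=mx nicmail.ru" and fill $mxHosts by hand.
function Get-SmtpBanner {
    param(
        [string]$HostName,
        [int]$Port = 25,
        [int]$TimeoutMs = 10000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return 'no answer (connect timeout)'
        }
        $client.EndConnect($pending)        # throws if the connection was refused
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream)
        $banner = $reader.ReadLine()        # "220 ..." on a real MX, "4xx ..." on a tarpit
        if ($null -eq $banner) { return 'connected, then closed without a banner' }
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.WriteLine('QUIT')           # leave cleanly so the probe is not logged as an aborted session
        $writer.Flush()
        return $banner
    } catch {
        return "error: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

$domain    = 'nicmail.ru'
$connector = 'NICMAIL.ru'    # assumed name of the send connector created for this domain

# MX records in preference order (lowest number = primary); the A records
# Resolve-DnsName returns alongside them are filtered out.
$mxHosts = Resolve-DnsName -Name $domain -Type MX |
    Where-Object { $_.Type -eq 'MX' } |
    Sort-Object Preference |
    ForEach-Object { $_.NameExchange }

$mxHosts | ForEach-Object {
    New-Object PSObject -Property @{ Host = $_; Banner = (Get-SmtpBanner -HostName $_) }
} | Format-Table -AutoSize

# Pin delivery for this domain to the MX that returned 220. Exchange still
# resolves the smart host's A record at delivery time, but it will never
# consult the domain's MX records again, so revisit this if the remote side
# renames its real MX.
Set-SendConnector -Identity $connector -DNSRoutingEnabled $false -SmartHosts 'mx01.nicmail.ru'
Restart-Service MSExchangeTransport
```

Run the probe before and after the change: before, it documents which hosts the remote side is deliberately sabotaging (useful when their support asks what you saw); after, it confirms the pinned host is still the one greeting with 220. Because the smart host is a fixed name in your configuration rather than something discovered from DNS, write the reason into the connector's description, or mail to that domain will queue silently the day the remote side retires mx01.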
 

Author Comment

by:Milord
ID: 39602671
Thanks Alan, I really appreciate your help. Now we'll see if it works!
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39602809
Fingers crossed. Shout if it doesn't help, then at least we can look at the logs and find a reason.

Alan
 

Author Comment

by:Milord
ID: 39602863
It worked Alan, you are the man. Thank you very much.

James
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39602988
Excellent - long may it continue to do so ;)

Best wishes

Alan
