Solved

Mail server Reverse DNS issues

Posted on 2013-10-24
Last Modified: 2013-10-26
I've got a customer that has multiple domain names. They wanted their primary domain changed. I followed a guide and made the appropriate changes to the Exchange server. Emails come and go properly for the most part but they can't send to some domains and mxtoolbox says: Warning - Reverse DNS does not match SMTP Banner.

I'm no DNS or Exchange expert so I need some help.

FQDN: x64exchserver.abc.123.com

Original primary email domain:
mx record: mail.123.com
A record: 111.111.111.111

New email domain:
mx record: mail.456.com
A record: 111.111.111.111

What do I have the ISP set up for reverse DNS? The smtp banner is the FQDN: x64exchserver.abc.123.com but there isn't a DNS entry anywhere that matches that externally. Just mail.123.com.

Utterly confused.

Thank you.
0
Question by:Milord
19 Comments
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 2000 total points
ID: 39598377
Ignore mxtoolbox.com unless you have Exchange 2003 as it reports on your receive connector not your send connector.

The FQDN on your send connector should be mail.456.com and this should be what is set as reverse DNS by the ISP.

As long as 111.111.111.111 resolves to mail.456.com and mail.456.com resolves to 111.111.111.111 and reverse DNS is mail.456.com you are configured correctly.

Alan
0
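The three-way agreement described in the accepted answer (address to PTR name, name back to address, and the name the server announces) can be checked in one pass. This is an added example, not part of the original thread; the function names are hypothetical and the DNS tables are constructed from the thread's placeholder names so the check runs offline.

```python
import socket

def _norm(name):
    return name.rstrip(".").lower()

def live_ptr(ip):
    """PTR names for ip via the system resolver (empty list if none)."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host] + aliases
    except (socket.herror, socket.gaierror):
        return []

def live_a(name):
    """IPv4 addresses for name via the system resolver (empty list if none)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []

def check_mail_identity(ip, helo_name, ptr_lookup=live_ptr, a_lookup=live_a):
    """Return a list of mismatches; an empty list means PTR, A and HELO agree."""
    helo = _norm(helo_name)
    ptr_names = [_norm(n) for n in ptr_lookup(ip)]
    problems = []
    if not ptr_names:
        problems.append(f"{ip} has no PTR record")
    elif helo not in ptr_names:
        problems.append(f"PTR for {ip} is {ptr_names[0]}, server announces {helo}")
    # Every name involved must resolve forward to the sending address.
    for name in sorted(set(ptr_names + [helo])):
        if ip not in a_lookup(name):
            problems.append(f"{name} does not resolve to {ip}")
    return problems

# Constructed DNS data using the thread's placeholder names and address.
A_RECORDS = {"mail.123.com": ["111.111.111.111"], "mail.456.com": ["111.111.111.111"]}
PTR_BEFORE = {"111.111.111.111": ["mail.123.com"]}
PTR_AFTER = {"111.111.111.111": ["mail.456.com"]}

def offline(ptr_table):
    """Build lookup functions over the constructed tables above."""
    return (lambda ip: ptr_table.get(ip, [])), (lambda n: A_RECORDS.get(n, []))
```

Called with only an address and a name, the function uses the system resolver instead of the constructed tables.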
 

Author Closing Comment

by:Milord
ID: 39598579
Thanks Alan. I didn't know that. Well, I still don't know why we can't send to a certain domain then.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39598683
I'd be happy to help see if I can figure out why if you have tried and given up.

Have you tried a manual telnet session to their mail server from your mail server to see what response you get?  It might reveal something interesting.
0

 

Author Comment

by:Milord
ID: 39598806
Thanks Alan.

I just tried that. I get no response from their first mail server. They have 3 mail servers that show up when I do an smtp test on mxtoolbox. I get the expected response from the other 2 servers.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39598843
Have you tried setting up a new SEND connector, adding the problem domain to that connector, then enabling Verbose Logging and setting up a folder to store those logs?

That way you will be able to readily run through the logs and see what is happening (assuming you speak SMTP)!!
0
 

Author Comment

by:Milord
ID: 39598860
Nope, that is above my Exchange knowledge. I'm a small town jack of all trades master of none IT guy. LOL. I'm not afraid to try though.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39598908
Okay - add a new SEND Connector using the Wizard in the Exchange Management Console > Organization Config > Hub Transport > Send Connectors > New Send Connector.

Run through the Wizard - Name it something like {ProblemDomainName} (replace that with the name of the problem domain) and leave Custom as the Connector Type. In the Address Space, add whatever.com (the problem domain name itself), use DNS to route the mail and then finish the wizard.

Then edit the SEND Connector, on the General Tab, change Protocol Logging Level to Verbose, and change the Maximum Send Size if you need to so that it matches your other SEND Connector.

Create a new folder (for example c:\smtp send logs) and then run the following Exchange Shell Command, replacing ServerName with the name of your Exchange Server:

Set-TransportServer "ServerName" -SendProtocolLogPath "c:\smtp send logs" -SendProtocolLogMaxFileSize 5MB -SendProtocolLogMaxDirectorySize 100MB -SendProtocolLogMaxAge 30.00:00:00

This will allow 5 MB logs to be created in a folder with a maximum size of 100 MB (before files get overwritten) and will keep 30 days' worth of info maximum - tweak accordingly if you want more or less time.

Then restart the Microsoft Exchange Transport Service, send a few test emails and then after a few minutes, check the log folder and open up the log and see what you can make of the logs.
0
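For reading the resulting send protocol log without stepping through it line by line, the sketch below groups rows by session and reports whether each session connected, which name was announced in EHLO, and which 4xx/5xx replies came back. It is an added example, not part of the original thread; the function names are hypothetical, the log lines are constructed, and the column layout is assumed to be whatever the log's own #Fields header declares.

```python
import csv
import re

# Constructed sample in the layout of an Exchange SMTP send protocol log;
# session ids and addresses are invented, mail.456.com is the thread's placeholder.
SAMPLE_LOG = """\
#Log-type: SMTP Send Protocol Log
#Fields: date-time,connector-id,session-id,sequence-number,local-endpoint,remote-endpoint,event,data,context
2013-10-25T09:00:01Z,ProblemDomain,S1,0,,198.51.100.2:25,*,,attempting to connect
2013-10-25T09:00:23Z,ProblemDomain,S2,0,192.0.2.10:4001,198.51.100.3:25,+,,
2013-10-25T09:00:23Z,ProblemDomain,S2,1,192.0.2.10:4001,198.51.100.3:25,<,451 4.7.1 Try again later,
2013-10-25T09:00:24Z,ProblemDomain,S3,0,192.0.2.10:4002,198.51.100.1:25,+,,
2013-10-25T09:00:24Z,ProblemDomain,S3,1,192.0.2.10:4002,198.51.100.1:25,<,220 mx.example.test ESMTP,
2013-10-25T09:00:24Z,ProblemDomain,S3,2,192.0.2.10:4002,198.51.100.1:25,>,EHLO mail.456.com,
2013-10-25T09:00:24Z,ProblemDomain,S3,3,192.0.2.10:4002,198.51.100.1:25,<,250 mx.example.test Hello,
"""

def summarize_sessions(log_text):
    """Group log rows by session-id and pull out what matters for triage."""
    fields, sessions = None, {}
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].strip().split(",")
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, next(csv.reader([line]))))
        s = sessions.setdefault(row["session-id"], {
            "remote": row["remote-endpoint"], "connected": False,
            "helo": None, "errors": []})
        if row["event"] == "+":                      # TCP connection established
            s["connected"] = True
        elif row["event"] == ">" and re.match(r"(?i)(EHLO|HELO)\s", row["data"]):
            s["helo"] = row["data"].split()[1]       # name we announced
        elif row["event"] == "<" and re.match(r"[45]\d\d", row["data"]):
            s["errors"].append(row["data"])          # 4xx/5xx reply from remote
    return sessions

def verdict(session):
    """Classify one session: no-connect, permanent-failure, temporary-failure or ok."""
    if not session["connected"]:
        return "no-connect"
    if any(e.startswith("5") for e in session["errors"]):
        return "permanent-failure"
    return "temporary-failure" if session["errors"] else "ok"
```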
 

Author Comment

by:Milord
ID: 39598975
Thank you for the detailed instructions Alan. I will follow them tomorrow and see what happens. I appreciate your help.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39598979
No problems - shout if you get stuck anywhere.  I will be zapping the CryptoLocker virus tomorrow, so will have plenty of opportunity to help you as it isn't desperately challenging!
0
 

Author Comment

by:Milord
ID: 39598983
Dealing with that particular virus right now! Actually ended up wiping the machine as it encrypted all kinds of files, even files on network shares. Backups saved the day.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39599022
Yes - thank heavens for backups.

I wrote a few lines about cleaning it up here if you fancy a read:

http://alanhardisty.wordpress.com/2013/10/22/cryptolocker-ransom-virus-cleanup/
0
 

Author Comment

by:Milord
ID: 39602601
Nice write-up Alan. I've just received my second call about that damn virus.

Anyway, back to my original problem. The mail host from the other company got back to us and this is what they said:
Our spam protection system employs fake MX's. Servers MX02.NICMAIL.ru and MX03.NICMAIL.ru always reject connections. Only MX01.NICMAIL.ru receives mail.

To solve your problem, you need to change settings in the outgoing mail servers.
Inability to connect with MX02.NICMAIL.ru and reply by MX03.NICMAIL.ru with the error code 4XX should not be treated as fatal, instead, attempts to send mail should continue to other servers listed in MX records.

What do I need to change in Exchange to have it continue sending to other servers in the MX records?
0
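The fallback behaviour the remote host asks for in the reply quoted above, written out as a small model of a sending server walking the MX list. This is an added example, not part of the original thread and not Exchange's own logic; the function names are hypothetical, and the MX preference numbers and the 451 code are constructed (the reply only says "4XX").

```python
def deliver(mx_records, try_host):
    """Walk the MX list in preference order (lowest number first).

    try_host(host) returns the final SMTP reply code as an int, or None when
    the TCP connection could not be made. Returns (outcome, attempts).
    """
    attempts = []
    for _pref, host in sorted(mx_records):
        code = try_host(host)
        attempts.append((host, code))
        if code is not None and 200 <= code <= 299:
            return "delivered", attempts
        if code is not None and 500 <= code <= 599:
            return "bounced", attempts      # permanent: stop and report back
        # No connection or a 4xx reply is temporary for this host only,
        # so carry on to the next MX instead of giving up.
    return "deferred", attempts             # queue the message and retry later

# Host behaviour as described in the quoted reply; the preference numbers
# are constructed for this example and are not taken from real DNS.
MX_RECORDS = [(10, "MX02.NICMAIL.ru"), (20, "MX03.NICMAIL.ru"), (30, "MX01.NICMAIL.ru")]
BEHAVIOUR = {"MX02.NICMAIL.ru": None, "MX03.NICMAIL.ru": 451, "MX01.NICMAIL.ru": 250}

def simulated_host(host):
    """Stand-in for a real SMTP attempt, driven by the table above."""
    return BEHAVIOUR[host]
```

A sender that stops at the first unreachable or 4xx host never gets as far as the one server that accepts mail, which matches the symptom reported in this thread.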
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39602639
You can use the SEND Connector I suggested creating above and edit it to send directly to the valid (working) MX record, rather than use DNS to figure it out.  That way you can cut out the false MX records and go straight to the working one.

Alan
0
 

Author Comment

by:Milord
ID: 39602650
I created the connector, under Network I picked Route mail through the following smart hosts and used MX01.NICMAIL.ru as the FQDN. Is that the correct setup?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39602665
Yep - that's perfect.

Restart the Microsoft Exchange Transport Service to force the settings to be applied too.

Alan
0
 

Author Comment

by:Milord
ID: 39602671
Thanks Alan, I really appreciate your help. Now we'll see if it works!
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39602809
Fingers crossed. Shout if it doesn't help, then at least we can look at the logs and find a reason.

Alan
0
 

Author Comment

by:Milord
ID: 39602863
It worked Alan, you are the man. Thank you very much.

James
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 39602988
Excellent - long may it continue to do so ;)

Best wishes

Alan
0
