Solved

Customer's Exchange doesn't get through to a government mail server (helo or mx configuration is wrong)

Posted on 2014-03-01
Medium Priority
938 Views
Last Modified: 2014-03-13
Hello Everyone,

I have a customer who has Exchange 2010 running and configured well, and it is pretty much working fine with all public mail providers, except with a couple of government mail servers, where the email gets bounced with the following message.

mail01.verwalt-berlin.de hat diesen Fehler ausgegeben:
<poststelle@fa-prenzlauer-berg.verwalt-berlin.de>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: mail.domain.org, MTA hostname: port-87-193-172-42.static.qsc.de[87.ADSL_IP] (helo/hostname mismatch)

Customer is using a PPPoE dial-up connection to their ISP. With that connection we are receiving a static public IP address. Their mail server is mail.domain.org and is configured on a different IP address, 212.x.x.x. If we make a test with Microsoft's test analyzer http://testexchageconnectivity.com, we get all green marks. But it looks like some servers are not looking at the 212 IP, and are instead looking at the 87 IP. Is there anything that has to be changed in our configuration?
 
Just to clarify their network topology: the customer has pfSense configured as their main router with 2 ADSL connections, and TMG is acting as the DMZ and Exchange Edge role as well, with Forefront gateway configured too.

The local hostname of the Exchange Hub Transport is post.domain.org; the Edge, which has TMG on it and is acting as an Exchange role as well, has the hostname "mail.domain.org".

Here is the bounce message from the receiving mail server which is rejecting their emails:

Note: We have checked if the IPs are on a blacklist but they are not; we also spoke to the ISP and he confirmed it is not on their blacklist either.
Would appreciate any thoughts.


(sorry it's in German, but I included a translation below)

mail01.verwalt-berlin.de hat Ihre Nachricht an die folgende E-Mail-Adresse zurückgewiesen:
 
poststelle@fa-prenzlauer-berg.verwalt-berlin.de (poststelle@fa-prenzlauer-berg.verwalt-berlin.de)
 
Ihre Nachricht wurde aufgrund eines Berechtigungs- oder Sicherheitsproblems nicht zugestellt. Möglicherweise wurde sie von einem Moderator zurückgewiesen, die Adresse akzeptiert nur E-Mails von bestimmten Absendern oder die Übermittlung wurde durch eine andere Einschränkung verhindert.

(Your message was not delivered due to a permission or security issue. It may have been rejected by a moderator, the address will only accept emails from specific senders or the transmission was prevented by another constraint.)
 
   
Diagnoseinformationen für Administratoren:
 
Generierender Server: mail.domain.org
 
poststelle@fa-prenzlauer-berg.verwalt-berlin.de
mail01.verwalt-berlin.de #550 5.7.1 <poststelle@fa-prenzlauer-berg.verwalt-berlin.de>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: mail.domain.org, MTA hostname: port-87-193-172-42.static.qsc.de[87.x.x.x] (helo/hostname mismatch) ##
 
Ursprüngliche Nachrichtenköpfe:
 
Received: from POST.domain.org (192.168.111.3) by mail.domain.org
(192.168.111.1) with Microsoft SMTP Server (TLS) id 14.3.174.1; Thu, 20 Feb
2014 18:34:00 +0100
Received: from POST.domain.org ([fe80::ec31:bef6:f37d:effe]) by
post.domain.org ([fe80::ec31:bef6:f37d:effe%13]) with mapi id
14.03.0174.001; Thu, 20 Feb 2014 18:34:00 +0100
From: name surname <name_surname@domain.org>
To: "poststelle@fa-prenzlauer-berg.verwalt-berlin.de"
            <poststelle@fa-prenzlauer-berg.verwalt-berlin.de>
Subject: Test
Thread-Topic: Test/  hier:
SEPA-Lastschriftmandat
Thread-Index: Ac8twHfIAAZdRDtERce7bNrXMlLSwQ==
Disposition-Notification-To: Name Surname
            <name_surname@domain.org>
Return-Receipt-To: <name_surname@domain.org>
Date: Thu, 20 Feb 2014 17:33:59 +0000
Message-ID: <75260A919C08394988275FD04BDA0DE5164BB0AA@post.domain.org>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.111.49]
Content-Type: application/pkcs7-mime; smime-type=signed-data;
            name="smime.p7m"
Content-Disposition: attachment; filename="smime.p7m"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Return-Path: name_surname@domain.org


0
Question by:Mohammed Hamada
9 Comments
 
LVL 20

Expert Comment

by:strivoli
ID: 39897104
Your PTR might not be the same as the one in the SMTP banner.
Run an SMTP test using www.mxtoolbox.com. Thanks.
0
 
LVL 24

Author Comment

by:Mohammed Hamada
ID: 39897119
Hi Strivoli,

I ran an SMTP test and here's what I got:


smtp:212.x.x.x
220 mail.domain.org Microsoft ESMTP MAIL Service ready at Sat, 1 Mar 2014 12:46:27 +0100

Test                        Result
SMTP TLS                    Warning - Does not support TLS.
SMTP Transaction Time       8.533 seconds - Not good! on Transaction Time
SMTP Reverse Banner Check   OK - 212.x.x.x resolves to mail.domain.org
SMTP Reverse DNS Mismatch   OK - Reverse DNS matches SMTP Banner
SMTP Connection Time        0.967 seconds - Good on Connection time
SMTP Open Relay             OK - Not an open relay.
Session Transcript:
Connecting to 212.x.x.x

220 mail.domain.org Microsoft ESMTP MAIL Service ready at Sat, 1 Mar 2014 12:46:27 +0100 [780 ms]
EHLO MXTB-PWS3.mxtoolbox.com
250-mail.domain.org Hello [64.20.227.133]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH
250-8BITMIME
250-BINARYMIME
250 CHUNKING [796 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 2.1.0 Sender OK [796 ms]
RCPT TO: <test@example.com>
550 5.7.1 Unable to relay [5803 ms]

MXTB-PWS3v2 9641ms


0
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39897366
- your HELO name should match the PTR associated with your external IP
- there should be a single PTR record
- the HELO name and the PTR associated with the IP must correspond to an A record that includes the outgoing IP

the error is quite explicit: MTA helo: mail.domain.org, MTA hostname: port-87-193-172-42.static.qsc.de[87.x.x.x] (helo/hostname mismatch)

what they call hostname is the (dynamic) PTR associated with your external IP

the email did transit through the 87 address, so you have a network configuration problem if the Exchange server is supposed to send email through 212.xxx
maybe the 212 link was down at that time?

from what I gather, the mxtoolbox test you have run tests the incoming email config. your problem is outgoing, so this is only loosely related.
0
 
LVL 24

Author Comment

by:Mohammed Hamada
ID: 39897882
Hi Skullnobrains,

In fact there's no network problem! The emails are all going out just fine. Only to this particular government e-mail destination do we get rejected, and the mail bounces back with the posted error message.

I have checked my customer's PTR DNS configuration and it has the right IP, which is bound to mail.domain.org, and it's only a single PTR record, as follows:
domain.org      text = "v=spf1 mx ip4:212.x.x.x a:port-87-x-x-x.static.qsc.de -all"

I just didn't get your last point:
- the helo name and the PTR associated with the IP must correspond to an A record that includes the outgoing IP

Do you mean here that the TXT should include the A name instead of the IP that points to my Exchange server or TMG?

Is this a correct record or not?
0
 
LVL 27

Expert Comment

by:skullnobrains
ID: 39898301
the HELO name is mail.domain.org
the PTR is port-87-193-172-42.static.qsc.de

no, they do not match

most servers will not care; properly configured filtering servers will increase the probability that you are a spammer and possibly trigger greylisting or tarpitting procedures, and self-assured configured servers will reject the mail altogether

if mail.domain.com is the PTR for your 212 address, you just need the mail flow to go through 212 instead of 87
if not, you'll be in trouble with the other address as well

Do you mean here that in the txt it should include the A name instead of the IP that points to my Exchange server or TMG?

this is what I was talking about (it's ok for now)

87-193-172-42 IN PTR --> port-87-193-172-42.static.qsc.de
port-87-193-172-42.static.qsc.de IN A --> 87-193-172-42

I was not talking about your SPF record, which looks good enough. I used the word "include" because the IN A query may resolve to several IP addresses. it is ok as long as the proper address is among them
0
 
LVL 24

Author Comment

by:Mohammed Hamada
ID: 39898431
This sounds great, but how do I change the PTR in the public DNS?

The PTR is actually not correct, that's right. It doesn't match the IP of mail.domain.com! That's pfSense's public IP address.

If I can't change the PTR on the public DNS, do I need to change the mail flow settings on the Exchange EMC send connector and change it to route using the mail.domain.com IP (212.x.x.x), right?

thanks
0
 
LVL 27

Accepted Solution

by:
skullnobrains earned 2000 total points
ID: 39898474
This sounds great, but how do I change the PTR in the public DNS?

your ISP maintains the PTR. it is possible that you can't change it, or rather cannot without paying an extra fee. anyway, ask them. usually business connections with fixed IPs will allow you to set the PTR.

like I said before, if your email is supposed to flow through 212 (as suggested in your initial question), maybe that address has a proper PTR that matches your HELO. I can't check since you don't give that information. if that is the case, you probably misconfigured your pfSense and accidentally let the mail flow through the wrong address. a policy route should exist to route the mail through 212 if that is the expected behavior

The PTR is actually not correct, that's right. It doesn't match the IP of mail.domain.com! That's pfSense's public IP address.

the IP of mail.domain.com is irrelevant.

the PTR should match the HELO sent by your server. you can configure your server to send "HELO port-87-193-172-42.static.qsc.de" and things will work when mail flows through the corresponding address

in case this is unclear, "match" in the previous sentence and above posts means "be the same" and not "resolve to the same ip"

If I can't change the PTR on the public DNS, do I need to change the mail flow settings on the Exchange EMC send connector and change it to route using the mail.domain.com IP (212.x.x.x), right?

you can change the HELO sent by the Exchange server like I said above.

"route using the mail.domain.com IP" in Exchange does not mean anything to me. maybe it is meaningful in your setup. I'd assume both external addresses are connected to your pfSense, so redirecting traffic through one IP or another should be done with a policy route in pfSense. if that is not the case, I do not have enough information to answer. I'd also need to know what the PTR of the 212 address is

---

a proper config should be the following:

Exchange sends "HELO mail.domain.com"
the PTRs of both your external IPs are set to mail.domain.com
mail.domain.com resolves to both your external IPs and possibly a few others

with this config, your mail will flow properly through either address

---

by changing the HELO in Exchange like suggested above, you can make the email flow through the 87 address properly, but it will not work if your mail flows through 212. since I do not know the PTR associated with the 212 address, I cannot determine if things would work properly if you redirected your outgoing mail traffic through this address with your current config.

---

if you are unsure about the rules that apply, refer to the first 3 lines of my first post
0
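The three rules from skullnobrains' first reply (HELO is the same name as the PTR, exactly one PTR, both forward-resolve to a set that includes the outgoing IP) and the "proper config" from the accepted answer, applied in code. This is an added example, not code from the thread; the DNS data is constructed, with 192.0.2.42 and 198.51.100.10 standing in for the customer's 87.x.x.x and 212.x.x.x addresses and dict lookups standing in for real PTR/A queries.

```python
"""Check HELO / PTR / A consistency for each address mail may leave through.
Added example built on constructed DNS data; a real checker would replace the
dict lookups with DNS queries."""

# Constructed records modelled on the thread. 192.0.2.42 stands in for the
# customer's 87.x.x.x (pfSense/PPPoE) address, 198.51.100.10 for 212.x.x.x.
PPPOE_IP, MAIL_IP = "192.0.2.42", "198.51.100.10"
DYN_PTR = "port-87-193-172-42.static.qsc.de"   # ISP-assigned PTR from the bounce

# Situation in the bounce: a dynamic ISP PTR on the address the mail left from.
CURRENT_ZONE = {
    "ptr": {PPPOE_IP: [DYN_PTR], MAIL_IP: ["mail.domain.org"]},
    "a": {DYN_PTR: [PPPOE_IP], "mail.domain.org": [MAIL_IP]},
}
# The "proper config" from the accepted answer: both PTRs equal the HELO name
# and the HELO name's A record lists both external addresses.
PROPER_ZONE = {
    "ptr": {PPPOE_IP: ["mail.domain.org"], MAIL_IP: ["mail.domain.org"]},
    "a": {"mail.domain.org": [PPPOE_IP, MAIL_IP]},
}

def check_helo(helo, outgoing_ip, zone):
    """Return the list of rule violations for one outgoing address; [] means OK."""
    helo = helo.lower().rstrip(".")
    ptrs = [p.lower().rstrip(".") for p in zone["ptr"].get(outgoing_ip, [])]
    forward = lambda name: zone["a"].get(name, [])
    problems = []
    # Rule 2: exactly one PTR record.
    if len(ptrs) != 1:
        problems.append("expected one PTR for %s, found %d" % (outgoing_ip, len(ptrs)))
    # Rule 1: HELO must be the same string as the PTR, not merely resolve alike.
    if helo not in ptrs:
        problems.append("helo/hostname mismatch: helo=%s ptr=%s" % (helo, ptrs or None))
    # Rule 3: HELO and PTR must forward-resolve to a set containing this IP.
    for name in dict.fromkeys([helo, *ptrs]):
        if outgoing_ip not in forward(name):
            problems.append("A record for %s does not include %s" % (name, outgoing_ip))
    return problems

def check_all(helo, zone, ips=(PPPOE_IP, MAIL_IP)):
    """The thread has two uplinks, so check every path mail may take."""
    return {ip: check_helo(helo, ip, zone) for ip in ips}

if __name__ == "__main__":
    for label, helo, zone in [("bounce", "mail.domain.org", CURRENT_ZONE),
                              ("helo changed", DYN_PTR, CURRENT_ZONE),
                              ("proper config", "mail.domain.org", PROPER_ZONE)]:
        print(label, check_all(helo, zone))
```

The "helo changed" case reproduces the caveat in the accepted answer: setting HELO to the ISP's PTR name fixes the 87 path but breaks the 212 path, whereas the proper config passes on both.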
 
LVL 24

Author Comment

by:Mohammed Hamada
ID: 39910256
Hi skullnobrains

I have sent an e-mail to the customer requesting remote connection with him to try and fix the issue but I didn't get a reply yet.

I'll get back to you as soon as he gets back to me.
0
 
LVL 24

Author Closing Comment

by:Mohammed Hamada
ID: 39926230
The issue is related to the PTR, as pointed out by EE.
Thanks
0
