Solved

Customer's Exchange doesn't get through to a government mail server (helo or mx configuration is wrong)

Posted on 2014-03-01
Last Modified: 2014-03-13
Hello Everyone,

I have a customer who has Exchange 2010 running, configured well and pretty much working fine with all public mail providers, except that with a couple of government mail servers the email gets bounced with the following message.

mail01.verwalt-berlin.de hat diesen Fehler ausgegeben:
<poststelle@fa-prenzlauer-berg.verwalt-berlin.de>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: mail.domain.org, MTA hostname: port-87-193-172-42.static.qsc.de[87.ADSL_IP] (helo/hostname mismatch)


The customer is using a PPPoE dial-up connection to their ISP. With that connection we are receiving a static public IP address. Their mail server is mail.domain.org and is configured on a different IP address, 212.x.x.x. If we make a test with Microsoft's test analyzer http://testexchageconnectivity.com, we get all green marks. But it looks like some servers are not looking at the 212 IP and are instead looking at the 87 IP. Is there anything that has to be changed in our configuration?
 
Just to clarify their network topology: the customer has pfSense configured as their main router with 2 ADSL connections, and TMG is acting as the DMZ and Exchange Edge role as well, with Forefront gateway configured too.

The local hostname of the Exchange Hub Transport is post.domain.org; the Edge, which has TMG on it and is acting as an Exchange role as well, has the hostname "mail.domain.org".

Here is the bounce message from the receiving Mailserver which is rejecting their eMails:

Note: We have checked whether the IPs are on a blacklist, and they are not; we also spoke to the ISP, who confirmed it is not on their blacklist either.
Would appreciate any thoughts.


(Sorry, it's in German, but I included a translation below.)

mail01.verwalt-berlin.de hat Ihre Nachricht an die folgende E-Mail-Adresse zurückgewiesen:
 
poststelle@fa-prenzlauer-berg.verwalt-berlin.de (poststelle@fa-prenzlauer-berg.verwalt-berlin.de)
 
Ihre Nachricht wurde aufgrund eines Berechtigungs- oder Sicherheitsproblems nicht zugestellt. Möglicherweise wurde sie von einem Moderator zurückgewiesen, die Adresse akzeptiert nur E-Mails von bestimmten Absendern oder die Übermittlung wurde durch eine andere Einschränkung verhindert.

(Your message was not delivered due to a permission or security issue. It may have been rejected by a moderator, the address will only accept emails from specific senders or the transmission was prevented by another constraint.)
 
   
Diagnoseinformationen für Administratoren:
 
Generierender Server: mail.domain.org
 
poststelle@fa-prenzlauer-berg.verwalt-berlin.de
mail01.verwalt-berlin.de #550 5.7.1 <poststelle@fa-prenzlauer-berg.verwalt-berlin.de>: Recipient address rejected: Mail appeared to be SPAM or forged. Ask your Mail/DNS-Administrator to correct HELO and DNS MX settings or to get removed from DNSBLs; MTA helo: mail.domain.org, MTA hostname: port-87-193-172-42.static.qsc.de[87.x.x.x] (helo/hostname mismatch) ##
 
Ursprüngliche Nachrichtenköpfe:
 
Received: from POST.domain.org (192.168.111.3) by mail.domain.org
(192.168.111.1) with Microsoft SMTP Server (TLS) id 14.3.174.1; Thu, 20 Feb
2014 18:34:00 +0100
Received: from POST.domain.org ([fe80::ec31:bef6:f37d:effe]) by
post.domain.org ([fe80::ec31:bef6:f37d:effe%13]) with mapi id
14.03.0174.001; Thu, 20 Feb 2014 18:34:00 +0100
From: name surname <name_surname@domain.org>
To: "poststelle@fa-prenzlauer-berg.verwalt-berlin.de"
            <poststelle@fa-prenzlauer-berg.verwalt-berlin.de>
Subject: Test
Thread-Topic: Test/  hier:
SEPA-Lastschriftmandat
Thread-Index: Ac8twHfIAAZdRDtERce7bNrXMlLSwQ==
Disposition-Notification-To: Name Surname
            <name_surname@domain.org>
Return-Receipt-To: <name_surname@domain.org>
Date: Thu, 20 Feb 2014 17:33:59 +0000
Message-ID: <75260A919C08394988275FD04BDA0DE5164BB0AA@post.domain.org>
Accept-Language: de-DE, en-US
Content-Language: de-DE
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.111.49]
Content-Type: application/pkcs7-mime; smime-type=signed-data;
            name="smime.p7m"
Content-Disposition: attachment; filename="smime.p7m"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Return-Path: name_surname@domain.org

Question by:Mohammed Hamada
9 Comments
 
LVL 19

Expert Comment

by:strivoli
ID: 39897104
Your PTR might not be the same as the one in the SMTP banner.
Run an SMTP test using www.mxtoolbox.com. Thanks.
 
LVL 23

Author Comment

by:Mohammed Hamada
ID: 39897119
Hi Strivoli,

I ran an SMTP test and here's what I got:


smtp:212.x.x.x
220 mail.domain.org Microsoft ESMTP MAIL Service ready at Sat, 1 Mar 2014 12:46:27 +0100

Test                        Result
SMTP TLS                    Warning - Does not support TLS.
SMTP Transaction Time       8.533 seconds - Not good! on Transaction Time
SMTP Reverse Banner Check   OK - 212.x.x.x resolves to mail.domain.org
SMTP Reverse DNS Mismatch   OK - Reverse DNS matches SMTP Banner
SMTP Connection Time        0.967 seconds - Good on Connection time
SMTP Open Relay             OK - Not an open relay.
Session Transcript:
Connecting to 212.x.x.x

220 mail.domain.org Microsoft ESMTP MAIL Service ready at Sat, 1 Mar 2014 12:46:27 +0100 [780 ms]
EHLO MXTB-PWS3.mxtoolbox.com
250-mail.domain.org Hello [64.20.227.133]
250-SIZE 10485760
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-AUTH
250-8BITMIME
250-BINARYMIME
250 CHUNKING [796 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 2.1.0 Sender OK [796 ms]
RCPT TO: <test@example.com>
550 5.7.1 Unable to relay [5803 ms]

MXTB-PWS3v2 9641ms

 
LVL 26

Expert Comment

by:skullnobrains
ID: 39897366
- your helo name should match the PTR associated with your external IP
- there should be a single PTR record
- the helo name and the PTR associated with the IP must correspond to an A record that includes the outgoing IP

the error is quite explicit : MTA helo: mail.domain.org, MTA hostname: port-87-193-172-42.static.qsc.de[87.x.x.x] (helo/hostname mismatch)

what they call hostname is the (dynamic) ptr associated with your external ip

the email did transit through the 87 address so you have a network configuration problem if the exchange server is supposed to send email through 212.xxx
maybe the 212 link was down at that time ?

from what i gather, the test you have run on mxtoolbox tests the incoming email config. your problem is outgoing so this is only loosely related.
 
LVL 23

Author Comment

by:Mohammed Hamada
ID: 39897882
Hi Skullnobrains,

In fact there's no network problem! The emails are all going out just fine. Only to this particular government e-mail destination do we get rejected, and the mail bounces back with the posted error message.

I have checked my customer's PTR DNS configuration and it has the right IP, which is bound to mail.domain.org, and it's only a single PTR record, as follows:
domain.org      text = "v=spf1 mx ip4:212.x.x.x a:port-87-x-x-x.static.qsc.de -all"

I just didn't get your last point
- the helo name and the PTR associated with the IP must correspond to an A record that includes the outgoing IP

Do you mean here that in the TXT record it should include the A name instead of the IP that points to my Exchange server or TMG?

Is this a correct record or not?
 
LVL 26

Expert Comment

by:skullnobrains
ID: 39898301
the helo name is mail.domain.org
the ptr is port-87-193-172-42.static.qsc.de

no they do not match

most servers will not care, properly configured filtering servers will increase the probability that you are a spammer and possibly trigger greylisting or tarpitting procedures, and self-assured configured servers will reject the mail altogether

if mail.domain.com is the ptr for your 212 address, you just need the mailflow to flow through 212 instead of 87
if not you'll be in trouble with the other address as well

Do you mean here that in the txt it should include the A name instead of the IP that points to my Exchange server or TMG?

this is what I was talking about (it's ok for now)

87-193-172-42 IN PTR --> port-87-193-172-42.static.qsc.de
port-87-193-172-42.static.qsc.de IN A --> 87-193-172-42

i was not talking about your spf record which looks good enough. i used the word "include" because the IN A query may resolve to several IP addresses. it is ok as long as the proper address is among them
 
LVL 23

Author Comment

by:Mohammed Hamada
ID: 39898431
This sounds great, but how do I change the PTR in the public DNS?

The PTR is actually not correct, that's right. It doesn't match the IP of mail.domain.com! That's pfSense's public IP address.

If I can't change the PTR on the public DNS, do I need to change the mail flow settings on the Exchange EMC send connector and change it to route using the mail.domain.com IP (212.x.x.x), right?

Thanks
 
LVL 26

Accepted Solution

by:
skullnobrains earned 500 total points
ID: 39898474
This sounds great, but how do I change the PTR in the public DNS ?

your ISP maintains the PTR. it is possible that you can't change it, or rather cannot without paying an extra fee. anyway, ask them. usually business connections with fixed ips will allow you to set the PTR.

like i said before, if your email is supposed to flow through 212 (as suggested in your initial question), maybe that address has a proper ptr that matches your helo. i can't check since you don't give that information. if that is the case, you probably misconfigured your pfsense and accidentally let the mail flow through the wrong address. a policy route should exist to route the mail through 212 if that is the expected behavior

The ptr is actually not correct that's right. it doesn't match the IP of the mail.domain.com! that's Pfsense's public IP address.

the IP of mail.domain.com is irrelevant.

the PTR should match the HELO sent by your server. you can configure your server to send "HELO port-87-193-172-42.static.qsc.de" and things will work when mail flows through the corresponding address

in case this is unclear, "match" in the previous sentence and above posts means "be the same" and not "resolve to the same ip"

If I can't change the PTR on the public DNS, do I need to change the mailflow settings on Exchange EMC send connector and change it to route using the mail.domain.com IP (212.x.x.x) right??

you can change the HELO sent by the exchange server like i said above.

"route using the mail.domain.com IP" in exchange does not mean anything to me. maybe it is meaningful in your setup. i'd assume both external addresses are connected to your pfsense so redirecting traffic through one ip or another should be done with a policy route in pfsense. if that is not the case, i do not have enough information to answer. i'd also need to know what the ptr of the 212 address is

---

a proper config should be the following :

exchange sends "HELO mail.domain.com"
the PTRs of both your external IPs are set to mail.domain.com
mail.domain.com resolves to both your external ips and possibly a few others

with this config, your mail will flow properly through either address

---

by changing the helo in exchange like suggested above, you can make the email flow through the 87 address properly but it will not work if your mail flows through the 212. since i do not know the ptr associated with the 212 address, i cannot determine if things would work properly if you redirected your outgoing mail traffic through this address with your current config.

---

if you are unsure about the rules that apply, refer to the first 3 lines of my first post
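The three rules from skullnobrains' first comment and the "proper config" in the accepted solution, as an added example that is not code from the thread: a checker for HELO/PTR/A consistency with an injectable resolver, run offline against constructed zone data that mirrors the bounce (87.193.172.42 is the dial-up address quoted in the error; 203.0.113.10 is an assumed stand-in for the redacted 212.x.x.x).

```python
# Added example (not code from the thread): the three HELO/PTR/A rules from
# skullnobrains' first comment, checked against constructed zone data that
# mirrors the thread and the "proper config" of the accepted solution.
import ipaddress
from typing import Callable, Dict, List, Tuple

Lookup = Callable[[str], List[str]]  # name/IP -> list of records (injectable resolver)

def check_helo(helo: str, sending_ip: str, ptr_of: Lookup, a_of: Lookup) -> List[str]:
    """Return the problems a strict receiver would flag; [] means consistent."""
    problems: List[str] = []
    helo = helo.rstrip(".").lower()
    sending_ip = str(ipaddress.ip_address(sending_ip))
    ptrs = [p.rstrip(".").lower() for p in ptr_of(sending_ip)]
    if len(ptrs) != 1:            # rule: exactly one PTR record
        problems.append(f"{sending_ip} has {len(ptrs)} PTR records, expected 1")
    if helo not in ptrs:          # rule: HELO name must be the PTR name (not just resolve alike)
        problems.append(f"helo/hostname mismatch: HELO {helo}, PTR {ptrs or 'none'}")
    for name in {helo, *ptrs}:    # rule: HELO and PTR names must have an A record with this IP
        addrs = a_of(name)
        if sending_ip not in addrs:
            problems.append(f"A records of {name} ({addrs or 'none'}) lack {sending_ip}")
    return problems

# Constructed zones. 87.193.172.42 is the ISP dial-up address in the bounce;
# 203.0.113.10 (documentation range) stands in for the redacted 212.x.x.x.
ZONE_AS_POSTED = {
    "ptr": {"87.193.172.42": ["port-87-193-172-42.static.qsc.de"], "203.0.113.10": ["mail.domain.org"]},
    "a": {"port-87-193-172-42.static.qsc.de": ["87.193.172.42"], "mail.domain.org": ["203.0.113.10"]},
}
ZONE_FIXED = {  # both external IPs PTR to the HELO name, which resolves to both
    "ptr": {"87.193.172.42": ["mail.domain.org"], "203.0.113.10": ["mail.domain.org"]},
    "a": {"mail.domain.org": ["87.193.172.42", "203.0.113.10"]},
}

def run_demo() -> Dict[Tuple[str, str], List[str]]:
    """Check HELO mail.domain.org sent from each external IP against both zones."""
    results = {}
    for label, zone in (("as posted", ZONE_AS_POSTED), ("fixed", ZONE_FIXED)):
        ptr_of = lambda ip, z=zone: z["ptr"].get(ip, [])
        a_of = lambda name, z=zone: z["a"].get(name, [])
        for ip in ("87.193.172.42", "203.0.113.10"):
            results[(label, ip)] = check_helo("mail.domain.org", ip, ptr_of, a_of)
    return results

if __name__ == "__main__":
    for key, probs in run_demo().items():
        print(key, "OK" if not probs else "; ".join(probs))
```

Against the zone as posted, mail sent from 87.193.172.42 is flagged with exactly the helo/hostname mismatch the government server reported, while mail from the 212 stand-in passes; in the fixed zone both addresses pass.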
 
LVL 23

Author Comment

by:Mohammed Hamada
ID: 39910256
Hi skullnobrains

I have sent an e-mail to the customer requesting remote connection with him to try and fix the issue but I didn't get a reply yet.

I'll get back to you as soon as he gets back to me.
 
LVL 23

Author Closing Comment

by:Mohammed Hamada
ID: 39926230
The issue is related to PTR as pointed out by EE.
Thanks