Solved

reverse DNS does not match SMTP banner

Posted on 2015-01-14
Last Modified: 2015-01-20
Whilst carrying out some routine diagnostic work for our Microsoft Windows 2012 server running Exchange 2010, I was running MXTOOLBOX.com, which produced the following results :-


SMTP Reverse DNS Mismatch
 
Warning - Reverse DNS does not match SMTP Banner
 
 More Info

SMTP Transaction Time
 
8.315 seconds - Not good! on Transaction Time
 
More Info

SMTP Banner Check
 
OK - xxx.30.36.xx resolves to autodiscover.domainname.co.uk

 
SMTP TLS
 
OK - Supports TLS.
 

SMTP Connection Time
 
0.905 seconds - Good on Connection time
 

I am a little confused about what our reverse DNS should point to?

Our smtp mail service is configured as mail.domainname.co.uk

We also have an A host record pointing to autodiscover.domainname.co.uk

The SMTP banner is reported by MXTOOLBOX as being autodiscover.domainname.co.uk

Do I get our host to set our reverse DNS to resolve to mail.domainname.co.uk, i.e. our standard SMTP name, or do I need it set to autodiscover.domainname.co.uk, which is what MXTOOLBOX.COM says our SMTP banner resolves to?

Any advice would be much appreciated.

Thanks

SMTP Open Relay
OK - Not an open relay.

Question by: nigelbeatson

18 Comments

Expert Comment

by:Will Szymkowski
ID: 40549215
You need to have the following...
A (host) record = mail.domain.com
Reverse (PTR) = x.x.x.x (resolving to mail.domain.com)
CNAME Record  = Autodiscover.domain.com (pointing to mail.domain.com)

Those are the entries you should have in your external DNS settings.

Will.

Expert Comment

by:Alan Hardisty
ID: 40549748
Hi Nigel,

Firstly, ignore the MXToolbox results as it can't report correctly on an Exchange 2007 / 2010 / 2013 server because you SEND via your SEND connector and it tests your RECEIVE connector, so the result is wrong.

To test this you can use nslookup from a command prompt:

nslookup mail.yourdomain.com (or whatever your FQDN is)

Should reply with an IP Address e.g., 123.123.123.123

Then type:

nslookup 123.123.123.123

It should reply with mail.yourdomain.com (or whatever your FQDN is).

If these don't match, then you need to change one or the other.  The simpler one is the Reverse DNS record which is a case of calling your ISP and asking them to change it, but there must be a valid A record for your domain in existence or they won't set it up.

Alan

Author Comment

by:nigelbeatson
ID: 40551278
Thank you for your reply.

Whilst working on this, I got some feedback from our host, as follows :-

PTR for xx.30.xx.26 resolves correctly

This however, doesn't match the SMTP banner which is the first message sent from your mail server when an smtp session is made.

You can see this by going to a command prompt and

telnet xx.30.xx.26 25

you will get

220 fsams2.fsa1.local

This is the SMTP banner the error is referring to.


I am getting a little confused as to what I need to do, if anything, but I just don't like to see such warnings.

Alan, I am not ignoring what you have written, but I thought I would let you know what our host has said to see if it fits in with what you are suggesting.

Any advice appreciated.

Expert Comment

by:Alan Hardisty
ID: 40551300
Check the FQDN on your Default SEND connector.

Telnetting TO your server will connect you to your RECEIVE connector which will report the wrong name - but it isn't the connector that you send from so is irrelevant.

Alan

Author Comment

by:nigelbeatson
ID: 40551316
OK. Will do. Thanks

Author Comment

by:nigelbeatson
ID: 40553215
I have followed your instructions Alan, and there seems to be a variation in what we need.

Microsoft Windows [Version 6.2.9200]
(c) 2012 Microsoft Corporation. All rights reserved.

C:\Users\administrator.FSA1>NSLOOKUP mail.domainname.co.uk
Server:  fsafs1.fsa1.local
Address:  192.168.1.200

Name:    mail.domainname.co.uk
Address:  192.168.1.125


C:\Users\administrator.FSA1>nslookup 192.168.1.125
Server:  fsafs1.fsa1.local
Address:  192.168.1.200

Name:    fsams2.fsa1.local
Address:  192.168.1.125


When I run nslookup on the other local IP address, we get :-

C:\Users\administrator.FSA1>nslookup 192.168.1.200
Server:  fsafs1.fsa1.local
Address:  192.168.1.200

Name:    fsafs1.fsa1.local
Address:  192.168.1.200


How do we change the resolution from the local name to respond with our SMTP name mail.domainname.co.uk?

we currently have 2 servers :-

fsafs1 which is our domain controller

and

fsams2 which is our mail server.

will making changes in this way affect any of the local operations?

Many thanks

Expert Comment

by:Alan Hardisty
ID: 40553262
Okay - you seem to have DNS set up internally to resolve the mail.domain.com which will give you results internally which won't help you.

Can you try this from a location outside your domain (office) please and you will see different results.

Any of the following IP addresses are internal (private IPs) and won't help.

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

Alan

Author Comment

by:nigelbeatson
ID: 40553952
I have now run the checks from outside the domain, as follows :-


C:\Windows\System32>nslookup mail.domainname.co.uk
Server:  smartserv1.smart.local
Address:  192.168.2.7

DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
Name:    mail.domainname.co.uk
Address:  xx.30.xx.26


C:\Windows\System32>nslookup xx.30.xx.26
Server:  smartserv1.smart.local
Address:  192.168.2.7

Name:    MAIL.domainname.CO.UK
Address:  xx.30.xx.26

This now appears to be what you suggested it should be?


I still get a warning when I run MXTOOLBOX though.


SMTP Reverse DNS Mismatch
Warning - Reverse DNS does not match SMTP Banner

SMTP Transaction Time
8.268 seconds - Not good! on Transaction Time

SMTP Banner Check
OK - xx.30.xx.26 resolves to mail.domainname.co.uk

SMTP TLS
OK - Supports TLS.

SMTP Connection Time
0.889 seconds - Good on Connection time

SMTP Open Relay
OK - Not an open relay.


I know that you said it may not be correct according to mxtoolbox, but I have recently asked our host to set our external DNS as follows :-

A (host) record = mail.domainname.co.uk
Reverse (PTR) = xx.30.xx.26 (resolving to mail.domainname.co.uk)
CNAME Record = autodiscover.domainname.co.uk


I connect via remote desktop using owamail.domainname.co.uk and am a little confused as to which is the best / correct name for us?

i.e. mail.domainname.co.uk or owamail.domainname.co.uk

I have also noticed that I cannot connect to OWA using either of the 2 names above, i.e.

https://owamail.domainname.co.uk/
or
https://mail.domainname.co.uk/

Can you assist in helping me to understand what our server was set up to use, and which name we should be using?

Mail is working so I don't want to break it, but I have confusion over how this server should be set. We seem to recall that we have used owamail for a few years, but I think the new Windows 2012 server running Exchange 2010 may use mail.

How can I clarify this?

Many thanks

Expert Comment

by:Alan Hardisty
ID: 40553964
Okay - that looks better.

What is important here is that the FQDN used on your SEND connector matches the Reverse DNS record for the IP Address and that the FQDN resolves publicly to the IP Address that you are sending from.

So - if your SEND Connector FQDN shows mail.domainname.co.uk, and mail.domainname.co.uk resolves to xx.30.xx.26, and xx.30.xx.26 resolves to mail.domainname.co.uk, then you are good to go.

Ignore MXToolbox - it only reports correctly for Exchange 2003.

OWA should resolve happily if you use https://mail.domainname.co.uk/owa - possibly others if you have other names that resolve to the same IP Address AND the SSL certificate has the FQDN in it.

Alan

Author Comment

by:nigelbeatson
ID: 40554023
Thanks Alan,

The problem I think may be that our SSL is set for owamail.domainname.co.uk (I have just checked and it is).

Should I just get our host to reset our dns using owamail. rather than just mail. so that it all matches?

like this?
A (host) record = owamail.domainname.co.uk
Reverse (PTR) = xx.30.xx.26 (resolving to owamail.domainname.co.uk)
CNAME Record = autodiscover.domainname.co.uk

Many thanks

Regards
Nigel

Expert Comment

by:Alan Hardisty
ID: 40554028
When you send emails - you don't use your SSL certificate unless you use TLS authentication.

You can have owamail / mail / remote / bananas / sausages etc all pointing TO your server - that's perfectly fine and as long as you include the relevant names in your SSL certificate then OWA will not complain about certificate name mismatches, but that is a totally separate issue to Reverse DNS.

Alan

Author Comment

by:nigelbeatson
ID: 40554058
Sorry Alan, I confused the issue!

I realise that the SSL is a different issue but I feel we have got different names in use here and I wanted to centralise it all so to speak.

In our external DNS the MX record shows as mail.domainname.co.uk
we have an A Host record set to the same name mail.domainname.co.uk

They both point to our public IP

we have a cname set to autodiscover.domainname.co.uk


I had also asked our host to set the reverse DNS to mail.domainname.co.uk

My concern is that the SSL which sits on our Exchange 2010 server is configured as owamail.domainname.co.uk, so don't we need the DNS which directs mail to the public IP of our server to be the same?

My idea was to make sure that all of our DNS entries and reverse DNS were set correctly so that we would not have problems with our mail being marked as SPAM, but it seems to have uncovered another issue which I am unsure about?

Sorry for jumping across, I just am so confused as to whether the external DNS needs to match the SSL, and once I have this set correctly, you have provided me with the tools to check the reverse DNS is also set correctly.

I really appreciate your assistance

Thanks

Expert Comment

by:Alan Hardisty
ID: 40554121
If email is directed to mail.domainname.co.uk and you have a single static IP, then if your SEND connector FQDN shows the same and Reverse DNS is also the same, then you are all set.

In terms of SSL, it should have mail.domainname.co.uk, Autodiscover.domainname.co.uk and, if you want, owamail.domainname.co.uk and/or owa.domainname.co.uk.

You don't have to have all the same names for all aspects of Exchange.

Also remember that as you have Exchange 2010, sending and receiving are split up on your server and are independent of each other, and no-one cares what name you use to direct mail TO your server as long as it arrives.

Choosing a name to use for OWA is a cosmetic thing.

Alan

Author Comment

by:nigelbeatson
ID: 40557932
Sorry to persist with this Alan, but there seem to be some changes which I cannot reconcile.

I have just run the commands again, for both mail.domainname.co.uk and owamail.domainname.co.uk with the following results :-


C:\Windows\System32>nslookup mail.domainname.co.uk
Server:  SMARTSERV1.smart.local
Address:  192.168.2.7

DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
Name:    mail.domainname.co.uk
Address:  xx.30.xx.26


C:\Windows\System32>nslookup xx.30.xx.26
Server:  SMARTSERV1.smart.local
Address:  192.168.2.7

Name:    owaMAIL.domainname.CO.UK
Address:  xx.30.xx.26


C:\Windows\System32>nslookup owamail.domainname.co.uk
Server:  SMARTSERV1.smart.local
Address:  192.168.2.7

DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
Name:    owamail.domainname.co.uk
Address:  xx.30.xx.26


C:\Windows\System32>nslookup xx.30.xx.26
Server:  SMARTSERV1.smart.local
Address:  192.168.2.7

Name:    owaMAIL.domainname.CO.UK
Address:  xx.30.xx.26


When I use mxtoolbox I can only see one MX / A Host record for mail.domainname.co.uk, with no mention of owamail.domainname.co.uk.

I can see host records in our local DNS, but I am just so confused as to how owamail.domainname.co.uk finds its way to our public IP address, when I can't see it listed in our external DNS?

Is the external DNS case sensitive, as I notice it replies with owaMAIL.domainname.co.uk not owamail.domainname.co.uk?


I really don't want to over-complicate things as it is working, but I just can't work out what controls the names of our mail service.

As I understood it, we define an MX / A Host record, i.e. owamail.domainname.co.uk, which points to our mail server public IP. Therefore whenever any mail arrives at our domain host it is forwarded on to our mail server public IP.

Can I presume that our server will receive any mail sent to it?

Is the A host record at our external DNS only relevant when we use the name owamail.domainname.co.uk, i.e. with OWA?

Where is the resolution for owamail.domainname.co.uk coming from? If it's not coming from our external DNS, does this mean it is picked up from our local DNS? If so, what controls what name it is resolved to? I have both mail.domainname.co.uk and owamail.domainname.co.uk defined in our local DNS, but I would like to know where the resolution comes from?

I am just missing something which I am certain once you point it out will become blatantly obvious, but I am just a little lost at the moment.

Any advice you can give, would be appreciated.

Many thanks

Expert Comment

by:Alan Hardisty
ID: 40559408
Q: When I use mxtoolbox I can only see one MX / A Host record for mail.domainname.co.uk, with no mention of owamail.domainname.co.uk

A: You only have one MX record - which is fine.  owamail is just an A record (pointer) not an MX record so that's perfectly fine / normal.

Q: I can see a host records in our local DNS, but I am just so confused as to how the owamail.domainname.co.uk finds its way to our public IP address, when I can't see it listed in our external DNS??

A: Internal DNS will be resolved using the record you have set for it.  Publicly you probably have a * (default) A record that resolves anything that isn't specified as an A record to the same IP Address.  Try resolving banana.domainname.co.uk and see if it shows the same IP Address as owamail.domainname.co.uk - it probably will.

Q: Is the external DNS case sensitive, as I notice it replies with owaMAIL.domainname.co.uk not owamail.domainname.co.uk?

A: No - dns isn't case sensitive (same as an email address!)

Q: As I understood it, we define an MX / A Host record, i.e. owamail.domainname.co.uk, which points to our mail server public IP. Therefore whenever any mail arrives at our domain host it is forwarded on to our mail server public IP.

Q: Can I presume that our server will receive any mail sent to it?

A: Yes - it should receive all mail sent to it - it may then filter using Anti-Spam software (if installed / configured) and reject anything it doesn't like.

Q: is the A host record at our external dns only relevant when we use the name owamail.domainname.co.uk ie with OWA?

A: A name is just a pointer and you could use anything that resolves to the right IP Address (which seems likely that absolutely anything will resolve to your IP Address), but the SSL certificate will determine if the user sees an error or not based on the name used and the names included in the SSL certificate.

Q: Where is the resolution for owamail.domainname.co.uk coming from? If it's not coming from our external DNS, does this mean it is picked up from our local DNS? If so, what controls what name it is resolved to? I have both mail.domainname.co.uk and owamail.domainname.co.uk defined in our local DNS, but I would like to know where the resolution comes from?

A: Hopefully answered above.

Hopefully that covers all of your questions.  If you are still unsure or have further questions, please feel free to ask.

Alan

Author Comment

by:nigelbeatson
ID: 40559433
Thanks for your detailed answer, I really appreciate you taking the time to reply.

My only outstanding question would be what controls which name our nslookup resolves to?

When I run nslookup for both mail.domainname.co.uk and owamail.domainname.co.uk it always seems to produce the same IP address, which in turn resolves to owamail.domainname.co.uk, not mail.domainname.co.uk.

What controls this? i.e. what decides which name it is resolved to, mail or owamail?


Many thanks Alan

Accepted Solution

by: Alan Hardisty (earned 500 total points)
ID: 40559463
My pleasure.

When you use nslookup with a Fully Qualified Domain Name (FQDN) outside of your network, it uses Public DNS to query the DNS records for your domain and will return the IP Address that matches the FQDN specified, or the 'default' result if a specific FQDN isn't setup.

When you use nslookup on an IP Address, it will return the Reverse DNS record assigned to the Fixed IP Address (if one exists), so if that always returns owamail.domainname.co.uk and you want it to show mail.domainname.co.uk, then you need to ask your ISP to change it.

That hopefully answers your 'what controls this' question.  If not - please let me know.

Alan
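
Added example, not part of the original thread: a small Python script that performs the check Alan describes (forward A record, PTR for the address, and the hostname in the 220 banner must all agree with the SEND connector FQDN, case-insensitively). The hostnames, the 203.0.113.26 address and the banner text are constructed stand-ins for the redacted values above, and `collect_live` is only needed to gather the same facts from a real host.

```python
import re
import socket

BANNER_RE = re.compile(r"^220[ -]\s*(\S+)")  # "220 <host> ..." or "220-<host>" if multi-line


def normalise(name):
    """DNS is case-insensitive: owaMAIL.domainname.CO.UK == owamail.domainname.co.uk."""
    return name.lower().rstrip(".") if name else None


def banner_hostname(banner):
    """FQDN announced in an SMTP 220 greeting, or None if the line is not a 220."""
    m = BANNER_RE.match(banner.strip())
    return normalise(m.group(1)) if m else None


def check_alignment(send_fqdn, forward, ptr, banner):
    """Pure check over collected facts; returns the list of mismatches (empty = aligned).
    send_fqdn: FQDN on the Exchange SEND connector; forward: {name: {ip}} public A answers;
    ptr: {ip: name} reverse answers as set by the ISP; banner: the 220 line from port 25."""
    issues = []
    want = normalise(send_fqdn)
    ips = forward.get(want, set())
    if not ips:
        issues.append(f"no public A record for {want}")
    for ip in sorted(ips):
        got = normalise(ptr.get(ip))
        if got is None:
            issues.append(f"no PTR record for {ip}")
        elif got != want:
            issues.append(f"PTR for {ip} is {got}, expected {want}")
    announced = banner_hostname(banner)
    if announced != want:
        # MXToolbox's warning: on Exchange 2010 the banner comes from the RECEIVE connector, so advisory.
        issues.append(f"SMTP banner announces {announced}, expected {want}")
    return issues


def collect_live(fqdn, port=25, timeout=5.0):
    """Network version of the same facts. Run from OUTSIDE the LAN, or the internal
    192.168.x.x answers come back instead of the public ones."""
    _, _, addrs = socket.gethostbyname_ex(fqdn)
    ptr = {}
    for ip in addrs:
        try:
            ptr[ip] = socket.gethostbyaddr(ip)[0]
        except socket.herror:
            pass  # no PTR published for this address
    with socket.create_connection((fqdn, port), timeout=timeout) as sock:
        banner = sock.recv(512).decode("ascii", "replace").splitlines()[0]
    return {normalise(fqdn): set(addrs)}, ptr, banner


# Constructed sample mirroring the thread (203.0.113.26 stands in for the redacted xx.30.xx.26).
SAMPLE_FORWARD = {"mail.domainname.co.uk": {"203.0.113.26"}}
SAMPLE_PTR = {"203.0.113.26": "owaMAIL.domainname.CO.UK"}
SAMPLE_BANNER = "220 fsams2.fsa1.local"
```

Against the sample, `check_alignment("mail.domainname.co.uk", SAMPLE_FORWARD, SAMPLE_PTR, SAMPLE_BANNER)` reports two mismatches: the PTR points at owamail and the banner announces the internal name.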

Author Comment

by:nigelbeatson
ID: 40559477
It does, many thanks Alan.
Regards