Mark
How to set up smtp 220 response banner

Our office is hosting its own DNS and mail server. We are running Slackware64 14.1 kernel 3.10.17, sendmail 8.14.9.

In running some tests (e.g. mxtoolbox.com) I've determined that, "The SMTP banner issued by your email server did not contain the hostname we resolved for your server's IP address." For example:
$ telnet ohprs.org 25
Trying 64.129.23.170...
Connected to ohprs.org.
Escape character is '^]'.
220 mail.hprs.local ESMTP Sendmail 8.14.9/8.14.9; Thu, 19 Feb 2015 22:34:10 -0500
The 220 response has mail.hprs.local, which is the local hostname, but not the public name for sending email, e.g. user@ohprs.org.

Also I have:
$ host ohprs.org
ohprs.org has address 64.129.23.170
ohprs.org mail is handled by 20 mail.ohprs.org.
ohprs.org mail is handled by 10 webserver.ohprs.org.
The A and MX records are hosted at networksolutions.

How do I fix this? Can I fix this or does network solutions have to do it? If I can do it (please tell me how), which domain name should I have the 220 response answer with: mail.ohprs.org or ohprs.org?
Mark (ASKER)

This is getting to be a big deal as some email services (roadrunner, aol) are rejecting messages.

Please help!
SOLUTION by gr8gonzo (members only)
Fix your fully qualified domain name:

/etc/sysconfig/network

HOSTNAME=host.example.com

and reload network services.

then check that the host.example.com IP matches forward and inverse in DNS.
ASKER CERTIFIED SOLUTION (members only)
SOLUTION (members only)
I won't get into any arguments about mail server choices... as noted in my earlier post, I try not to "fix" what isn't broken, and I'll just agree that it's a "personal choice."

Moving on, I will say that forcing a name change on the whole system to accommodate the mail service is kind of like using a sledge hammer to pound in a screw:  it'll work, but possibly cause collateral damage while doing so. Further, it's the wrong way to do it to begin with: a wrong tool that just happens to get the job done... literally by accident!

In this case, the mail server -- with no direction otherwise -- uses the system name as its advertised name... not because it is a good (much less better) choice, but because it needs SOMETHING there, and that's at least a value to try. I stand by my suggestion (with link) to actually configure your 220 banner (SMTP Greeting) for your mail service (vs. letting it default). That way, you're not forced to call your server anything you're not already calling it, and the only "change" implemented is within mail itself.
While implementing services as separate "appliances" in specially designed VMs does a lot to improve security and isolate the impacts one service can have on another, we're not there yet... thus, it's highly presumptuous to assume this DNS/mail server does no other function. And without knowing what other functions might be there, isolating config changes to the mail service would seem (to me) to be prudent.

So I'll stand by my earlier recommendations:
Set the (one) PTR record for your public IP to some generic value on your own domain (e.g. location1.example.com) by calling your ISP
Set an (one of many?) A record for your domain so that the PTR value works in both directions
Set another A record in your own domain to call your mail server whatever you want (e.g. mail.example.com)
Set your mail server's 220 banner (SMTP greeting) to use the name you want (e.g. mail.example.com)

LEAVE YOUR OTHER SERVER SETTINGS ALONE: don't touch other A records, MX records, or whatever -- if it works, don't fix it -- and when you have to fix something, don't fix other (unbroken) things just because you can!

Dan
IT4SOHO
I can't believe that I read that blather.

I install and support Linux mail servers for service providers and I can tell you that slop counts.
Mark (ASKER)

gr8gonzo:
It's about reverse IP lookup.
Yes, the rejection was because of reverse DNS lookup. I didn't realize this issue was connected to reverse DNS so I posted another question on that: https://www.experts-exchange.com/questions/28621279/sendmail-not-delivering-deferred.html which was solved by some of the same respondents to this message.
Either set up a cron job that checks your exim.conf
Don't have an exim.conf, must be for a distro other than Slackware.
Just change the hostname of the server itself to ohprs.org
That would cause other problems ... had it that way some time ago when testing.

it4soho:
This page will show you how for most mail server systems.
That page did the trick. I added:

define(`confSMTP_LOGIN_MSG', `mail.ohprs.org Service ready; $b')dnl

to my .mc file and voila! I get that as the banner.

Jan Springer:
Sendmail is an excellent choice.  It's personal preference.
Agreed, and I use 4 different milters for spam, virus and email archiving which would be a pretty steep learning curve for me to figure out how to do that with some other MTA.
Your fqdn (server hostname) should match what you have in your forward DNS zone.
I'm DNS serving only for local LAN, plus DNS is being updated by Samba4 and clients. DNS is not a problem. I spent weeks getting that worked out.

it4soho:
forcing a name change on the whole system to accommodate the mail service is kind of like using a sledge hammer to pound in a screw
Quite, and that's exactly why knock-on programs such as DNS, Samba, etc. need the local domain FQDN: mail.hprs.local.

Anyway, you are both right, sendmail is my choice and has been able to do everything I need for many years now. Have not found any unblocked holes; it checks against blacklists, throttles over-zealous connectors, etc.

And, the link at http://www.theemailadmin.com/2010/08/how-to-change-your-smtp-banner-for-fun-and-profit/ provided a useful howto for sendmail and, as importantly, "why" one should change the 220 banner.

Now, final part of my question:

Given an email address: user@ohprs.org, senders' mail clients will likely connect to port 25 at ohprs.org , right? So, what *should* my banner have, "ohprs.org", or "mail.ohprs.org" (the latter being the FQDN of that host)?
Don't presume that a sender's from address will connect to a server with the same domain name.

And your banner should match your forward DNS setting.
Mark (ASKER)

Jan Springer:
don't presume that a sender from address will connect to a server with the same domain name.
Meaning it is OK as is: "mail.ohprs.org", right?

your banner should match your forward DNS setting.
Well, mxtoolbox.com's check program says, "OK - Reverse DNS matches SMTP Banner". I'm afraid I don't know where I'd find my forward DNS setting. Would that be the A record at Network Solutions?
First off, let's be clear that we're jumping through all of these hoops to meet various different sites' differing SPAM filtering rules. There isn't any "right" or "wrong" here, there is only meeting the requirements different sites have setup.

One of those requirements that larger sites have is that you have to pass FCRDNS (that is, for whatever you have set for your rDNS [PTR record] on your WAN IP address, there MUST be a corresponding forward DNS [A record] that matches.)

FCRDNS doesn't have any effect on LAN DNS, and LAN DNS entries that get used aren't likely to affect SPAM processing. So we're only talking about Internet DNS here.

Finally, we have already determined that the ISP hosts your rDNS entries... but the question came up that you don't host your own DNS service -- which doesn't matter. SOMEWHERE, (likely at your registrar) there are DNS records for your Internet domain name -- including an MX record, many A records [and hopefully at least 1 TXT record holding your SPF settings]. That is where you put the A record to match the PTR record your ISP sets for you.

To test if your FCRDNS is working properly, use this site.

Dan
IT4SOHO
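The FCRDNS round-trip Dan describes (IP to PTR, PTR name back to a matching A record) plus the "banner matches reverse DNS" test the asker ran at mxtoolbox, as an added example that is not part of the original thread. The sample banners and DNS records are constructed from the values quoted in this thread; the resolver callables are injectable so the check can be exercised offline, and `fetch_banner` does the live greeting read when pointed at a real host.

```python
import re
import socket

# Constructed sample data re-creating the values quoted in this thread: the banner before and after
# the confSMTP_LOGIN_MSG change, plus the PTR/A records the FCRDNS test site reported.
OLD_BANNER = "220 mail.hprs.local ESMTP Sendmail 8.14.9/8.14.9; Thu, 19 Feb 2015 22:34:10 -0500"
NEW_BANNER = "220 mail.ohprs.org Service ready; Thu, 19 Feb 2015 22:34:10 -0500"
SAMPLE_PTR = {"64.129.23.80": "mail.ohprs.org."}
SAMPLE_A = {"mail.ohprs.org": ["64.129.23.80"]}

def banner_hostname(banner):
    """Hostname advertised by an SMTP greeting (RFC 5321: '220 <domain> ...', or '220-' when multi-line)."""
    m = re.match(r"^220[ -](\S+)", banner.strip())
    if not m:
        raise ValueError("not a 220 greeting: %r" % banner)
    return m.group(1).lower()

def live_ptr(ip):
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:          # no PTR record for this IP
        return None

def live_a(name):
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:          # name does not resolve
        return []

def fcrdns_check(ip, banner, ptr_lookup=live_ptr, a_lookup=live_a):
    """Does ip -> PTR -> A round-trip (FCRDNS), and does the banner name equal the PTR name?"""
    report = {"ip": ip, "ptr": None, "banner_name": banner_hostname(banner), "forward_ok": False, "banner_ok": False}
    ptr = ptr_lookup(ip)
    if ptr is None:                  # no rDNS at all: only the ISP can add the PTR record
        return report
    report["ptr"] = ptr = ptr.rstrip(".").lower()
    report["forward_ok"] = ip in a_lookup(ptr)          # matching A record lives at the registrar/DNS host
    report["banner_ok"] = report["banner_name"] == ptr  # mxtoolbox's "Reverse DNS matches SMTP Banner"
    return report

def fetch_banner(host, port=25, timeout=10):
    """Read the greeting (any '220-' continuation lines plus the final '220 ' line), then QUIT."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f, lines = s.makefile("r", encoding="ascii", errors="replace"), []
        for line in f:
            lines.append(line.rstrip("\r\n"))
            if not line.startswith("220-"):
                break
        s.sendall(b"QUIT\r\n")
    return "\n".join(lines)
```

Against a live host, `fcrdns_check(ip, fetch_banner(host))` uses the system resolver; with the constructed tables, the old banner passes FCRDNS but fails the banner match, and the new banner passes both.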
Mark (ASKER)

it4soho:
you don't host your own DNS service -- which doesn't matter. SOMEWHERE, (likely at your registrar) there are DNS records for your Internet domain name
Correct, these are at Network Solutions. Our ISP does have the reverse DNS configured.

Your suggested site gave the following results:

Looking up Reverse DNS for IP Address: [64.129.23.80]

RDNS for 64.129.23.80 is: [mail.ohprs.org] - (PTR record - 80.23.129.64.in-addr.arpa)
IP Address for mail.ohprs.org is: [64.129.23.80]

SUCCESS! - Forward Confirmed Reverse DNS is CORRECT!
The IP address for the reverse lookup name matches the original IP

I guess that means we're good to go.
Interesting. I come in first with the actual answer, and I get 12% of the overall points and an "assist."

Dan comes in and gives a longer post that says the same thing, and he gets the "answer" with 50% of the points. Maybe I need to start spamming my answer posts with bold text, underlines, and larger text.

Piggybacking drives me nuts.
Mark (ASKER)

The question was about setting the 220 header in response to my testing with mxtoolbox.com, which determined that, "The SMTP banner issued by your email server did not contain the hostname we resolved for your server's IP address." and Dan gave me the link to change that. In my follow-up post I did mention that some email was getting rejected by e.g. roadrunner, which I mistakenly thought had to do with the 220 header. I did get that bit resolved from a different question I posted, so the reverse DNS lookup thing wasn't really an issue when you posted.

Nevertheless, I understand your irritation. I try to give something to constructive participants and perhaps sometimes my allocations are subject to criticism, apportioned not quite equitably. But hey, I've got plenty of other networking posts out there, so piggyback on and snag some points.

Also, feel free to appeal to the moderator. I won't feel bad.