Solved

How to set up smtp 220 response banner

Posted on 2015-02-19
330 Views
Last Modified: 2015-02-23
Our office is hosting its own DNS and mail server. We are running Slackware64 14.1 kernel 3.10.17, sendmail 8.14.9.

In running some tests (e.g. mxtoolbox.com) I've determined that, "The SMTP banner issued by your email server did not contain the hostname we resolved for your server's IP address." For example:
$ telnet ohprs.org 25
Trying 64.129.23.170...
Connected to ohprs.org.
Escape character is '^]'.
220 mail.hprs.local ESMTP Sendmail 8.14.9/8.14.9; Thu, 19 Feb 2015 22:34:10 -0500


The 220 response has mail.hprs.local, which is the local hostname, but not the public name for sending email, e.g. user@ohprs.org.

Also I have:
$ host ohprs.org
ohprs.org has address 64.129.23.170
ohprs.org mail is handled by 20 mail.ohprs.org.
ohprs.org mail is handled by 10 webserver.ohprs.org.


The A and MX records are hosted at networksolutions.

How do I fix this? Can I fix this or does network solutions have to do it? If I can do it (please tell me how), which domain name should I have the 220 response answer with: mail.ohprs.org or ohprs.org?
Question by:jmarkfoley
14 Comments
 
LVL 1

Author Comment

by:jmarkfoley
This is getting to be a big deal as some email services (roadrunner, aol) are rejecting messages.

Please help!
0
 
LVL 34

Assisted Solution

by:gr8gonzo
gr8gonzo earned 60 total points
It's about reverse IP lookup. Basically, an IP can have a reverse DNS entry that will map back to a domain name. This is a PTR record.

1. You need to contact whatever provider is the one controlling the IP address of 64.129.23.170 and ask them to set up a PTR record that points to ohprs.org. To be clear, this is NOT a DNS record entry on the ohprs.org domain, this is a record associated to the IP address. Only the provider of that IP address can make this change for you.

2a. Either set up a cron job that checks your exim.conf (usually in /etc) and updates smtp_banner to reflect the hostname of ohprs.org. The cron job is only if you have some kind of 3rd party software that maintains your mail services (which is pretty often with Exim/ESMTP). If you manually maintain it, you can just update the exim.conf file once and leave it at that.
...or...
2b. Just change the hostname of the server itself to ohprs.org instead of mail.hprs.local. I believe the hostname is defined in /etc/HOSTNAME and is read at boot-time, so you can change it there and reboot. Then just type "hostname" on the shell to check to make sure the changes took effect. Exim should use your hostname value by default in its banner.
0
 
LVL 28

Expert Comment

by:Jan Springer
Fix your fully qualified domain name:

/etc/sysconfig/network

HOSTNAME=host.example.com

and reload network services.

then check that the host.example.com IP matches forward and inverse in DNS.
0
 
LVL 20

Accepted Solution

by:
Daniel McAllister earned 250 total points
OK, so to make sense of what the other experts have already said, and put it in perspective.... For SPAM filtering at many other sites, you need to have 2 things set up properly (and this is purely SPAM crap):

The IP address you send from has to have 2 DNS entries:

- both an A record, and a PTR record... and they have to MATCH each other... You can manage the A record just fine locally (you said you're hosting your own DNS) -- the PTR record is the tricky one, so I'm going to focus on the PTR record first.

Your PTR record(s) need to be FQDNs (Fully Qualified Domain Names). Many people will make it "functional" -- like mail.example.com, but I prefer to make it more generic (as functions tend to change, where geography less so). Thus, using myself as an example, I happen to live in St. Petersburg, FL (USA) and I happen to have 5 IP addresses -- so I set my 5 IP addresses (that are here in my St. Pete offices) to be stpfl1.it4soho.com, stpfl2.... and so on up to stpfl5.it4soho.com....

Let's assume you live in Anytown, Missouri -- by my reckoning you would name your host something like anymo1.example.com

Make your PTR records whatever you want, just know that you have to contact your ISP to do it.... but for the rest of my notes here, I'm assuming you called it anymo1.example.com.

LAST NOTE on the PTR record: As a general rule, you only have 1 PTR record per IP address.

----

So now, let's look at your A records, but keep in mind the PTR record(s) you just had your ISP create for you.

For each PTR record you just set, you now need to have an A record (not a CNAME) that resolves back to that same IP address.

So, if I just had my ISP set the PTR record for my public IP address (which must be static -- I assume you already know why) to anymo1.example.com, then I need to make sure that if I look up anymo1.example.com it points back to that same IP address.

Having these 2 DNS records match is called having a "Forward Confirmed Reverse DNS" (FCRDNS or, validating that your Reverse DNS matches your Forward DNS). Read more, if you like, on Wikipedia.

Now the part that confuses a lot of admins is that, while there is a "general rule" that you only have 1 PTR record per IP address, there is no such rule or convention for A records... make as many of those as you want.

Additionally, so long as your FCRDNS works, and the 220 SMTP greeting uses the same domain name (not the whole FQDN, just the domain name), you'll be considered a positive match (a PASS result for SPAM checking).

So you can go right ahead and use mail.example.com as your mailserver name (with the same IP address as anymo1.example.com) and go right ahead and make mail.example.com be the advertised host in your 220 greeting.

Which takes us to part 2 of your question...

Your Mail Server has to identify itself properly


You said you are using sendmail (not a great choice, but assuming you've ameliorated the security concerns, let's not try to fix what ain't broken).

Regardless of what mail server you're using, you're going to need to customize the banner -- and you won't likely want to rename your whole server just for the mail service, so configure your mail service with a custom banner -- everyone else does!

This page will show you how for most mail server systems.

Just remember that in Linux, you nearly ALWAYS have to restart the service (or at least tell the service to reload configs) when you make changes to the config files.

I hope this helps...

Dan
IT4SOHO
0
 
LVL 28

Assisted Solution

by:Jan Springer
Jan Springer earned 190 total points
Sendmail is an excellent choice.  It's personal preference.

Your FQDN (server hostname) should match what you have in your forward DNS zone.

If you need assistance with DNS -- shout.  Your files (if you're chrooted) are typically in /var/named/chroot/var/named/ or /var/named/chroot/var/named/masters.  Update your SOA, modify your "A" record and "service named reload".
0
 
LVL 20

Expert Comment

by:Daniel McAllister
I won't get into any arguments about mail server choices... as noted in my earlier post, I try not to "fix" what isn't broken, and I'll just agree that it's a "personal choice."

Moving on, I will say that forcing a name change on the whole system to accommodate the mail service is kind of like using a sledgehammer to pound in a screw: it'll work, but possibly cause collateral damage while doing so. Further, it's the wrong way to do it to begin with: a wrong tool that just happens to get the job done... literally by accident!

In this case, the mail server -- with no direction otherwise -- uses the system name as its advertised name... not because it is a good (much less better) choice, but because it needs SOMETHING there, and that's at least a value to try. I stand by my suggestion (with link) to actually configure your 220 banner (SMTP Greeting) for your mail service (vs. letting it default). That way, you're not forced to call your server anything you're not already calling it, and the only "change" implemented is within mail itself.
While implementing services as separate "appliances" in specially designed VMs does a lot to improve security and isolate the impacts one service can have on another, we're not there yet... thus, it's highly presumptuous to assume this DNS/mail server does no other function. And without knowing what other functions might be there, isolating config changes to the mail service would seem (to me) to be prudent.

So I'll stand by my earlier recommendations:
Set the (one) PTR record for your public IP to some generic value on your own domain (e.g. location1.example.com) by calling your ISP
Set an (one of many?) A record for your domain so that the PTR value works in both directions
Set another A record in your own domain to call your mail server whatever you want (e.g. mail.example.com)
Set your mail server's 220 banner (SMTP greeting) to use the name you want (e.g. mail.example.com)

LEAVE YOUR OTHER SERVER SETTINGS ALONE: don't touch other A records, MX records, or whatever -- if it works, don't fix it -- and when you have to fix something, don't fix other (unbroken) things just because you can!

Dan
IT4SOHO
0
 
LVL 28

Expert Comment

by:Jan Springer
I can't believe that I read that blather.

I install and support Linux mail servers for service providers and I can tell you that slop counts.
0

 
LVL 1

Author Comment

by:jmarkfoley
gr8gonzo:
> It's about reverse IP lookup.
Yes, the rejection was because of reverse DNS lookup. I didn't realize this issue was connected to reverse DNS so I posted another question on that: http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Q_28621279.html which was solved by some of the same respondents to this message.
> Either set up a cron job that checks your exim.conf
Don't have an exim.conf, must be for a distro other than Slackware.
> Just change the hostname of the server itself to ohprs.org
That would cause other problems ... had it that way some time ago when testing.

it4soho:
> This page will show you how for most mail server systems.
That page did the trick. I added:

define(`confSMTP_LOGIN_MSG', `mail.ohprs.org Service ready; $b')dnl

to my .mc file and voila! I get that as the banner.

Jan Springer:
> Sendmail is an excellent choice.  It's personal preference.
Agreed, and I use 4 different milters for spam, virus and email archiving which would be a pretty steep learning curve for me to figure out how to do with some other MTA.
> Your fqdn (server hostname) should match was you have in for forward DNS zone.
I'm DNS serving only for the local LAN, plus DNS is being updated by Samba4 and clients. DNS is not a problem. I spent weeks getting that worked out.

it4soho:
> forcing a name change on the whole system to accommodate the mail service is kind of like using a sledge hammer to pound in a screw
Quite, and that's exactly why knock-on programs such as DNS, Samba, etc. need the local domain FQDN: mail.hprs.local.

Anyway, you are both right, sendmail is my choice and has been able to do everything I need for many years now. Have not found any unblocked holes; it checks against blacklists, throttles over-zealous connectors, etc.

And, the link at http://www.theemailadmin.com/2010/08/how-to-change-your-smtp-banner-for-fun-and-profit/ provided a useful howto for sendmail and, as importantly, "why" one should change the 220 banner.

Now, final part of my question:

Given an email address: user@ohprs.org, senders' mail clients will likely connect to port 25 at ohprs.org, right? So, what *should* my banner have, "ohprs.org", or "mail.ohprs.org" (the latter being the FQDN of that host)?
0
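The two checks the thread keeps circling back to (Dan's accepted answer: the PTR name for the sending IP must resolve back to the same IP, and the 220 greeting should name a host in that same domain; plus the banner change above) can be scripted so you can verify a server yourself instead of relying on a web checker. The following is an added example and not code from the original thread or from sendmail; the resolver lookups are pluggable so the offline table at the bottom (built from the mail.ohprs.org / 64.129.23.80 values quoted later in this thread, plus constructed 192.0.2.x documentation addresses for the failure cases) can stand in for real DNS. `registrable_domain` is a naive "last two labels" helper, an assumption that ignores public-suffix rules such as co.uk.

```python
import re
import socket
from typing import Callable, Dict, Optional, Set

# Host name advertised in an SMTP greeting: "220 host.example ..." or "220-host.example ..."
BANNER_RE = re.compile(r"^220[ -](\S+)")


def banner_hostname(banner_line: str) -> Optional[str]:
    """Return the host name a 220 greeting advertises, or None if the line is not a 220 reply."""
    m = BANNER_RE.match(banner_line.strip())
    return m.group(1).rstrip(".").lower() if m else None


def registrable_domain(name: str) -> str:
    """Naive 'domain name' of an FQDN: its last two labels (mail.ohprs.org -> ohprs.org).
    Assumption: no public-suffix handling (co.uk etc.); fine for a same-domain comparison."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def system_ptr_lookup(ip: str) -> Optional[str]:
    """PTR lookup via the system resolver (note: this also consults /etc/hosts)."""
    try:
        return socket.gethostbyaddr(ip)[0].rstrip(".").lower()
    except (socket.herror, socket.gaierror):
        return None


def system_a_lookup(name: str) -> Set[str]:
    """All IPv4 addresses a name resolves to, via the system resolver."""
    try:
        return {ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()


def check_fcrdns(ip: str,
                 ptr_lookup: Callable[[str], Optional[str]] = system_ptr_lookup,
                 a_lookup: Callable[[str], Set[str]] = system_a_lookup) -> Dict:
    """Forward Confirmed Reverse DNS: PTR(ip) -> name, and A(name) must include ip."""
    ptr_name = ptr_lookup(ip)
    forward_ips = a_lookup(ptr_name) if ptr_name else set()
    return {"ip": ip, "ptr_name": ptr_name,
            "forward_ips": sorted(forward_ips), "fcrdns_ok": ip in forward_ips}


def check_banner(ip: str, banner_line: str,
                 ptr_lookup: Callable[[str], Optional[str]] = system_ptr_lookup,
                 a_lookup: Callable[[str], Set[str]] = system_a_lookup) -> Dict:
    """FCRDNS result plus whether the 220 banner matches the PTR name exactly or by domain."""
    result = check_fcrdns(ip, ptr_lookup, a_lookup)
    host = banner_hostname(banner_line)
    ptr = result["ptr_name"]
    result["banner_host"] = host
    result["banner_exact_match"] = host is not None and host == ptr
    result["banner_domain_match"] = (host is not None and ptr is not None
                                     and registrable_domain(host) == registrable_domain(ptr))
    return result


# Constructed offline DNS table standing in for the real resolver.
# 64.129.23.80/mail.ohprs.org are the values quoted in this thread; 192.0.2.x are documentation
# addresses used here to show a PTR name whose A record points somewhere else.
_PTR_TABLE = {"64.129.23.80": "mail.ohprs.org", "192.0.2.10": "mail.example.net"}
_A_TABLE = {"mail.ohprs.org": {"64.129.23.80"}, "mail.example.net": {"192.0.2.11"}}


def table_ptr_lookup(ip: str) -> Optional[str]:
    return _PTR_TABLE.get(ip)


def table_a_lookup(name: str) -> Set[str]:
    return set(_A_TABLE.get(name, ()))


# Banners as they appear in the thread: the original local-name one and the fixed one.
OLD_BANNER = "220 mail.hprs.local ESMTP Sendmail 8.14.9/8.14.9; Thu, 19 Feb 2015 22:34:10 -0500"
NEW_BANNER = "220 mail.ohprs.org Service ready; Thu, 19 Feb 2015 22:34:10 -0500"

if __name__ == "__main__":
    for ip, banner in [("64.129.23.80", OLD_BANNER), ("64.129.23.80", NEW_BANNER),
                       ("192.0.2.10", NEW_BANNER)]:
        print(check_banner(ip, banner, table_ptr_lookup, table_a_lookup))
```

Run against the table, the old banner passes FCRDNS but fails both banner checks (mail.hprs.local is not in ohprs.org), the new banner passes everything, and the 192.0.2.10 case fails FCRDNS because its PTR name resolves to a different address. To check a live server, leave the resolver arguments at their defaults and pass in the banner line you received on port 25.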
 
LVL 28

Expert Comment

by:Jan Springer
Don't presume that a sender's from address will connect to a server with the same domain name.

And, your banner should match your forward DNS setting.
0
 
LVL 1

Author Comment

by:jmarkfoley
Jan Springer:
> don't presume that a sender from address will connect to a server with the same domain name.
Meaning it is OK as is: "mail.ohprs.org", right?

> your banner should match your forward DNS setting.
Well, mxtoolbox.com's check program says, "OK - Reverse DNS matches SMTP Banner". I'm afraid I don't know where I'd find my forward DNS setting. Would that be the A record at Network Solutions?
0
 
LVL 20

Expert Comment

by:Daniel McAllister
First off, let's be clear that we're jumping through all of these hoops to meet various different sites' differing SPAM filtering rules. There isn't any "right" or "wrong" here, there is only meeting the requirements different sites have setup.

One of those requirements that larger sites have is that you have to pass FCRDNS (that is, for whatever you have set for your rDNS [PTR record] on your WAN IP address, there MUST be a corresponding forward DNS [A record] that matches.)

FCRDNS doesn't have any effect on LAN DNS, and LAN DNS entries that get used aren't likely to affect SPAM processing. So we're only talking about Internet DNS here.

Finally, we have already determined that the ISP hosts your rDNS entries... but the question came up that you don't host your own DNS service -- which doesn't matter. SOMEWHERE, (likely at your registrar) there are DNS records for your Internet domain name -- including an MX record, many A records [and hopefully at least 1 TXT record holding your SPF settings]. That is where you put the A record to match the PTR record your ISP sets for you.

To test if your FCRDNS is working properly, use this site.

Dan
IT4SOHO
0
 
LVL 1

Author Comment

by:jmarkfoley
it4soho:
> you don't host your own DNS service -- which doesn't matter. SOMEWHERE, (likely at your registrar) there are DNS records for your Internet domain name
Correct, these are at Network Solutions. Our ISP does have the reverse DNS configured.

Your suggested site gave the following results:

Looking up Reverse DNS for IP Address: [64.129.23.80]

RDNS for 64.129.23.80 is: [mail.ohprs.org] - (PTR record - 80.23.129.64.in-addr.arpa)
IP Address for mail.ohprs.org is: [64.129.23.80]

SUCCESS! - Forward Confirmed Reverse DNS is CORRECT!
The IP address for the reverse lookup name matches the original IP

I guess that means we're good to go.
0
 
LVL 34

Expert Comment

by:gr8gonzo
Interesting. I come in first with the actual answer, and I get 12% of the overall points and an "assist."

Dan comes in and gives a longer post that says the same thing, and he gets the "answer" with 50% of the points. Maybe I need to start spamming my answer posts with bold text, underlines, and larger text.

Piggybacking drives me nuts.
0
 
LVL 1

Author Comment

by:jmarkfoley
The question was about setting the 220 header in response to my testing with mxtoolbox.com, which determined that, "The SMTP banner issued by your email server did not contain the hostname we resolved for your server's IP address." and Dan gave me the link to change that. In my follow-up post I did mention that some email was getting rejected by e.g. roadrunner, which I mistakenly thought had to do with the 220 header. I did get that bit resolved from a different question I posted, so the reverse DNS lookup thing wasn't really an issue when you posted.

Nevertheless, I understand your irritation. I try to give something to constructive participants and perhaps sometimes my allocations are subject to criticism, apportioned not quite equitably. But hey, I've got plenty of other networking posts out there, so piggyback on and snag some points.

Also, feel free to appeal to the moderator. I won't feel bad.
0