Help with Email MX Records, etc

Hi all.
We are running Exchange 2007 with a Barracuda Spam filter.
Optimum is our ISP.
We are unable to send email to a specific domain.
We get an NDR (eventually) stating:
"#< #4.0.0 X-Spam-&-Virus-Firewall; connect to mx00.1and1.com[74.208.5.3]: server refused mail service> #SMTP#"

When I run an SMTP test on our domain name in MXToolbox.com we get the following warnings:
MXToolbox Results
Is there anyone here that can help me try and resolve these issues?  I'm guessing if we clear all 3 we will be able to send email to that domain.
LVL 1
homerslmpsonAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

arnoldCommented:
1and1.com labeled your server as spammer and is not accepting connections from you.  They are a hosting company and are the provider for that domain.

Call their technical group to determine why your server ended up on the block list.

That is the only remedy.
0
homerslmpsonAuthor Commented:
OK. I will contact them.
Any thoughts on the warnings and how to correct them?
0
arnoldCommented:
The mxtool
You have to check with your provider to have the record for your IP (whatismyip.com) reflect the name in the and  record and/or make sure the name your server references when incoming connections and outgoing connections

I.e. Your server is mail.yourdomain.com, the revers for the IP should reflect mail.yourdomain.com.
Telnet mail.yourdomain.com 25
Is not saying connected to mail.yourdomain.com because you are using barracuda, it likely has ############ as the treating.
The outgoing connection ..........
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
asavenerCommented:
Many mail systems no longer blindly accept mail, but try to vet the connection in order to validate that the sender is who they say they are.  Few spammers will go to the trouble to work out these issues, and those that do can be more readily blacklisted.

1and1.com is counting on the fact that sending e-mail to/through them is important enough to for you to jump through a few hoops.

First is to make sure that the reverse DNS of your mail server matches its host and MX record.  Likely you will need to talk to your ISP about this.

Second is to make sure that the banner on your mail server correctly displays its hostname, and that it matches the MX record and reverse DNS.  Banner configuration depends on your mail server.  Some firewalls also blank out the SMTP banner, so this does not generally cause recipients to block inbound messages.

Third is to make sure that you send and receive mail on the same IP address.  I had clients where we had to do some gyrations to make sure outbound SMTP was NAT'd to the same IP that the inbound SMTP connection was listening on.

The TLS can generally be ignored, unless you want your SMTP connections to support encryption.  Generally, a self-signed certificate is sufficient for this.

You might also want to investigate creating a DNS SPF record in order to  prevent folks from spoofing your E-mail domain.
0
Mal OsborneAlpha GeekCommented:
Those are pretty minor transgressions, few mail servers would block you for those reasons. Probably worth checking if you have been blacklisted anywhere. Go to the link below, put in your sending IP, and tell us what gets reported back:

http://mxtoolbox.com/blacklists.aspx
0
HariomExchange ExpertsCommented:
Your Reverse lookup entry is mismatched,You need to contact your ISP and set the Reverse Hostname (ptr) record  on ISP Public DNS

Just Make sure reverse lookup PTR record is exist for whatever is your server or firewall is accepting connection from outside

If your barracuda is accepting mails from outside than following reverse entry must there with isp.

PTR Record : Barracuda Firewall IP Address should resolves to  barracuda.yourdomian.com
0
homerslmpsonAuthor Commented:
OK so I'm trying to get the PTR record created for barracuda.MyDomain.com but this needs to be done through our ISP (Optimum) and I'm trying to get the login info.
0
homerslmpsonAuthor Commented:
So maybe someone can help clarify some things for me.
We are running Exchange 2007 in our domain along with a Barracuda Spam Filter.
We also have:
- cable modem via Optimum Online that includes 5 static IP addresses
 One of these static IPs was pointing to mail.MyDomain.com (96.57.116.28)
- a T1 connection used for VOIP phone and in the event our cable goes down, will act as a WAN failover. This T1 has some static IPs associated with it, one of them pointing to mail.MyDomain.com (216.178.82.102)
- a firewall managed by the same people who are supplying us with the T1 connection
- a website hosted with Lunarpages

I'm trying to figure out how this whole email thing is supposed to work.  Inbound and outbound mail goes through the Barracuda.  
As I mentioned above, one of the static IPs from the cable modem was assigned to mail.MyDomain.com but I've recently had it changed to barracuda.MyDomain.com.
I've also asked the company managing our firewall to make a change on their end so that the static IP that was pointing to mail.MyDomain.com instead points to barracuda.MyDomain.com.
After they sent me an email confirming the change was made, I waited about 24 hours and then logged onto our hosting site (Lunarpages) and looked at the MX entries shown there.  There were 2. One with a priority of 5 and pointing to mail.MyDomain.com and other with a priority of 10 and pointing to mail2.MyDomain.com.  
The mail2 entry I don't think is being used at all. I believe it came with the hosting package.
I have edited the name of the one named mail.MyDomain.com  to barracuda.MyDomain.com.
After I made that last change (the MX entry on Lunarpages) I sent myself a test email from my Yahoo account and it got bounced back immediately.
I then changed it back to mail.MyDomain.com and sent another test email which went through no problem.
What am I missing here?
0
asavenerCommented:
You need to test SMTP connections from outside your firewall.

Go get on a computer at your house, install PuTTY or similar on it, and run these tests:

Ping mail.mydomain.com - verify the IP address
ping barracuda.mydomain.com - verify the IP address

run nslookup, enter set type=mx, and enter mydomain.com

Try to telnet to port 25 on both mail.mydomain.com and barracuda.mydomain.com
0
homerslmpsonAuthor Commented:
I'll use my phone's mobile hostpot on another computer here and test these out.
I'll get back to you in a few minutes.
0
homerslmpsonAuthor Commented:
Ping mail.mydomain.com - verify the IP address <-- doesn't reply
ping barracuda.mydomain.com - verify the IP address <-- can't even find the host

run nslookup, enter set type=mx, and enter mydomain.com <-- shows 2 entries. One being mail.MyDomain.com (priority 5) and barracuda.MyDomain.com (priority 10).

It looks like it's getting all of the info from my hosting company. I mentioned in the earlier reply that I changed the priority 5 address back to mail.MyDomain.com after I immediately got a bounceback when sending a test message from Yahoo.


Try to telnet to port 25 on both mail.mydomain.com and barracuda.mydomain.com <-- I was able to telnet into the mail.MyDomain.com and it shows an entry named 220 barracuda.MyDomain.com

When I tried to telnet into barracuda.MyDomain.com I got an error saying "Unable to open connection to barracuda.MyDomain.com Host does not exist"
0
asavenerCommented:
Ping mail.mydomain.com - verify the IP address <-- doesn't reply
That's normal; pings are blocked, but you can resolve the address.
ping barracuda.mydomain.com - verify the IP address <-- can't even find the host

That's what's keeping the MX record from working.  You need a host (A) record for barracuda.mydomain.com pointing the IP address of your mail server.  (The same IP address as mail.mydomain.com)

run nslookup, enter set type=mx, and enter mydomain.com <-- shows 2 entries. One being mail.MyDomain.com (priority 5) and barracuda.MyDomain.com (priority 10).


It looks like it's getting all of the info from my hosting company. I mentioned in the earlier reply that I changed the priority 5 address back to mail.MyDomain.com after I immediately got a bounceback when sending a test message from Yahoo.

Try to telnet to port 25 on both mail.mydomain.com and barracuda.mydomain.com <-- I was able to telnet into the mail.MyDomain.com and it shows an entry named 220 barracuda.MyDomain.com

When I tried to telnet into barracuda.MyDomain.com I got an error saying "Unable to open connection to barracuda.MyDomain.com Host does not exist"
Yup.  You need the host record for barracuda.mydomain.com.
0
homerslmpsonAuthor Commented:
Where/How do I create/add this record?
0
asavenerCommented:
Same place you modified the MX record.  Lunardata, I think?
0
homerslmpsonAuthor Commented:
Lunarpages - ok I'll take a look at the Control Panel and look for the section to add an A record.
0
homerslmpsonAuthor Commented:
Unfortunately I cannot add an A record on that site. I can only edit the MX records.  
I needed to open a support ticket for the A record creation so we will have to wait and see what happens.
Is there anything I should do in the meantime?
Lunarpages doesn't have the greatest response time so I'm concerned that if things break I'm going to be up a river without a paddle...
0
asavenerCommented:
You can actually have two A records that point to the same IP, so it shouldn't break anything.

Have them add the new A record, then you can test SMTP connectivity, then you can modify the MX records, and test again.

After that, you need to contact your ISP and ask them to change the PTR record for the IP address of your mail server, so that reverse lookup resolves to barracuda.mydomain.com.
0
homerslmpsonAuthor Commented:
You mention contacting my ISP and asking them to change the PTR record for the IP address of my mail server so that reverse lookup resolves to barracuda.MyDomain.com.
I've already made this change but it isn't showing on Optimum's site properly. It says "request pending".
I contacted them and they said it shouldn't say "request pending" and they don't know why it says that. They opened a ticked and someone is supposed to contact me within 48 hours.
You can see what I'm referring to in the image below.
Should I just click the cancel button on that for now or should I leave it alone?
Optimum
0
asavenerCommented:
For what it's worth, an nslookup query shows the name as barracuda.<companyname>.com.

(Might want to edit the image, or delete it.)

To test yourself:

nslookup
set type=ptr
<ip address to test>
0
arnoldCommented:
I would discourage the use of baracuda for the forward. And reverse. Before the prevalent use of mail, SMTP is now being used by spammers to hunt for mail hosts on the domain into which to attempt to send email.  Migrating/changing the hostname so it can not be guessed .... And especially identify what is behind it to avoid helping/providing information for an attack on vulnerabilities that might exist or be uncovered before an update correcting them can be loaded.

All that is required is that the hostname you chose to use on the front end is the same hostname used when mapping the IP.
Nslookup x.x.x.x
Should return a name when queried
Nslookup hostname
Will return x.x.x.x
0
asavenerCommented:
No matter what he chooses, the name is going to be visible via the MX record.  

Would a mail scanning service be preferable?  Maybe.  But obfuscating the name of the server is just kind of silly.
0
homerslmpsonAuthor Commented:
You mentioned the following:
For what it's worth, an nslookup query shows the name as barracuda.<companyname>.com.
(Might want to edit the image, or delete it.)

I'm confused as to what you're referring to here.  What image?
0
arnoldCommented:
One should not use identifying names I.e. Exchange, baracuda, etc. as it provides information for an avenue of attack concentrated at vulnerability or current issues it might have.......

It is not a requirement that the hostname reflect what is behind it.

The delete image deals with you not masking your IP which is public.
0
asavenerCommented:
the image in this post:  http://www.experts-exchange.com/questions/28717302/Help-with-Email-MX-Records-etc.html#a40996184


Generally, it's trivial to determine the kind of mail server.  The fingerprinting tools are pretty good.

I'm not aware of an exploit that compromises a server through the SMTP service itself.
0
arnoldCommented:
Compromise if often not through the service but through the creation of a circumstance i.e. buffer overflow, etc.

I would suggest to use generic versus descriptive hostnames when unnecessary.
but it is subjective.
0
homerslmpsonAuthor Commented:
OK so I asked Lunarpages to create an A record for barracuda.MyDomain.com pointing to 96.57.116.28.
They got back to me just a little while ago saying that it was added and that it will take 4-6 hours for full DNS propagation.
It looks like things are "kind of" all set.  When I do an MXToolbox check it looks like the reverse DNS is ok.
The only thing I'm concerned about at this point is that on Lunarpages hosting I originally mentioned there being 2 MX records. One pointing to mail.MyDomain.com with a priority of 5 and the other being barracuda.MyDomain.com with a priority of 10.
The last time I changed the mail one, I got a bounceback when sending a test message from my Yahoo account.  At this point, do you guys feel I should be able to edit that one to barracuda or should I just leave it alone?
1
asavenerCommented:
Multiple MX records shouldn't cause a problem.  If the first one fails, then it should just move on to the next one.
0
arnoldCommented:
Here is the issue, the lower the  MX preferemce number the more preferred the referenced host.
If both go to the same IP, any email should be handled in the same way.
What did the bounce say?
Make sure that while you remove the MX record if you do, do not remove the referenced hostname at the same time since there is a propagation issue where someone will still have the MX listing, but the hostname expired and when they try to retrieve information about the hostname it no longer exists.
0
homerslmpsonAuthor Commented:
So everything appears to be working but something doesn't seem right.

We have a cable modem as our primary connection and with it we have a few static IPs, one of which has the IP of 96.57.116.xx for the mail server.
We also have a T-1 connection that is used as a backup/failover. This has some static IPs associated with it, one of which is 216.178.82.xx and is for the mail server.

When I enter the 216.178.82.xx IP on MX Toolbox and run an SMTP test, it still gets the reverse DNS warning.

Any idea how to resolve this?

t1 ip
0
arnoldCommented:
You have to doors, one via the T1 and one via the Cable.
Your MX record can point to mymailserver.mydomain.com
mymailserver.mydomain.com can point to both doors and email from it can leave from either, this means you have to make sure both Ips reflect the same name or two different names if you wish
MX 5 primarymail.mydomain.com.
MX 20 secondarymail.mydomain.com.

The primary will point to your cable IP while your secondary will point to your T1 static IP.
this way each will reflect a different hostname.
0
asavenerCommented:
To truly eliminate all errors, you'll need a second barracuda instance that matches the DNS name assigned to your secondary mail server.  The second instance could be a virtual interface on the same appliance, if the Barracuda supports it.

Looks like it should:  https://techlib.barracuda.com/display/lbadcv50/adding+custom+virtual+interfaces

So you would have two MX records, say barracuda.mydomain.com and barracuda2.mydomain.com.
Two host (A) records, one for barracuda.mydomain.com and one for barracuda2.mydomain.com.
PTR record for each public IP address.
One of your Internet edge devices would need to have the SMTP NAT rule reconfigured to point to the Barracuda's new virtual interface.
0
homerslmpsonAuthor Commented:
Jeez I really didn't want to start having to create new virtual interfaces, etc as that is just THAT much more complicated for me.
Was trying to keep things simple.
I like what arnold said about being able to have 2 doors from the same MX entry but I don't know what I have to do to make BOTH IPs reflect the same name.
Do I need to contact Lunarpages again and ask them to create a PTR record for 216.178.82.xx to resolve to barracuda.MyDomain.com?
When I type the following (from within my internal network) :
ping -a 216.178.82.xx

Open in new window


it resolves to barracuda.MyDomain.com which I'm guessing is a good thing.
I'm hoping you guys are going to reply back and state that I simply need to ask Lunarpages to update this on their end...
0
arnoldCommented:
Yes.
0
homerslmpsonAuthor Commented:
Thanks for the help guys! It's really appreciated.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Email Servers

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.