Solved

Reverse DNS does not match SMTP Banner

Posted on 2016-07-20
18
75 Views
Last Modified: 2016-08-11
we've been getting complaints ( since we upgraded from Exchnage 2010 to Exchange 2013 ) from our users stating that  emails don't arrive at its destination it has arrived in junk folder.

I decided to do an SMTP scan using mxtoolbox.com and i get the following inflammations -----


Category      Host                                 Result      
dns                    Mydomain.com                 SOA Serial Number Format is Invalid       
dns                    mydomain.com                 SOA Expire Value out of recommended range       
smtp            mail.mydomain.com        Reverse DNS does not match SMTP Banner       
smtp            mail.mydomain.com        Warning - Does not support TLS.



 Connecting to 12.12.12.12 

220 ***************************************************** [875 ms]
EHLO PWS3.mxtoolbox.com
250-Antispam.MYDomain.com says EHLO to 64.20.227.134:53351
250-SIZE 15485760
250-8BITMIME
250-PIPELINING
250 ENHANCEDSTATUSCODES [922 ms]
MAIL FROM:<supertool@mxtoolbox.com>
250 2.0.0 MAIL FROM accepted [922 ms]
RCPT TO:<test@example.com>
554 5.1.2 Recipient address rejected: User unknown [922 ms]

PWS3v2 5625ms

Open in new window

0
Comment
Question by:Rami Mansour
18 Comments
 
LVL 15

Expert Comment

by:Ivan
ID: 41722226
Hi,

did you configure external FQDN on send connector?
EMC --> mail flow --> send connector --> select and edit connector --> scoping tab --> fqdn.

If it is set as your external name, then maybe mxtoolbox test is mistaking :)

Regards,
Ivan.
0
 
LVL 18

Expert Comment

by:Sushil Sonawane
ID: 41722229
All Mail received  in junk folder or particular domain. if particular domain then add domain in safe send list in exchange.

The issue happen with all user or single users if single user then add domain in user safe sender list.
0
 
LVL 33

Expert Comment

by:Busbar
ID: 41722250
you need to make sure that you have the correct DNS configured on the send connector, and you will need to ask you ISP to have a reverse DNS record for you  with the correct settings.
2
 
LVL 16

Expert Comment

by:Shaik M. Sajid
ID: 41722261
are u using any e-mail appliances if yes check the mail server configurations in E-mail appliance ..

if not

do you have internal and external Domain name are same/ different ?  then did u configure Reverse dns on the server ?

is recently did u change external dns name ? if yes the tell your mail server DNS hosting provider/ISP to check your Reverse DNS records,

last but not lease check your SSL verification.

all the best
0
 

Author Comment

by:Rami Mansour
ID: 41722267
Sajid, thank you for your reply

i have SMG in between Firewall (FG) and EXchnage 2013 ,
i have internal and external Domain name are same
yes , i had configured Reverse DNS on the server
SSL verification following the information

mail.Mydomain.com resolves to Myip
Server Type: Microsoft-IIS/8.5
The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).
The certificate was issued by GoDaddy.	
Write review of GoDaddy
The certificate will expire in 507 days.	
Remind me
The hostname (mail.mydomain.com) is correctly listed in the certificate.

Open in new window

0
 
LVL 13

Expert Comment

by:Andy M
ID: 41722965
yes , i had configured Reverse DNS on the server

Have you got your reverse dns configured on your internet line as well? If this hasn't been setup the external servers will mark it as failed.

Run an nslookup on your external IP - the hostname it comes back with should match the external name fo your mail server.
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 500 total points
ID: 41723463
Did the test really come back with this:

3:220 ***************************************************** [875 ms]

If so, that will cause problems with email delivery. If there are SMTP scanning functionality on the firewall, turn it off.
0
 

Author Comment

by:Rami Mansour
ID: 41723583
Andy

I did run  ns lookup on external IP - the hostname it comes back matching with the external name fo mail server. in addition the following Nslookup information
C:\Users\user>nslookup
Default Server:  homerouter.cpe
Address:  192.168.1.1

> server 8.8.8.8
Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8

> 83.83.83.10
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Name:    mail.domain.com
Address:  83.83.83.10

> mail.domain.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    mail.domain.com.domain.com
Address:  83.83.83.12

Open in new window

0
 
LVL 5

Expert Comment

by:Mdlinnett
ID: 41723832
Have a look at https://www.mail-tester.com/ - it isn't specific to newsletter emails and will tell you all sorts that's wrong with your mail setup regarding spam classification.

In your screenshot look at line 21.  mail.domain.com.domain.com?

Is 83.83.83.12 your actual Mail Server IP?
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 

Author Comment

by:Rami Mansour
ID: 41724059
No is not my mail ip
0
 
LVL 5

Expert Comment

by:Mdlinnett
ID: 41724079
Results of mail-tester.com?
0
 

Author Comment

by:Rami Mansour
ID: 41724950
here is the results

83.83.83.10 is for Mail. Domain.Com

83.83.83.12 is for our website WWW.domain.com with is showing with antispam.domain.com


You're not fully authenticated
        We check if the server you are sending from is authenticated
                Your message is not signed with DKIM
                     DomainKeys Identified Mail (DKIM) is a method for associating a domain name to an email message, thereby allowing a     person, role, or organization to claim some responsibility for the message.


Your reverse DNS does not match with your sending domain.
Reverse DNS lookup or reverse DNS resolution (rDNS) is the determination of a domain name that is associated with a given IP address.
Some companies such as AOL will reject any message sent from a server without rDNS, so you must ensure that you have one.
You cannot associate more than one domain name with a single IP address.

Your IP address 83.83.83.10 is associated with the domain mail.domain.com.
Nevertheless your message appears to be sent from Antispam.domain.com.

You may want to change your pointer (PTR type) DNS record and the host name of your server to the same value.

Here are the tested values for this check:
IP: 83.83.83.10
HELO: Antispam.domain.com
rDNS: mail.domain.com

Your hostname Antispam.domain.com is assigned to a server.
We check if there is a server (A Record) behind your hostname Antispam.domain.com.
A records (Antispam.domain.com) : 
83.83.83.12

Your message could be improved
Checks whether your message is well formatted or not.
Weight of the HTML version of your message: 2KB.
Your message contains 30% of text.
You have no images in your message
Your content is safe
We didn't find short URLs
Your message does not contain a List-Unsubscribe header
The List-Unsubscribe header is required if you send mass emails, it enables the user to easily unsubscribe from your mailing list.
Your message does not contain a List-Unsubscribe header

Open in new window

0
 
LVL 5

Expert Comment

by:Mdlinnett
ID: 41725129
Thanks, that's good progress.

Looks like your answer is to adjust your PTR / rDNS record to antispam.domain.com instead of mail.domain.com, then try the test again.
0
 

Author Comment

by:Rami Mansour
ID: 41725600
I should add one more PTR record or I will change the mail .domain,com to antispam.domain.com

I will share with you the Domain DNS Configurations could you pls advise in regard
0
 
LVL 5

Expert Comment

by:Mdlinnett
ID: 41725760
Out of interest, what is your Exchange Send Connector advertising itself as?

You can only have one ptr record per up address so, as things currently stand, you would need to update your existing ptr for 83.83.83.10 to antispam.Domain.com.
0
 

Author Comment

by:Rami Mansour
ID: 41726432
I did and still showing Reverse DNS does not match SMTP Banner. in order, now the remaining on the  mail-tester is the following:


Your message is not signed with DKIM
DomainKeys Identified Mail (DKIM) is a method for associating a domain name to an email message, thereby allowing a person, role, or organization to claim some responsibility for the message.

--------------------------------------------------------------
The body of your message contains errors
        Checks whether your message is well formatted or not.
                    Weight of the HTML version of your message: 27KB.
                    Your message contains 5% of text.
We found 2 images without alt attribute in your message body
       ALT attributes provide a textual alternative to your images.
        [list=1]It is a useful fallback for people suffering from sight problems and for cases where your images cannot be displayed.
<img border="0" width="42" height="53" id="Picture_x0020_6" src="data:image/jpeg;base64,/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAoHBwgHBgoICAgLCgoLDhgQDg0NDh0VFhEYIx8lJCIf IiEmKzcvJik0KSEiMEExNDk7Pj4+JS5ESU[/list]
        [list]<img border="0" width="479" height="43" id="Picture_x0020_11" src="data:image/jpeg;base64,/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAoHBwgHBgoICAgLCgoLDhgQDg0NDh0VFhEYIx8lJCIf IiEmKzcvJik0KSEiMEExNDk7Pj4+JS5E
If you don't want to add an alt attribute, add an empty one: alt=""
[/list]

Your message does not contain a List-Unsubscribe header
          The List-Unsubscribe header is required if you send mass emails, it enables the user to easily unsubscribe from your               mailing list.
           Your message does not contain a List-Unsubscribe header

Open in new window



In addition, I was facing an issue Some messages cannot be delivered successfully to certain domains. It's going to junk folders  such as Gmail, Hotmail the and the below found when I check the message header the following noted:


Forefront Antispam Report Header– 
Language	en
Spam Confidence Level	5
Spam Filtering Verdict	SPM
HELO/EHLO String	BLU004-MC1F24.hotmail.com

Open in new window

0
 

Accepted Solution

by:
Rami Mansour earned 0 total points
ID: 41745929
I have solved this was the ESMTP inspection on the ASA firewall
0
 

Author Closing Comment

by:Rami Mansour
ID: 41751801
it is working with me
0

Featured Post

Do email signature updates give you a headache?

Do you feel like you are constantly making changes to email signatures? Are the images not formatting how you want them to? Want high-quality HTML signatures on all devices, including on mobiles and Macs? Then, let Exclaimer solve all your email signature problems today.

Join & Write a Comment

Following basic email etiquette rules will help you write a professional email and achieve a good, lasting impression with your contacts.
Scam emails are a huge burden for many businesses. Spotting one is not always easy. Follow our tips to identify if an email you receive is a scam.
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now