Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Reverse DNS does not match SMTP Banner

Posted on 2016-07-20
18
137 Views
Last Modified: 2016-08-11
we've been getting complaints ( since we upgraded from Exchnage 2010 to Exchange 2013 ) from our users stating that  emails don't arrive at its destination it has arrived in junk folder.

I decided to do an SMTP scan using mxtoolbox.com and i get the following inflammations -----


Category      Host                                 Result      
dns                    Mydomain.com                 SOA Serial Number Format is Invalid       
dns                    mydomain.com                 SOA Expire Value out of recommended range       
smtp            mail.mydomain.com        Reverse DNS does not match SMTP Banner       
smtp            mail.mydomain.com        Warning - Does not support TLS.



 Connecting to 12.12.12.12 

220 ***************************************************** [875 ms]
EHLO PWS3.mxtoolbox.com
250-Antispam.MYDomain.com says EHLO to 64.20.227.134:53351
250-SIZE 15485760
250-8BITMIME
250-PIPELINING
250 ENHANCEDSTATUSCODES [922 ms]
MAIL FROM:<supertool@mxtoolbox.com>
250 2.0.0 MAIL FROM accepted [922 ms]
RCPT TO:<test@example.com>
554 5.1.2 Recipient address rejected: User unknown [922 ms]

PWS3v2 5625ms

Open in new window

0
Comment
Question by:Rami Mansour
18 Comments
 
LVL 16

Expert Comment

by:Ivan
ID: 41722226
Hi,

did you configure external FQDN on send connector?
EMC --> mail flow --> send connector --> select and edit connector --> scoping tab --> fqdn.

If it is set as your external name, then maybe mxtoolbox test is mistaking :)

Regards,
Ivan.
0
 
LVL 18

Expert Comment

by:Sushil Sonawane
ID: 41722229
All Mail received  in junk folder or particular domain. if particular domain then add domain in safe send list in exchange.

The issue happen with all user or single users if single user then add domain in user safe sender list.
0
 
LVL 33

Expert Comment

by:Busbar
ID: 41722250
you need to make sure that you have the correct DNS configured on the send connector, and you will need to ask you ISP to have a reverse DNS record for you  with the correct settings.
2
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 16

Expert Comment

by:Shaik M. Sajid
ID: 41722261
are u using any e-mail appliances if yes check the mail server configurations in E-mail appliance ..

if not

do you have internal and external Domain name are same/ different ?  then did u configure Reverse dns on the server ?

is recently did u change external dns name ? if yes the tell your mail server DNS hosting provider/ISP to check your Reverse DNS records,

last but not lease check your SSL verification.

all the best
0
 

Author Comment

by:Rami Mansour
ID: 41722267
Sajid, thank you for your reply

i have SMG in between Firewall (FG) and EXchnage 2013 ,
i have internal and external Domain name are same
yes , i had configured Reverse DNS on the server
SSL verification following the information

mail.Mydomain.com resolves to Myip
Server Type: Microsoft-IIS/8.5
The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).
The certificate was issued by GoDaddy.	
Write review of GoDaddy
The certificate will expire in 507 days.	
Remind me
The hostname (mail.mydomain.com) is correctly listed in the certificate.

Open in new window

0
 
LVL 13

Expert Comment

by:Andy M
ID: 41722965
yes , i had configured Reverse DNS on the server

Have you got your reverse dns configured on your internet line as well? If this hasn't been setup the external servers will mark it as failed.

Run an nslookup on your external IP - the hostname it comes back with should match the external name fo your mail server.
0
 
LVL 63

Assisted Solution

by:Simon Butler (Sembee)
Simon Butler (Sembee) earned 500 total points
ID: 41723463
Did the test really come back with this:

3:220 ***************************************************** [875 ms]

If so, that will cause problems with email delivery. If there are SMTP scanning functionality on the firewall, turn it off.
0
 

Author Comment

by:Rami Mansour
ID: 41723583
Andy

I did run  ns lookup on external IP - the hostname it comes back matching with the external name fo mail server. in addition the following Nslookup information
C:\Users\user>nslookup
Default Server:  homerouter.cpe
Address:  192.168.1.1

> server 8.8.8.8
Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8

> 83.83.83.10
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Name:    mail.domain.com
Address:  83.83.83.10

> mail.domain.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    mail.domain.com.domain.com
Address:  83.83.83.12

Open in new window

0
 
LVL 5

Expert Comment

by:Mdlinnett
ID: 41723832
Have a look at https://www.mail-tester.com/ - it isn't specific to newsletter emails and will tell you all sorts that's wrong with your mail setup regarding spam classification.

In your screenshot look at line 21.  mail.domain.com.domain.com?

Is 83.83.83.12 your actual Mail Server IP?
0
 

Author Comment

by:Rami Mansour
ID: 41724059
No is not my mail ip
0
 
LVL 5

Expert Comment

by:Mdlinnett
ID: 41724079
Results of mail-tester.com?
0
 

Author Comment

by:Rami Mansour
ID: 41724950
here is the results

83.83.83.10 is for Mail. Domain.Com

83.83.83.12 is for our website WWW.domain.com with is showing with antispam.domain.com


You're not fully authenticated
        We check if the server you are sending from is authenticated
                Your message is not signed with DKIM
                     DomainKeys Identified Mail (DKIM) is a method for associating a domain name to an email message, thereby allowing a     person, role, or organization to claim some responsibility for the message.


Your reverse DNS does not match with your sending domain.
Reverse DNS lookup or reverse DNS resolution (rDNS) is the determination of a domain name that is associated with a given IP address.
Some companies such as AOL will reject any message sent from a server without rDNS, so you must ensure that you have one.
You cannot associate more than one domain name with a single IP address.

Your IP address 83.83.83.10 is associated with the domain mail.domain.com.
Nevertheless your message appears to be sent from Antispam.domain.com.

You may want to change your pointer (PTR type) DNS record and the host name of your server to the same value.

Here are the tested values for this check:
IP: 83.83.83.10
HELO: Antispam.domain.com
rDNS: mail.domain.com

Your hostname Antispam.domain.com is assigned to a server.
We check if there is a server (A Record) behind your hostname Antispam.domain.com.
A records (Antispam.domain.com) : 
83.83.83.12

Your message could be improved
Checks whether your message is well formatted or not.
Weight of the HTML version of your message: 2KB.
Your message contains 30% of text.
You have no images in your message
Your content is safe
We didn't find short URLs
Your message does not contain a List-Unsubscribe header
The List-Unsubscribe header is required if you send mass emails, it enables the user to easily unsubscribe from your mailing list.
Your message does not contain a List-Unsubscribe header

Open in new window

0
 
LVL 5

Expert Comment

by:Mdlinnett
ID: 41725129
Thanks, that's good progress.

Looks like your answer is to adjust your PTR / rDNS record to antispam.domain.com instead of mail.domain.com, then try the test again.
0
 

Author Comment

by:Rami Mansour
ID: 41725600
I should add one more PTR record or I will change the mail .domain,com to antispam.domain.com

I will share with you the Domain DNS Configurations could you pls advise in regard
0
 
LVL 5

Expert Comment

by:Mdlinnett
ID: 41725760
Out of interest, what is your Exchange Send Connector advertising itself as?

You can only have one ptr record per up address so, as things currently stand, you would need to update your existing ptr for 83.83.83.10 to antispam.Domain.com.
0
 

Author Comment

by:Rami Mansour
ID: 41726432
I did and still showing Reverse DNS does not match SMTP Banner. in order, now the remaining on the  mail-tester is the following:


Your message is not signed with DKIM
DomainKeys Identified Mail (DKIM) is a method for associating a domain name to an email message, thereby allowing a person, role, or organization to claim some responsibility for the message.

--------------------------------------------------------------
The body of your message contains errors
        Checks whether your message is well formatted or not.
                    Weight of the HTML version of your message: 27KB.
                    Your message contains 5% of text.
We found 2 images without alt attribute in your message body
       ALT attributes provide a textual alternative to your images.
        [list=1]It is a useful fallback for people suffering from sight problems and for cases where your images cannot be displayed.
<img border="0" width="42" height="53" id="Picture_x0020_6" src="data:image/jpeg;base64,/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAoHBwgHBgoICAgLCgoLDhgQDg0NDh0VFhEYIx8lJCIf IiEmKzcvJik0KSEiMEExNDk7Pj4+JS5ESU[/list]
        [list]<img border="0" width="479" height="43" id="Picture_x0020_11" src="data:image/jpeg;base64,/9j/4AAQSkZJRgABAQEAYABgAAD/2wBDAAoHBwgHBgoICAgLCgoLDhgQDg0NDh0VFhEYIx8lJCIf IiEmKzcvJik0KSEiMEExNDk7Pj4+JS5E
If you don't want to add an alt attribute, add an empty one: alt=""
[/list]

Your message does not contain a List-Unsubscribe header
          The List-Unsubscribe header is required if you send mass emails, it enables the user to easily unsubscribe from your               mailing list.
           Your message does not contain a List-Unsubscribe header

Open in new window



In addition, I was facing an issue Some messages cannot be delivered successfully to certain domains. It's going to junk folders  such as Gmail, Hotmail the and the below found when I check the message header the following noted:


Forefront Antispam Report Header– 
Language	en
Spam Confidence Level	5
Spam Filtering Verdict	SPM
HELO/EHLO String	BLU004-MC1F24.hotmail.com

Open in new window

0
 

Accepted Solution

by:
Rami Mansour earned 0 total points
ID: 41745929
I have solved this was the ESMTP inspection on the ASA firewall
0
 

Author Closing Comment

by:Rami Mansour
ID: 41751801
it is working with me
0

Featured Post

Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Find out what you should include to make the best professional email signature for your organization.
This article explains how to install and use the NTBackup utility that comes with Windows Server.
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

829 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question