Gateway reverse lookup

Hi Everyone

What is the best practice for gateways? For example, we got blacklisted a while ago and our public IP is still blacklisted on SpamRATS. It says something about reverse lookup not being set up.

The exact message is "Does IP Address comply with reverse hostname naming convention". While letting my ISP know, we were told to liaise directly with SpamRATS, which I did, but the IP has not been given the OK by SpamRATS. I think that they want us to set reverse DNS on the gateway.

1) What is the best practice for gateways?
2) What happens if I give it a name with my domain? nnn.kkk.school.fj.
3) Does it interrupt my traffic?
4) Do I have to change my firewall rules based on the name change?
5) What all do I have to do to get this done?
6) What is the whole purpose of reverse DNS on a gateway, as I was told by my ISP that they only set it up if told by a customer to do so?
Member_2_6474242 (Senior Systems Administrator) asked:

noci (Software Engineer) commented:
If your IP address is 1.2.3.4
and your mail server has the name mail.example.com, then
it should present itself with: HELO mail.example.com
(from the IP address 1.2.3.4...)

Then the remote mail server will look up where the connection was from (i.e. 1.2.3.4) and ask for the PTR 4.3.2.1.in-addr.arpa,
and that answer SHOULD be mail.example.com (only your ISP can arrange this reverse lookup...)

OTOH: if the ISP will not change it, then if the reverse lookup delivers cust1234.isp.example.com, maybe you need to configure your mail server to present cust1234.isp.example.com as the mail server's name.

After this is fixed: look into SPF, DKIM & DMARC.
1

Blue Street Tech (Last Knight) commented:
1) What is the best practice for gateways?
Not sure what you are asking here.
2) What happens if I give it a name with my domain? nnn.kkk.school.fj.
Not sure what you are asking here again, but I believe noci addressed this.
3) Does it interrupt my traffic?
Nope!
4) Do I have to change my firewall rules based on the name change?
No.
5) What all do I have to do to get this done?
Your ISP needs to set this record, so contact them to do so.
6) What is the whole purpose of reverse DNS on a gateway, as I was told by my ISP that they only set it up if told by a customer to do so?
Noci already answered this quite well!

Some other items you should consider to prevent blacklisting are:
• Remove all open relays
• SPF, DKIM & DMARC as noci stated.
• Consider offboarding your security & anti-spam engine to the cloud like Microsoft EOP (Exchange Online Protection) - it works for cloud, hybrid and on-premise Exchange environments.

Microsoft EOP is a cloud-based email filtering service that protects your company against spam & malware, and includes features to safeguard you from messaging-policy violations (like the one you got!). EOP can simplify the management of your messaging environment and alleviate many of the burdens that come with maintaining on-premises hardware & software, especially Sender IP-reputation. https://technet.microsoft.com/library/exchange-online-protection-service-description.aspx

There are others besides Microsoft EOP, such as Google Postini, SonicWALL Hosted Email Security, Barracuda Spam, Cisco IronPort & so on, but I prefer Microsoft EOP and it's relatively inexpensive.

They all function similarly in that you use their IPs instead of your own so your liability & risk is shifted to them. You don't have to worry about getting your IP blacklisted and that halting your ability to function and send/receive mail because again the IPs you are sending from are not yours and they [the providers] are very diligent to make sure their IPs do not get blacklisted.
0
Member_2_6474242 (Senior Systems Administrator, Author) commented:
1) What is the best practice for gateways? For example, is it the right practice to set up reverse DNS for gateways? If so, why is it needed? Why have we been blacklisted based on the gateway IP for reverse DNS?

2) What happens if I give it a name with my domain? Let's say my public IP is 1.2.3.4. If I tell my ISP to set up reverse DNS of xxx.kkk.school.fj

What does it impact? What are the things to consider before doing it?
0

Blue Street Tech (Last Knight) commented:
1) What is the best practice for gateways? For example, is it the right practice to set up reverse DNS for gateways? If so, why is it needed? Why have we been blacklisted based on the gateway IP for reverse DNS?
Your IP for your mail host nnn.kkk.school.fj must have a PTR record set up by your ISP. When your mail server is queried it will respond with nnn.kkk.school.fj from IP: 1.1.1.1 (your actual public IP address). Then the IP address (1.1.1.1) is queried to see if it actually points to your mail server (nnn.kkk.school.fj). If you don't have a PTR record set up by your ISP, when someone queries your IP address it will not show that it belongs to nnn.kkk.school.fj. It is a form of a Trusted Chain. Does that make sense?
noci already answered this in comment: https:#a42480838

2) What happens if I give it a name with my domain? Let's say my public IP is 1.2.3.4. If I tell my ISP to set up reverse DNS of xxx.kkk.school.fj
I explained this in my first response above!

What does it impact? What are the things to consider before doing it?
You should have done it when you set up the mail server. You should do it immediately - there is no harm, only positives for you! ISPs take a long time to do anything; submit that you want it ASAP!
0
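The chain described in the answers above (PTR lookup for the connecting IP, forward lookup of that name back to the same IP, comparison with the HELO name), as an added example that is not part of any participant's post and does not reproduce SpamRATS' own naming test. The records in `PTR` and `A` are constructed sample data built from the thread's placeholder names, and `check_sender`, `demo` and the verdict strings are names invented for this example.

```python
import ipaddress
import socket

def reverse_name(ip):
    """Name a receiver queries for the PTR record, e.g. 4.3.2.1.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def system_ptr(ip):
    """PTR lookup via the system resolver; empty list when no record exists."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []

def system_addrs(host):
    """Forward A/AAAA lookup via the system resolver."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})
    except OSError:
        return []

def norm(name):
    return name.rstrip(".").lower()

def check_sender(ip, helo, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """Return (verdict, detail) for the PTR / forward-confirm / HELO chain."""
    ptrs = [norm(p) for p in ptr_lookup(ip)]
    if not ptrs:
        return "no-ptr", f"no PTR at {reverse_name(ip)}"
    want = ipaddress.ip_address(ip)
    confirmed = [p for p in ptrs
                 if any(ipaddress.ip_address(a) == want for a in addr_lookup(p))]
    if not confirmed:
        return "ptr-unconfirmed", f"{ptrs} do not resolve back to {ip}"
    if norm(helo) not in confirmed:
        return "helo-mismatch", f"HELO {helo} but PTR is {confirmed}"
    return "ok", f"{ip} <-> {confirmed[0]}"

# Constructed sample zone data (not real records), so the demo runs offline.
PTR = {"1.2.3.4": ["mail.example.com."], "1.2.3.5": ["cust1234.isp.example.com."]}
A = {"mail.example.com": ["1.2.3.4"], "cust1234.isp.example.com": ["1.2.3.5"]}

def demo():
    lookups = dict(ptr_lookup=lambda ip: PTR.get(ip, []),
                   addr_lookup=lambda host: A.get(host, []))
    cases = [("1.2.3.4", "mail.example.com"), ("1.2.3.5", "mail.example.com"),
             ("1.2.3.5", "cust1234.isp.example.com"), ("1.2.3.6", "mail.example.com")]
    return [check_sender(ip, helo, **lookups)[0] for ip, helo in cases]
```

Calling `check_sender(ip, helo)` without the lookup arguments uses the system resolver, which is how to confirm the ISP's PTR change has actually gone live.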
Member_2_6474242 (Senior Systems Administrator, Author) commented:
Thanks
0
Blue Street Tech (Last Knight) commented:
You are welcome! Glad I could help and thanks for the points!
0