Reverse DNS name does not match domain name

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Reverse DNS name does not match domain name

    Hi,

    My customer, called, say, "xyz" has configured their Exchange 2003 to send outgoing mail by DNS rather than by using a smarthost. They correctly did this because their smarthost contract expired, and outgoing mail failed. As soon as they changed to use DNS to send mail, it all worked as expected. So far so good.

    The ISP hosting the ADSL broadband line has a reverse DNS record, that points mail.xyz.plusnet.com to the fixed public IP address for xyz's Internet connection.

    The Active directory domain name is xyz.local

    The email addresses all end in xyz.co.uk so this does not match the rDNS of mail.xyz.plusnet.com.

    Question 1 If, during the SMTP conversation, the recipient's server does a reverse lookup on their IP address, and finds "mail.xyz.plusnet.com" and finds that the email came from the domain xyz.co.uk, is the recipient's mail server going to complain that they don't match?

    Question 2 My understanding is that it should not matter that they do not match. However, if I wanted to ensure that the domain name that is announced by xyz's Exchange server purely for the purposes of the SMTP conversation appears to be mail.xyz.plusnet.com how do I configure Exchange to do that?

    I do not want "mail.xyz.plusnet.com" to appear anywhere else, i.e. I don't want that name showing up in any email address, I simply need to use that name in the HELO part of the SMTP conversation so a reverse DNS lookup matches the domain name that is announced.

    Thank you.
    Best wishes,
    PaulH.
    MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008

  • #2
    Re: Reverse DNS name does not match domain name

    q1> If it's Exchange 2k7 with spam then yes it will, but you can set a rule to let it through (or disable rDNS checks).
    q2> Your Exchange won't know about the reverse DNS unless it's in your DNS server (as it won't ask anyone else unless your forwarders are messed up); the foreign mail server/client will though. Make sure your internal/external addresses are correct; use CNAMEs and MX records in your DNS.

    Not having actual access to the system this is just a guess, but I'd do some internal/external testing while checking the message headers. You could ask the ISP to remove their reverse DNS (MS quite often use a dummy value in theirs)... (it's only used when someone on the net enters your IP to e.g. check spam (SCL) levels)... Ping from inside and outside to see what's resolved both by IP and domain.

    I may have misunderstood. I'm sure some other forum users will have a definite answer; until then the above wouldn't hurt to draw a clearer picture.

    I just re-read your post - reverse DNS goes from IP to name, DNS is name to IP.
    Last edited by SML; 14th May 2008, 15:22.



    • #3
      Re: Reverse DNS name does not match domain name

      Reverse Domain Name System Lookups
      If you receive messages directly from other domains on the Internet, you can configure your SMTP virtual server to perform a reverse Domain Name System (DNS) lookup on incoming e-mail messages. This verifies that the Internet Protocol (IP) address and fully qualified domain name (FQDN) of the sender's mail server corresponds to the domain name listed in the message.

      Question1 If, during the SMTP conversation, the recipient's server does a reverse lookup on their IP address, and finds "mail.xyz.plusnet.com" and finds that the email came from the domain xyz.co.uk, is the recipient's mail server going to complain that they don't match?
      Yes, it will.

      Question 2 My understanding is that it should not matter that they do not match. However, if I wanted to ensure that the domain name that is announced by xyz's Exchange server purely for the purposes of the SMTP conversation appears to be mail.xyz.plusnet.com how do I configure Exchange to do that?
      http://www.microsoft.com/downloads/d...displaylang=en
      [Powershell]
      Start-DayDream
      Set-Location Malibu Beach
      Get-Drink
      Lay-Back
      Start-Sleep
      ....
      Wake-Up!
      Resume-Service
      Write-Warning
      [/Powershell]

      BLOG: Therealshrimp.blogspot.com



      • #4
        Re: Reverse DNS name does not match domain name

        Hi SML:

        Thanks for your input - I forgot to say it is Exchange 2003.

        What I'm referring to is mail going out of my xyz.co.uk mail server, and the scenario where other people's mail servers do a rDNS lookup on mine. Therefore, changing my own rDNS lookup won't affect things.

        Regarding your re-read, I should rephrase perhaps by saying that when someone does an rDNS on the public IP address, they get back mail.xyz.plusnet.com
        Last edited by PaulH; 14th May 2008, 15:41.
        Best wishes,
        PaulH.
        MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



        • #5
          Re: Reverse DNS name does not match domain name

          Hi Killerbe,

          Many thanks for that useful info. Since posting last, I have also found this: http://www.amset.info/exchange/dnsconfig.asp

          The man at Amset is, I believe, a respected member of this forum (can't remember his name, I'm sorry to say) and here the article says I should put mail.xyz.plusnet.com in the Fully Qualified Domain Name part of the advanced properties of the "Delivery" section of the Default SMTP Virtual Server.

          Would doing that, bearing in mind that it is not to be seen in any other context, show the name mail.xyz.plusnet.com anywhere else?

          After all, that string, mail.xyz.plusnet.com, is meaningless to everyone except for the rDNS procedure part of things.
          Best wishes,
          PaulH.
          MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



          • #6
            Re: Reverse DNS name does not match domain name

            Hi SML,

            Thanks for that.

            Originally posted by SML
            ... how many people are going to check and understand an emails header?
            Well, I thought that email servers which had their tickbox "Perform reverse dns check" ticked did do just that.
            Best wishes,
            PaulH.
            MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



            • #7
              Re: Reverse DNS name does not match domain name

              If you made a send connector to relay from your Exchange to the ISP's then its reverse DNS will not trigger an SCL. The FQDN is whatever your IP resolves to externally (and internally for the internal one).

              e.g.
              petri.co.il's message source gives:

              Received: from host1.bluewhaleweb.com (72.52.147.186) by serv001.sml.local
              (10.0.0.10) with Microsoft SMTP Server (TLS) id 8.1.240.5; Wed, 14 May 2008
              16:28:52 +0100
              Received: (qmail 23631 invoked by uid 4; 14 May 2008 15:28:48 -0000
              Date: Wed, 14 May 2008 15:28:48 +0000

              as the send connector is set to relay through host1.bluewhaleweb.com

              Set it up and look at some test mails to see exactly what you're getting; different configs give different levels of info.



              • #8
                Re: Reverse DNS name does not match domain name

                Ok, so I think what you're saying also is that:
                A receiving server which does a rDNS lookup will not complain if the rDNS lookup comes back with a domain name that does not match the sender's email domain name.

                That makes sense to me, but I keep reading all over the place that they should match. Hmmm....
                Best wishes,
                PaulH.
                MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008



                • #9
                  Re: Reverse DNS name does not match domain name

                  Exchange 2k7 (and AOL...) may still give you grief but

                  as long as the last server in the mail route (the 1st IP in the message header) has a valid rDNS then it's OK - so you route through your ISP's if possible

                  or
                  have static IPs and do the name resolution yourself (have your DNS/router as the domain registered IP)



                  • #10
                    Re: Reverse DNS name does not match domain name

                    amset.info is my work.

                    Reverse DNS is quite simple. Basically the name on the SMTP banner needs to resolve. The IP address needs to have a reverse DNS address that resolves back to the same host. However it does not have to be in the same domain that you are hosting email for.

                    For example, your email domain could be example.co.uk but all the DNS records are for mail.example.net. That is fine. It will be accepted. The reverse DNS lookup as an antispam test is confirming the server is legitimate.

                    The perform reverse DNS lookup setting in Exchange is close to useless. Don't bother with it. However other sites will use it - AOL.com is the main one that causes problems if it isn't set.

                    Simon.
                    --
                    Simon Butler
                    Exchange MVP

                    Blog: http://blog.sembee.co.uk/
                    More Exchange Content: http://exchange.sembee.info/
                    Exchange Resources List: http://exbpa.com/
                    In the UK? Hire me: http://www.sembee.co.uk/

                    Sembee is a registered trademark, used here with permission.
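
The tests described in post #10, written out as an added example that is not part of the original thread or anyone's posted code: the HELO/banner name must resolve, the connecting IP's PTR name must resolve back to the same IP, and the PTR name does not need to be in the email domain. The function names, the pass rule in `acceptable`, the 203.0.113.x / 198.51.100.x addresses, `host20.isp.example` and the record tables are constructed assumptions; the default resolvers use the system's DNS.

```python
import socket

def norm(name):
    return name.rstrip(".").lower()

# System-resolver lookups; each returns [] when there is no record.
def live_ptr(ip):
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []

def live_a(name):
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check_sender(ip, helo, mail_domain, ptr=live_ptr, a=live_a):
    """Run the tests from the post against one connecting mail server."""
    ptr_names = [norm(n) for n in ptr(ip)]
    # Forward-confirmed rDNS: a PTR name must resolve back to the same IP.
    confirmed = [n for n in ptr_names if ip in a(n)]
    return {
        "helo_resolves": bool(a(norm(helo))),
        "ptr_forward_confirmed": bool(confirmed),
        "helo_matches_ptr": norm(helo) in confirmed,
        # Informational only: the post says this match is not required.
        "ptr_in_mail_domain": any(n.endswith("." + norm(mail_domain)) for n in ptr_names),
    }

def acceptable(result):
    """Assumed pass rule: HELO name resolves and rDNS is forward-confirmed."""
    return result["helo_resolves"] and result["ptr_forward_confirmed"]

# Constructed records (documentation address ranges), standing in for DNS.
PTR = {"203.0.113.10": ["mail.xyz.plusnet.com."],
       "203.0.113.20": ["host20.isp.example."]}
A = {"mail.xyz.plusnet.com": ["203.0.113.10"],
     "host20.isp.example": ["198.51.100.7"]}
fake_ptr = lambda ip: PTR.get(ip, [])
fake_a = lambda name: A.get(norm(name), [])

if __name__ == "__main__":
    for ip, helo in [("203.0.113.10", "mail.xyz.plusnet.com"),
                     ("203.0.113.10", "xyz.local"), ("203.0.113.20", "host20.isp.example")]:
        r = check_sender(ip, helo, "xyz.co.uk", fake_ptr, fake_a)
        print(ip, helo, "PASS" if acceptable(r) else "FAIL", r)
```

With the constructed records, only the first case passes: announcing the internal name `xyz.local` fails because it does not resolve publicly, and the third host fails because its PTR name points at a different address.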



                    • #11
                      Re: Reverse DNS name does not match domain name

                      Hi Simon,

                      Thank you - for your concise answer and for your work at amset.info - brilliant stuff.
                      Best wishes,
                      PaulH.
                      MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008
