DNS & MX record trouble

  • DNS & MX record trouble

    Hello folks.
    I have recently been called to check on a standard Exchange 2007 server which was getting blacklisted, probably due to using a smarthost at the ISP, who is blacklisted on the entire IP range used to send mail. So I've reverted to using the best-practice MX record, i.e. 10.10.10.14.
    2 days later, the customer rings and complains that the server gets blacklisted on his router address 10.10.11.12 and its host name "staticdslrouters.routername.isp.net"! The mail header shows clearly that this is the address used and not the MX record's...
    The customer has the following setup at the ISP:
    A pool of 8 static IPs (10.10.10.10 to .17) which he can only use as long as he uses the 10.10.11.12 router address.
    An A record pointing to one of the 8 addresses:
    i.e. mail.company.com - 10.10.10.14.
    The MX record that points to mail.company.com.

    So, I've got my mail exchange set up "right" according to the ISP...


    Now, the "internal" AD structure is somewhat "funky".
    The main AD domain is set up as "internal.company.com" (NetBIOS name is INTERNAL). The parent zone "company.com" is not anywhere in AD nor DNS.
    The guy who built the AD there built it like this; there is no redundant domain or anything. He said to the customer "since you'll be using company.com for your outside domain, I'll set up internal.company.com here"....

    The most troubling, though, is that he is getting on the BLs due to misconfiguration on the MX record side....

    There is not an option to configure the customer's router with the MX record's IP so as to get rid of the problem. You see, the ISP says 'you've got to use this IP to have the octet of addresses'.
    So we do, but when we do, Barracuda blacklists us, probably because we use a different IP for the MX and a different IP for the sender server.
    As a last resort, should I use the router's IP as the MX record, as you describe in your article here, which is a method I always try to use myself?
    The ISP is beyond communication I'm afraid, as they will not admit to any fault whatsoever...
    What are we doing "wrong", if anything?
    Thanks in advance for any advice.

  • #2
    Re: DNS & MX record trouble

    Maybe it is just me but after the first paragraph I stopped reading.

    Try to clarify your question, I can't make heads or tails of this; you sound like our local helpdesk (they try but they never give me the info I need either).

    Things like "where" the blacklisting occurred are important; we are not your network administrators so we do not know your current configuration. Also my crystal ball has seemed to stop working due to some abuse from my side..
    Please give points where appropriate

    <I don't create ready scripts for you, but I'm willing to point you in the right direction>

    • #3
      Re: DNS & MX record trouble

      Originally posted by Silver23
      Maybe it is just me but after the first paragraph I stopped reading.

      Try to clarify your question, I can't make heads or tails of this; you sound like our local helpdesk (they try but they never give me the info I need either).

      Things like "where" the blacklisting occurred are important; we are not your network administrators so we do not know your current configuration. Also my crystal ball has seemed to stop working due to some abuse from my side..
      Thanks for pointing me in the right direction. Now send me the form I need to complete to communicate with you.... Or I could send you my helpdesk ticket through OTRS?

      Things like "where" the blacklisting occurred...
      As you could not read further than the first line, it is hard to employ your crystal ball. It's barracuda.org the customer got blacklisted on.
      The question was as simple as "what am I doing wrong" in setting up the transport and/or the router. And to the best of my abilities I tried to describe the problem I was facing.
      Network setups cannot be given easily, especially if you are a freelancer trying to work in different environments all the time, so experience taught me not to ask for them; I got bored getting no-can-dos for an answer.
      Should this garbled mass of information be useless to you, I do have a problem stating a question, so I must seek professional help for it.
      But as you see I am the courteous one here. Maybe you should seek some advice on people-handling skills....
      Sorry to have troubled your precious eyes so far.
      I appreciate mockery as much as the next guy. Lifts my spirits up.
      The not-so-worthy-to-look-at-your-face humble freelancer.

      PS I'm quite good at fixing crystal balls... maybe we could find a common ground...
      Last edited by azangr; 3rd February 2010, 19:44.

      • #4
        Re: DNS & MX record trouble

        Just a friendly reminder to keep things professional here.....

        Azangr -- I'm slightly confused about your use of private IP ranges 10.x.x.x -- are these assigned by your ISP?
        If so, the issue will be with their public addresses, as they must be using NAT between their clients and the internet.
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **

        • #5
          Re: DNS & MX record trouble

          Originally posted by Ossian
          Just a friendly reminder to keep things professional here.....

          Azangr -- I'm slightly confused about your use of private IP ranges 10.x.x.x -- are these assigned by your ISP?
          If so, the issue will be with their public addresses, as they must be using NAT between their clients and the internet.
          I always try to be courteous and professional, Ossian. I post in a lot of social networking media, so it's the first thing I try to achieve.
          I believe the confusion arose because I did not make very clear that the private addresses shown are just examples standing in for real IPs, i.e. like 72.52.147.187. I used the 10 range for simplicity reasons. Just pretend it's a real internet IP.
          Sorry if I confused anyone on this. Maybe an unfortunate pick of an example, since Cisco adores its private range of 10...

          • #6
            Re: DNS & MX record trouble

            Thanks for the clarification -- it's just that some ISPs DO use private address ranges.

            AFAIK you will have to submit "your" IP to the blacklists (each of them in turn) until you are clear.
            • #7
              Re: DNS & MX record trouble

              Courteous or simply polite. Well, that may be your definition then.

              I was just giving friendly advice. I just like being slightly cynical; must be my line of work. Since you are not one of my customers I don't NEED to help you. But as a fellow IT consultant I like to help people, the same as I like to receive some help from time to time.

              Since you are the one asking for help, I think you should be polite, even when others are not begging you to let them give you some assistance.

              Back on topic. If I get your story correctly, a delisting would not help you much, since you keep getting listed again pretty soon on another IP address your customer has available. Am I correct so far?

              If so, then the best step would be to check why you get listed by Barracuda. I'm not familiar with Barracuda. But usually people get blacklisted because an unusual amount of mail is being sent in a very short time, or the IP is on a list for dynamic IPs, or you have an open relay. Also it is possible your reverse DNS is being checked, which, when it doesn't correspond to the correct e-mail address, gets you blacklisted.

              There are more causes of getting blacklisted, but if I were you, I would read their website and find out what they check for and how you got on their blacklist. If you cannot find out, try phoning/mailing them.

              Internal DNS should not be a huge problem. It's just very inconvenient.

              If my conclusion is wrong then either I did not read your story very well or you didn't make it clear enough. I don't really care which.

              Hope to have helped you; if not, I guess I won't see the difference on my paycheck anyway..
              • #8
                Re: DNS & MX record trouble

                Strange what a huge number of phone calls can do with 8 IPs.....
                Since my first post, I've been in constant contact with the customer's integrator, who has been on the phone for about 10 hours in total with the ISP.
                Looks like the 8-IP range that was given to the customer 'was not doing what it was supposed to', in human terms, i.e. the MX record IP was not "pointing" properly to the router's IP. So we've been sending emails claiming to be the MX record but the sender IP was the router one. Which is a classic. No?


                My command of English is not that good, but I was always under the impression that courteous > polite, and polite is not the same as submissive. This is something you need to check, master Silver... I wish I had the time to explain to you the joys of being nice to people regardless, and not because of any interest involved, but, alas, I'm afraid you are not willing to understand. If every time I post here I'll need to pass your compliance test, then I would not. Such expressions are just.. err, cocky... I do apologize for my behavior, but I feel insulted by Silver's attitude towards people he doesn't understand.
                And if I had your Visa number I could send you 20p for your effort.
                So that your paycheck could differ a bit. And see that you get some joy from aiding the retarded guy who's asking for assistance....
                And try paintball. Lets a lot of vent out.

                Azan - Banned

                Mods, ever so soz.

                • #9
                  Re: DNS & MX record trouble

                  Originally posted by azangr
                  The guy who built the AD there built it like this; there is no redundant domain or anything. He said to the customer "since you'll be using company.com for your outside domain, I'll set up internal.company.com here"....
                  Just so you know, there's not really anything wrong with using that naming scheme. In fact, it's what Microsoft recommends. I can't think of anything that could be bad about creating an "internal.company.com" subdomain.


                  Originally posted by azangr
                  There is not an option to configure the customer's router with the MX record's IP so as to get rid of the problem. You see, the ISP says 'you've got to use this IP to have the octet of addresses'.
                  So we do, but when we do, Barracuda blacklists us, probably because we use a different IP for the MX and a different IP for the sender server.
                  Using different IPs for MX records and sending records isn't going to earn you a blacklisting. Sending spam out is, however, going to earn you a blacklisting. What I would recommend is making a firewall rule that blocks all outbound SMTP traffic unless it's coming from your internal mail server. That prevents viruses on PCs from spewing spam across the internet and earning your external IP a blacklisting. Furthermore, you should have some kind of outbound email scrubber that inspects all email that your server sends. More on that in a minute...

                  Originally posted by azangr
                  As a last resort, should I use the router's IP as the MX record, as you describe in your article here, which is a method I always try to use myself?
                  The ISP is beyond communication I'm afraid, as they will not admit to any fault whatsoever...
                  What are we doing "wrong", if anything?
                  Thanks in advance for any advice.
                  If you want to receive email directly to your email server, then yes. However, you could look into getting a secure SMTP relay server (known as a "Smart Host" in the Exchange world) like what you were using from your ISP (only this time get a SMTP relay that isn't blacklisted ) or a spam/virus filtering service like Postini or Symantec's Message Labs. Services like Postini act as your mail server's Smart Host and can scan your outbound messages for spam and viruses and quarantine them as well as inbound messages.

                  If you use a Smart Host like Postini, create a firewall rule that is even more restrictive: only SMTP traffic from your email server to the Smart Host is accepted, and vice versa. This will also prevent users from checking other email services like their personal email... which may or may not be acceptable. You may have to make small exceptions here and there.

                  Hope that helps.
                  Wesley David
                  LinkedIn | Careers 2.0
                  -------------------------------
                  Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
                  Vendor Neutral Certifications: CWNA
                  Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
                  Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/
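                  Silver23's note in #7 that the sending IP's reverse DNS may be checked, and Nonapeptide's point above that a differing MX and sender IP is not by itself the cause, can be checked together with a small diagnostic. The following is an added example, not code from this thread or from any poster: it runs the forward-confirmed rDNS and MX checks against a constructed DNS table modelled on the thread's example addresses, using an assumed list of "generic hostname" fragments rather than any real blacklist's rules.

```python
import ipaddress
import re

# Constructed DNS data modelled on the thread's example setup; these are not real
# records. MX for company.com -> mail.company.com -> 10.10.10.14, while the router
# 10.10.11.12 reverses to a generic ISP name whose A record points elsewhere.
ZONE = {
    ("company.com", "MX"): ["mail.company.com"],
    ("mail.company.com", "A"): ["10.10.10.14"],
    ("14.10.10.10.in-addr.arpa", "PTR"): ["mail.company.com"],
    ("12.11.10.10.in-addr.arpa", "PTR"): ["staticdslrouters.routername.isp.net"],
    ("staticdslrouters.routername.isp.net", "A"): ["10.10.11.99"],  # constructed
}

# Assumption: an illustrative list of fragments that many DNSBLs treat as
# "dynamic/generic" hostnames; no particular blacklist's rules are reproduced here.
GENERIC_RE = re.compile(r"(dsl|dyn|dhcp|pool|cable|ppp|static)", re.I)


def lookup(name, rtype):
    """Stub resolver over the constructed table (stands in for real DNS)."""
    return ZONE.get((name.lower(), rtype), [])


def sender_check(domain, sending_ip):
    """Collect the facts a receiver can establish about an outbound SMTP source IP."""
    ip = ipaddress.ip_address(sending_ip)
    ptr_names = lookup(ip.reverse_pointer, "PTR")
    # Forward-confirmed rDNS: the PTR name must resolve back to the sending IP.
    fcrdns = any(sending_ip in lookup(n, "A") for n in ptr_names)
    # Is the sending IP one of the domain's published MX hosts? (Informational:
    # sending from a non-MX address is legitimate as long as rDNS is consistent.)
    mx_ips = [a for mx in lookup(domain, "MX") for a in lookup(mx, "A")]
    return {
        "ptr": ptr_names[0] if ptr_names else None,
        "has_ptr": bool(ptr_names),
        "fcrdns": fcrdns,
        "generic_ptr": any(GENERIC_RE.search(n) for n in ptr_names),
        "is_mx_host": sending_ip in mx_ips,
    }


def findings(domain, sending_ip):
    """Turn the facts into the list of things worth fixing before asking for delisting."""
    r = sender_check(domain, sending_ip)
    notes = []
    if not r["has_ptr"]:
        notes.append("no PTR record")
    elif not r["fcrdns"]:
        notes.append("PTR does not resolve back to sending IP")
    if r["generic_ptr"]:
        notes.append("PTR looks like a generic/dynamic ISP name")
    if not r["is_mx_host"]:
        notes.append("sending IP is not an MX host (allowed, but rDNS should still match)")
    return notes
```

Run against the MX address the result is clean, while the router address trips all three checks, which matches the header azangr describes in the opening post.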

                  • #10
                    Re: DNS & MX record trouble

                    Originally posted by Nonapeptide
                    Just so you know, there's not really anything wrong with using that naming scheme. In fact, it's what Microsoft recommends. I can't think of anything that could be bad about creating an "internal.company.com" subdomain.
                    I remember reading that one quite a while back. Did not really employ it, so I've forgotten it completely. I always used to set up domains using local conventions.
                    Could I use the ISP's DNS to "manage" the "internal" zone, even to some extent?
                    Using different IPs for MX records and sending records isn't going to earn you a blacklisting. Sending spam out is, however, going to earn you a blacklisting. What I would recommend is making a firewall rule that blocks all outbound SMTP traffic unless it's coming from your internal mail server. That prevents viruses on PCs from spewing spam across the internet and earning your external IP a blacklisting....
                    We ve rectified that 2 days ago, just so we could strengthen overall security measures.
                    If you want to receive email directly to your email server, then yes. However, you could look into getting a secure SMTP relay server (known as a "Smart Host" in the Exchange world) like what you were using from your ISP (only this time get a SMTP relay that isn't blacklisted ) or a spam/virus filtering service like Postini or Symantec's Message Labs. Services like Postini act as your mail server's Smart Host and can scan your outbound messages for spam and viruses and quarantine them as well as inbound messages.
                    If you use a Smart Host like Postini, create a firewall rule that is even more restrictive: only SMTP traffic from your email server to the Smart Host is accepted, and vice versa. This will also prevent users from checking other email services like their personal email... which may or may not be acceptable. You may have to make small exceptions here and there.
                    Hope that helps.
                    It did indeed. Eye-opening and reassuring. I'll investigate the smart host idea and be free from the ISP's one.
                    Thanks Nonapeptide.

                    • #11
                      Re: DNS & MX record trouble

                      Originally posted by azangr
                      Could I use the ISP's DNS to "manage" the "internal" zone, even to some extent?
                      No, you never want a non Domain Controller managing your DNS (I suppose there are some exceptions that you could make... but I digress). The internal zone should be managed by domain controllers and, in my mind, there really shouldn't be a need for externally accessible records for any internal devices. I'm sure exceptions exist.
                      • #12
                        Re: DNS & MX record trouble

                        Thanks again Nonapeptide