Reverse DNS does not match SMTP Banner

  • Question

  • We've been getting complaints (since we upgraded from Exchange 2007 to Exchange 2010) from our users stating that sometimes email doesn't arrive at its destination, so I decided to do an SMTP scan using http://mxtoolbox.com/SuperTool.aspx and I get the following information...

    Company name and IP address changed

    220 servername.company.local ESMTP Service ready

     OK - 188.201.xxx.xxx resolves to mail.company.com
     Warning - Reverse DNS does not match SMTP Banner
     0 seconds - Good on Connection time
    Not an open relay.
     5.897 seconds - Warning on Transaction time

    It states that my Reverse DNS does not match my SMTP banner; shouldn't this be "220 mail.company.com ESMTP" instead of "220 servername.company.local ESMTP"..?

    And if so, how do I correct this on my Exchange Server..?

    Tuesday, January 31, 2012 3:21 PM

All replies

  • Have you looked at the settings of your Send and Default Receive connectors?  On the Default Receive connector, look at the value for "Specify the FQDN..." and see if it matches the external name.  On the Send Connector, look for the exact same value.

    Also, look on MXToolBox.com and check the PTR for the mail server as well.  Just run "ptr:188.201.xxx.xxx" where you put your domain name the first time for testing.  See if the results match what you expect them to be.


    JAUCG
    Thursday, February 2, 2012 4:49 AM
  • In Exchange 2010, follow these to check on your Exchange Server:

    The send connector:

    EMC->Organization Configuration->Hub Transport->Send Connectors->choose the send connector->properties->General tab->type the A record domain name you created into the Fully Qualified Domain Name (FQDN) field->OK

    Also follow that to check the receive connector (receive connectors are under EMC->Server Configuration->Hub Transport).

    Thanks,

    Evan

    Evan Liu

    TechNet Community Support

    Thursday, February 2, 2012 9:23 AM
    Moderator
  • JAUCG,

    When I do a "ptr:188.201.xxx.xxx" via MXToolbox.com I get...

    PTR 188.201.xxx.xxx mail.COMPANY.com 24 hrs

    This looks like it should be correct.

    Tuesday, February 7, 2012 9:33 AM
  • OK.  But take a look at your Send and Receive?  You need to check the FQDN on those connectors. Take a look at the locations Evan Liu pointed out in the reply above yours.


    JAUCG

    Tuesday, February 7, 2012 2:36 PM
  • Hi Evan,

    I've checked the send and receive connectors...

    Send Connectors: there are 2, both are enabled

    • Default SERVERNAME - FQDN:  SERVERNAME.DCNAME.local - Route to the following smart hosts: 195.121.6.52 - Source Server: SERVERNAME, DCNAME.local/configuration/Sites/Default-First-Site_Name
    • mail.COMPANY.com - FQDN:  mail.COMPANY.com - Route to the following smart hosts: 195.121.6.52 - Source Server: SERVERNAME, DCNAME.local/configuration/Sites/Default-First-Site_Name

    Receive Connectors: there are 3, all three are enabled

    • Client SERVERNAME - FQDN:  mail.COMPANY.com - Network: IPv4 port 587, IPv6 port 587 - Permission Groups: Exchange Users
    • Default SERVERNAME - FQDN:  SERVERNAME.DCNAME.local - Network: IPv4 port 25, IPv6 port 25 - Permission Groups: Anonymous Users, Exchange Users, Exchange Servers, Legacy Exchange Servers
    • Relay Internal Applications - FQDN:  mail.COMPANYNAME.com - Network: IPv4 port 25 - Permission Groups: Anonymous Users, Exchange Users, Exchange Servers, Legacy Exchange Servers

    Bold text has been edited.

    Please keep in mind that I have had no ICT training; I'm doing ICT within our company next to my own job because our ICT guy got himself fired.

    Thanks for the help so far...  :)

    Tuesday, February 7, 2012 3:32 PM
  • Disable the first send connector.  I'm guessing you have a single Exchange 2010 with CAS-HT-MBX configuration.  I'm guessing you have outbound filtering.

    Also change the default receive connector to mail.company.com,  The relay one I'm going to guess is for printers or other devices.

    Wednesday, February 8, 2012 8:23 PM
  • Agreed.  This is where the issue was from the beginning as I had noted in my original reply to your post.


    JAUCG

    Wednesday, February 8, 2012 8:53 PM
  • Any updates on this?

    JAUCG

    Friday, February 24, 2012 4:30 PM
  • Check the headers on some of the emails you're sending out. I recently had this issue and, after checking that the FQDN (as recommended above) and the PTR records (with my DNS provider) were both correct, found that if your headers include internal server names and IPs, MXToolbox will fail on the Reverse DNS matching SMTP Banner test. You can use the 'Analyze Headers' tool on the MXToolbox site if you need.

    To remove the headers, make a transport rule. Whether or not you're using EdgeSync will determine where you make the rule.

    For single server installs:

    Go to Exchange Management Console -> Organization Configuration -> Hub Transport -> Transport Rules and then create a new transport rule.

    Conditions: Sent to Users Outside the organization
    Actions: Remove Header: 'Received'
    Exceptions: None

    For environments with an Edge server:

    On the Edge server go to Exchange Management Console -> Edge Transport -> Transport Rules and then create a new transport rule.

    Conditions: From users that are inside the organization
    Actions: Remove Header: 'Received'
    Exceptions: None

    FYI... If you want to get rid of the Warning on Transaction time test as well, go and check your TarpitInterval. It's probably on its default value of 5s.


    Wednesday, March 21, 2012 4:13 AM
  • Any updates?

    JAUCG


    Friday, March 23, 2012 6:29 PM
  • Please check & confirm the following points to resolve the issue.

    Assigning an IP address

    Starting from the bottom up the first thing you need to do is assign a static external IP address to the internal private address of your mail server. You will need to apply these rules on your firewall to port forward SMTP (port 25) and NAT an external IP address to the internal address of the server.

    Something that a lot of administrators forget to do or check is to set the outgoing NAT rule to use the same external IP address created for the inbound rule to the mail server. If this isn't set, Reverse DNS will not match and in turn your mail server will be listed on blacklists. If your firewall rules are setup correctly the IP address listed on this page should be the same IP address you mapped to the internal private IP address of the mail server.

    Create the MX records for your mail server

    For the purpose of this example, listed below are all the details of my mail server to help you understand what you need to do.

    External IP: 87.22.1.22

    E-Mail Domain: domain.com

    You will need to be an administrative contact with your external DNS provider for your domain to make these changes. In most cases this can be done through an online control panel from your DNS provider. Failing that, on the phone or via E-Mail.

    1. The first thing we need to do is create an A record to point to the external IP address mapped on your firewall to the mail server. The host A record can be called anything but is commonly called "mail". In our example we will create "mail.domain.com" to point to IP address "87.22.1.22"

    2. Next we will create an MX record to point to the newly created A record of our mail server.

    Within your DNS control panel select "add MX record". Make sure that the host address is the root domain name in our case "domain.com"

    Set the FQDN as the A record we just created which in our case is "mail.domain.com".

    The lowest priority value is the most preferred, but in our example we will set the priority as 10.

    Use NSlookup to check DNS and MX records are applied

    It can take up to 48 hours for DNS to propagate but in most cases 12-24 hours. To check our DNS entries are applied and correct we can use nslookup.

    1. Open a CMD prompt and type nslookup

    2. Type set type=mx

    3. Type the domain name which in our case is domain.com.

    In our example the output should read as follows if correctly setup:

    > domain.com

    Non-authoritative answer:

    domain.com MX preference = 10, mail exchanger = mail.domain.com

    mail.domain.com internet address = 87.22.1.22

    Configure Reverse DNS

    Reverse DNS is used to verify that the mail server is who it says it is. The recipient's mail server will do a reverse lookup to make sure that the IP address of the mail A or host record in DNS is the same as the IP address it is communicating with. Only 1 RDNS entry can be present per IP address.

    To do this you will need to contact your ISP to make this entry. You will not be able to do this in your DNS control panel unless your ISP also hosts your DNS and gives you the functionality to add your own RDNS records.

    In our case we would contact our ISP and advise that we would like to create an RDNS entry for our IP address 87.22.1.22 which would resolve to mail.domain.com.

    Verify Reverse DNS

    Again it can take up to 48 hours for DNS to propagate but in most cases 12-24 hours. To verify that the RDNS entries have been added and are correct do the following:

    1. Open a CMD prompt.

    2. Type Ping -a 87.22.1.22 (This is the external IP address for your mail server. In our case we use our external IP address stated above)

    If RDNS is configured correctly the following output will be shown:

    C:\Users\User>ping -a 87.22.1.22

    Pinging mail.domain.com [87.22.1.22] with 32 bytes of data:

    SMTP Banner

    Every time a mail server establishes a connection with your mail server it shows its SMTP banner. This banner must be resolvable on the internet and best practice is to have it as your mail host/A record.

    Configure SMTP banner Exchange 2010

    1. Open the Exchange management console.

    2. Select the Organisation Configuration container.

    3. Select Hub Transport container.

    4. On the right select the Send Connectors tab.

    5. Right click your send connector and select properties.

    6. On the General tab under the Set the FQDN this connector will... type the A record domain name you created. Which in our case is mail.domain.com. Click OK.

    7. Under the Server Configuration container click the Hub Transport container.

    8. In the Right window Select the properties of the Receive Connector under Receive Connectors tab.

    9. On the General tab under the Set the FQDN this connector will... type the A record domain name you created. Which in our case is mail.domain.com. Click OK

    To verify these changes we can use telnet to view the output upon establishing a connection on port 25 to our mail server. Use the following steps to do this:

    1. Open a CMD prompt

    2. Type Telnet mail.domain.com 25.

    The output you see should look something like this and contain your A record of your mail server:

    220 mail.domain.com Microsoft ESMTP MAIL Service ready at Sun, 28 Feb 2010 17:51:20 +0000

    If you use an edge server or a SPAM filter appliance like a Barracuda the SMTP banner will have to be set on this device/server.

    Check to see if your mail server is on spam lists and/or an open relay

    A great website to use to check your MX records, RDNS, check if your mail server is an open relay and check to see if you are listed on spam lists is www.mxtoolbox.com. This is a great site and one to keep in your favourites.

    Link: http://ezinearticles.com/?Configure-Exchange-E-Mail-Server-Reverse-DNS-and-MX-Records-Correctly&id=3844191

    Saturday, March 24, 2012 6:19 PM
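    The checks MXToolbox ran in the original question and the A/PTR/banner setup this post walks through, as an added Python example (not code from the thread or from MXToolbox): it parses the 220 greeting, compares the announced name with the PTR of the connecting IP, and confirms that PTR name resolves back to the same IP. The IP, names and banners are constructed sample values; resolve() needs network access and is not used by the sample.

```python
import re
import socket

# Constructed sample values (assumed, not from the thread): the IP a remote MTA
# connected to, its PTR name, the A records of that PTR name, and two greetings.
SAMPLE_IP = "192.0.2.25"
SAMPLE_PTR = "mail.company.example"
SAMPLE_FORWARD = ["192.0.2.25"]
BAD_BANNER = "220 servername.company.local ESMTP Service ready"
GOOD_BANNER = "220 mail.company.example Microsoft ESMTP MAIL Service ready"

# RFC 5321 greeting: "220" then a space (or "-" for multi-line) then the hostname.
BANNER_RE = re.compile(r"^220[ -](\S+)")


def banner_hostname(banner):
    """Return the hostname the server announces in its 220 greeting, or None."""
    m = BANNER_RE.match(banner.strip())
    return m.group(1).lower() if m else None


def check_banner(ip, ptr_name, forward_ips, banner):
    """Return a list of findings; an empty list means banner, PTR and A record agree."""
    findings = []
    host = banner_hostname(banner)
    if host is None:
        return ["server did not send a 220 greeting"]
    # A .local or single-label name is not resolvable on the internet.
    if host.endswith(".local") or "." not in host:
        findings.append(f"banner name {host} is not resolvable on the internet")
    if ptr_name is None:
        findings.append(f"no PTR record for {ip}")
        return findings
    ptr_name = ptr_name.rstrip(".").lower()  # DNS names compare case-insensitively
    # Forward-confirmed reverse DNS: the PTR name must resolve back to the IP.
    if ip not in forward_ips:
        findings.append(f"PTR {ptr_name} does not resolve back to {ip}")
    if host != ptr_name:
        findings.append(f"reverse DNS {ptr_name} does not match SMTP banner {host}")
    return findings


def resolve(ip):
    """Live lookups (network required): PTR for ip, then A records of that name."""
    try:
        ptr = socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None, []
    try:
        return ptr, socket.gethostbyname_ex(ptr)[2]
    except socket.gaierror:
        return ptr, []
```

    Feeding the sample values in gives no findings for GOOD_BANNER and two for BAD_BANNER: the .local name is unresolvable, and it differs from the PTR.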
  • Thanks Yogesh Surve

    Question one:

    " Configure Reverse DNS

    Reverse DNS is used to verify that the mail server is who it says it is. The recipient's mail server will do a reverse lookup to make sure that the IP address of the mail A or host record in DNS is the same as the IP address it is communicating with. Only 1 RDNS entry can be present per IP address. "

    If I have 2 domain names, abc.com and xyz.com, with one IP 87.22.1.22, and the ISP created RDNS mail.abc.com <-> 87.22.1.22 and mail.xyz.com <-> 87.22.1.22.

    Any problem in this case with my email?

    Question two:

    "

    SMTP Banner

    Every time a mail server establishes a connection with your mail server it shows its SMTP banner. This banner must be resolvable on the internet and best practice is to have it as your mail host/A record.

    Configure SMTP banner Exchange 2010

    1. Open the Exchange management console.

    2. Select the Organisation Configuration container.

    3. Select Hub Transport container.

    4. On the right select the Send Connectors tab.

    5. Right click your send connector and select properties.

    6. On the General tab under the Set the FQDN this connector will... type the A record domain name you created. Which in our case is mail.domain.com. Click OK.

    7. Under the Server Configuration container click the Hub Transport container.

    8. In the Right window Select the properties of the Receive Connector under Receive Connectors tab.

    9. On the General tab under the Set the FQDN this connector will... type the A record domain name you created. Which in our case is mail.domain.com. Click OK

    "

    What can I do when I have 2 domain names, mail.abc.com and mail.xyz.com?

    How do I set the FQDN?

    Please help me.

    Hung


    Monday, May 7, 2012 8:55 AM
  • So if your email server hosts multiple email domains on one IP address how do you configure your Reverse DNS? Is the Reverse DNS entry supposed to reflect the email domain that is sending the email or just the FQDN of the email server (independent of the email domains)?

    Stephen

    Monday, May 21, 2012 2:28 PM
  • Any update? I have the same problem; I have 4 domain names. How do I need to configure the SMTP banner??

    Monday, February 4, 2013 2:27 PM
  • Your issue is in the PTR record. If you register your Exchange domain with a provider like godaddy.com, you can't create your PTR record on GoDaddy; they will tell you that you must create the PTR record with the ISP that provides you with the Exchange real IP.

    All in all, it's not a big issue.

    Monday, May 27, 2013 12:56 PM
  • Thanks. What about if I have 2 IP addresses used for the one exchange server?

    I can see the Specify the FQDN of the connector would be mail1.example.com for the first MX record mail1.example.com

    but what about the other MX record mail2.example.com?

    Regards

    Peter


    Yours from Peter @ simplicity.je JERSEY

    Friday, July 26, 2013 4:16 PM
  • Any update? I have the same problem; I have 4 domain names. How do I need to configure the SMTP banner??

    Run this command in exchange shell:

    Set-ReceiveConnector "NAME OF RECEIVE CONNECTOR" -Banner "220 MAIL.DOMAIN.COM"

    telnet in to your mail server's IP on port 25 before and after and you will see the change....

    Sunday, September 1, 2013 6:01 PM
  • Set-ReceiveConnector "Default Frontend server" -Banner "220 mail.Contoso.com"

    Thursday, March 5, 2015 12:54 PM