Reverse DNS does not match SMTP Banner
  •  
eXtremer

Hi all.

I have one mail server and 2 internet providers, one IP resolves to mail.XXX.com and the other IP resolves to mail2.XXX.com

The internet hostname in Kerio is set to: mail.XXX.com

For the first IP (mail.XXX.com) - Reverse DNS matches SMTP Banner.
But for the second IP (mail2.XXX.com) - Reverse DNS does not match SMTP Banner


How to deal with this situation?

Thank you in advance.
  •  
TorW

Why is it a situation? Are your mails rejected?
  •  
eXtremer

I got this error in the log:

[09/Feb/2011 14:34:14] Recv: Queue-ID: 4d5289c6-00000a6a, Service: SMTP, From: <user@mail.com>, To: <suser@eeeemail.com>, Size: 3026, Sender-Host: 192.168.0.160
[09/Feb/2011 14:34:17] Sent: Queue-ID: 4d5289c6-00000a6a, Recipient: <suser@eeeemail.com>, Result: delayed, Status: 4.1.1 421 Refused. Your reverse DNS entry does not resolve.
[09/Feb/2011 14:34:17] Sent: Queue-ID: 4d5289c6-00000a69, Recipient: <suser@eeeemail.com>, Result: delayed, Status: 4.1.1 421 Refused. Your reverse DNS entry does not resolve.
[09/Feb/2011 14:36:13] Sent: Queue-ID: 4d5289c6-00000a69, Recipient: <suser@eeeemail.com>, Result: delayed, Status: 4.1.1 421 Refused. Your reverse DNS entry does not resolve.
[09/Feb/2011 14:40:17] Sent: Queue-ID: 4d5289c6-00000a6a, Recipient: <suser@eeeemail.com>, Result: delayed, Status: 4.1.1 421 Refused. Your reverse DNS entry does not resolve.
[09/Feb/2011 14:42:13] Sent: Queue-ID: 4d5289c6-00000a69, Recipient: <suser@eeeemail.com>, Result: delayed, Status: 4.1.1 421 Refused. Your reverse DNS entry does not resolve.
[09/Feb/2011 14:46:18] Sent: Queue-ID: 4d5289c6-00000a6a, Recipient: <suser@eeeemail.com>, Result: delayed, Status: 4.1.1 421 Refused. Your reverse DNS entry does not resolve.
[09/Feb/2011 14:48:20] Sent: Queue-ID: 4d5289c6-00000a69, Recipient: <suser@eeeemail.com>, Result: relayed, Status: 2.0.0


The mail still went after several retries.

So I'm thinking maybe it tried to send with the second provider (IP) that has "Reverse DNS does not match SMTP Banner"?
Another thing is that at that moment I didn't have internet with the second provider for about 15-20 min.
I'm not sure what caused this error from both cases...

[Updated on: Fri, 11 February 2011 08:02]

  •  
TorW

If the ISP's DNS was unavailable the moment the receiving mail server tried to reverse-resolve your IP, it would have gotten back an error. The receiver was smart enough to throw a soft error, and when the DNS was back online, your IP reverse-resolved and the mail got through.

However, this is just guesswork since your post is too obfuscated to be of any use.

Another thing: the reverse entries for your IPs are in two different name servers. Having both IPs reverse-resolve to the same hostname shouldn't be a problem.
  •  
eXtremer

TorW wrote on Fri, 11 February 2011 09:29
Having both IPs reverse-resolve to the same hostname shouldn't be a problem.


No.
One IP resolves to mail.XXX.com, and the second resolves to mail2.XXX.com
Why? Because there is just one server.

mail.XXX.com (first provider) - MX 0
mail2.XXX.com (second provider) - MX 10

If I put both IPs on MX 0 with the same hostname, then there is a possibility that messages will not be received by my server, if one of the providers is down and it is the first to respond to nslookup. But if I have MX 0 and MX 10 I will still get my mail.
  •  
TorW

Reverse name resolution has nothing to do with MX records, MX priorities, the SMTP protocol or ISPs' up- or downtime. It is merely a DNS PTR record pointing to a hostname. Think it through one more time, and the solution should be pretty obvious ...
  •  
eXtremer

So you're saying that I should get both IPs to resolve to mail.XXX.com?
  •  
TorW

Yes. Both IP addresses can be set up to point to the same hostname. When a remote MTA looks up the PTR record for 10.0.0.1 it will get "host.domain.tld" as the answer. When the same MTA looks up 10.1.0.1 (your other IP) it will get the same answer, only from a different DNS.

Point is: the PTR records (the reverse name) will always come from the DNS belonging to the ISP that has allocated you the IPs.

Example. Reverse-resolving my personal mail server (not a Kerio server) is done like this in OS X/Linux. The DNS system works out who to ask with recursion:
# host 80.203.228.237
237.228.203.80.in-addr.arpa domain name pointer loop.break-left.org.


Then the other way around:
# host loop.break-left.org
loop.break-left.org has address 80.203.228.237


If we ask another name server specifically (Google's public one), it doesn't know about it:
# host @google-public-dns-a.google.com 80.203.228.237
;; connection timed out; no servers could be reached

[Updated on: Fri, 11 February 2011 15:32]

  •  
eXtremer

Just one thing, you can't have two MX records in the DNS with the same host.domain!


This is what I'm talking about, this is wrong =>

@ 3600 MX0 host.domain.tld
@ 3600 MX10 host.domain.tld

Not wrong:

@ 3600 MX0 host.domain.tld
@ 3600 MX10 host2.domain.tld

  •  
TorW

The reason your mails bounce has nothing to do with your MX records. Put whatever you like in them. Did you (try to) understand my message above?
  •  
eXtremer

TorW wrote on Fri, 11 February 2011 16:44
The reason your mails bounce has nothing to do with your MX records. Put whatever you like in them. Did you (try to) understand my message above?


I wasn't talking about the error in my log now, it was a general statement. How should I avoid such a thing from now on? Having both IPs with the same hostname is not a solution in my case.
  •  
TorW

Assuming you want a backup MX record for the same mail server on a different ISP, your problem is solvable with the tools and setup you already have.

I.e. you can have two MX records and two internet hostnames, and still make other MTAs be able to do a reverse lookup on your server. Focus on what's possible, not on what's not.
  •  
elias

eXtremer wrote on Fri, 11 February 2011 09:19
I wasn't talking about the error in my log now, it was a general statement. How should I avoid such a thing from now on? Having both IPs with the same hostname is not a solution in my case.

It doesn't matter what the hostnames are or if they're the same. What matters is that the forward and reverse DNS records match.

If you have:

mail1.domain.com with IP 10.10.10.10
and
mail2.domain.com with IP 20.20.20.20

Then what matters is that looking up 10.10.10.10 returns mail1.domain.com and looking up 20.20.20.20 returns mail2.domain.com.

Your log tells you exactly what you need to know:
Quote:
Result: delayed, Status: 4.1.1 421 Refused. Your reverse DNS entry does not resolve.

While the message could be generic based on whatever mail server it is, it does seem specific; when it tried to look up 20.20.20.20, it didn't get an answer at all. It could also potentially mean that it got a hostname back, but it wasn't mail2.domain.com. Either way, that's where your problem lies.

The solution is to contact both ISPs and make sure they have the correct hostnames in their reverse records so that when mail servers look up your IPs, they get the correct hostnames back.

-Elias
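
The forward/reverse match discussed in this thread, written out as a check per outbound IP. This is an added example, not part of the original posts and not Kerio code; the DNS records are constructed from the example names and addresses in the post above, and the function names and result labels are assumptions.

```python
import socket

def live_ptr(ip):
    """PTR names from the system resolver; [] if the reverse entry does not resolve."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []

def live_a(name):
    """Addresses the name resolves to; [] on any lookup failure."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:
        return []

def check_sender_ip(ip, banner, ptr=live_ptr, fwd=live_a):
    """Classify one outbound IP by reverse record, forward match and SMTP banner."""
    names = [n.rstrip(".").lower() for n in ptr(ip)]
    if not names:
        return "no-ptr"  # the case behind "reverse DNS entry does not resolve"
    confirmed = [n for n in names if ip in fwd(n)]
    if not confirmed:
        return "ptr-not-forward-confirmed"
    if banner.rstrip(".").lower() not in confirmed:
        return "banner-mismatch"
    return "ok"

# Constructed records, built from the example names and addresses in the post above.
PTR = {"10.10.10.10": ["mail1.domain.com."], "20.20.20.20": ["mail2.domain.com."]}
A = {"mail1.domain.com": ["10.10.10.10"], "mail2.domain.com": ["20.20.20.20"]}

def audit(ips, banner, ptr_zone=PTR, a_zone=A):
    """Run the check for every outbound IP against an in-memory set of records."""
    ptr = lambda ip: ptr_zone.get(ip, [])
    fwd = lambda name: a_zone.get(name, [])
    return {ip: check_sender_ip(ip, banner, ptr, fwd) for ip in ips}

if __name__ == "__main__":
    # One banner, two ISPs: the second IP is forward-confirmed but not the banner name.
    print(audit(["10.10.10.10", "20.20.20.20"], "mail1.domain.com"))
```

Calling `check_sender_ip(ip, banner)` without the last two arguments runs the same check against live DNS through the system resolver.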
  •  
eXtremer

Ok guys, I'll see what to do, thanks for your help.