1

Topic: SMTP Reverse DNS Mismatch

==== Required information ====
- iRedMail version: 0.9.0
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Linux/BSD distribution name and version: Debian 7
- Related log if you're reporting an issue:
====

Hello,

I believe others have asked this question before but sometimes OPs did not respond to suggestions or further questions from the community, so no resolution was found.

I have a single server set up to serve multiple domains. Email delivery for these is working, but when I test with mxtoolbox, I receive this message:


"SMTP Reverse DNS Mismatch     Warning - Reverse DNS does not match SMTP Banner

Connecting to <public IP address>

220 <internalhostname.domainAAA.com> ESMTP Postfix (Debian/GNU) [1310 ms]
EHLO MXTB-PWS3.mxtoolbox.com
250-<internalhostname.domainAAA.com>
250-PIPELINING
250-SIZE 15728640
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN [749 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 2.1.0 Ok [749 ms]
RCPT TO: <test@example.com>
554 5.7.1 <test@example.com>: Relay access denied [1482 ms]

MXTB-PWS3v2 5210ms"


My server's hostname is equivalent to internalhostname.domainAAA.com.

Each domain has a record for mail.domainXXX.com and each domain has a dedicated IP address.

PTR entries exist for "mail.domainXXX.com." to each public IP.

Each domain has MX records that point to mail.domainXXX.com, i.e. mail.domainBBB.com, mail.domainCCC.com.


If I run the test against these domains, each responds with internalhostname.domainAAA.com which is incorrect even for domainAAA.com as it should be mail.domainAAA.com.


If I understand correctly, when a mail server delivers mail to another server which serves multiple domains, it should specify the domain it is delivering for (example domainGGG.com), and the receiving server should reply to each connection as mail.domainGGG.com. If the email was for domainHHH.com, the response would be mail.domainHHH.com, etc.

Could anyone advise how I might achieve this in iRedMail? Thank you.


2

Re: SMTP Reverse DNS Mismatch

You'll have to set up multiple listeners (daemons) (one per IP) predefined with the correct HELO/EHLO setting. SMTP has no knowledge of the host used for the connection, unfortunately.
Edit:
You're asking about outbound. I wrote a tutorial that does this. It's basically sending from multiple IPs and with each IP you can change the name it uses. http://iredmail.org/docs/send.out.email … esses.html
The smtp_helo_name is the parameter you'll want to make sure matches your PTR rDNS.

3 (edited by jsmith 2015-04-26 04:56:43)

Re: SMTP Reverse DNS Mismatch

7t3chguy wrote:

You'll have to set up multiple listeners (daemons) (one per IP) predefined with the correct HELO/EHLO setting. SMTP has no knowledge of the host used for the connection, unfortunately.


Thank you for the advice. I am very new to setting up mail servers and have only a little experience with Linux in general.

What would you suggest? Is it necessary to achieve what I describe or am I just trying to tick all the boxes on the test for the sake of it?

Edit - sorry I missed your edit, thank you I will look in to it.

4

Re: SMTP Reverse DNS Mismatch

Some mail servers do not like the rDNS not matching as it often implies spam so I'd do it just in case. Ignore the top piece I wrote, just read the edit bit please

5

Re: SMTP Reverse DNS Mismatch

Hi 7t3chguy,

Thank you again for this and apologies I have not responded recently. I am just trying this now; could I ask you to confirm if this is correct? Your guide said to refer to examples, but I wasn't sure if I understood:

....

Create a file "/etc/postfix/sdd_transport.pcre" containing:

/@111\.com$/   sample-smtp:
/@222\.net$/   sample-smtp:


Append to  /etc/postfix/master.cf:

sample-smtp     unix -       -       n       -       -       smtp
    -o smtp_bind_address=111.111.111.111
    -o smtp_helo_name=mail.111.com


sample-smtp     unix -       -       n       -       -       smtp
    -o smtp_bind_address=222.222.222.222
    -o smtp_helo_name=mail.222.net

6

Re: SMTP Reverse DNS Mismatch

It's right, but they need different identifiers.
Name them like {domain without extension}-smtp instead of sample-smtp,
and in sdd_transport.pcre you'll need to use the correct one instead of all of them being sample-smtp.

7

Re: SMTP Reverse DNS Mismatch

Like so?


Create a file "/etc/postfix/sdd_transport.pcre" containing:

/@111\.com$/   111-smtp:
/@222\.net$/   222-smtp:

Append to  /etc/postfix/master.cf:

111-smtp     unix -       -       n       -       -       smtp
    -o smtp_bind_address=111.111.111.111
    -o smtp_helo_name=mail.111.com

222-smtp     unix -       -       n       -       -       smtp
    -o smtp_bind_address=222.222.222.222
    -o smtp_helo_name=mail.222.net

8

Re: SMTP Reverse DNS Mismatch

Yes.
Don't forget this line in main.cf though:
sender_dependent_default_transport_maps = pcre:/etc/postfix/sdd_transport.pcre

9

Re: SMTP Reverse DNS Mismatch

Thank you very much and yes I had done that first part sorry I should have been more clear - "...." was meant to indicate "I have done everything up to this point but need help with the following" in my earlier post.

That said it doesn't appear to be working for me even after restarting the service and the server. The first domain passes the mxtoolbox SMTP diag as I deliberately named the server "mail.firstdomain.com", so of course it responds as such. The second domain still responds with the same "mail.firstdomain.com".

10

Re: SMTP Reverse DNS Mismatch

This is for outbound. MXToolBox tests inbound, the setup for that would be additional to have the Banner change depending on which IP you connect through

11

Re: SMTP Reverse DNS Mismatch

Recipient Servers care about the part you've just done more than about the part you are missing.

12

Re: SMTP Reverse DNS Mismatch

AH! Thank you, I think I understand now.

So I have achieved what I hoped for but you mean the mxtoolbox SMTP test is the wrong tool to test the changes you suggested? I must have confused us both by telling you what I wanted but also mentioning the mxtoolbox test, I think you edited an earlier post when you realised what I meant was different to what I was saying.

OK, I checked the properties of an email I had sent to myself at another address. I now realise that although it looks as if the server is giving the correct response, it still doesn't seem right to me, but not due to iRedMail. My ISP assigned me some static IPs (let's say 111.222.333.100 to 111.222.333.200). I have created virtual IPs on my firewall to listen for the additional IP address traffic and NAT'd rules to the internal servers, and I have mapped hostnames to PTR records, but of course whatever DNS records I set up, all of my outgoing emails still appear to come from 111.222.333.100, the first public IP address.

I suppose I need to force the outgoing traffic out of each domain's assigned IP address, but as I say not a job for iRedMail. Thank you again for all your help.

13

Re: SMTP Reverse DNS Mismatch

/@111\.com$/   111-smtp:
/@222\.net$/   222-smtp:

Append to  /etc/postfix/master.cf:

111-smtp     unix -       -       n       -       -       smtp
    -o smtp_bind_address=111.111.111.111
    -o smtp_helo_name=mail.111.com

222-smtp     unix -       -       n       -       -       smtp
    -o smtp_bind_address=222.222.222.222
    -o smtp_helo_name=mail.222.net

Controls which IP is being used for outbound traffic.
Any domain matching /@222\.net$/ will be sent out of 222.222.222.222 with the HELO name of mail.222.net
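Added example (not from the thread or from iRedMail): a small checker that reads the sdd_transport.pcre map and the master.cf services from posts 7, 8 and 13 and reports which bind address and HELO name a given envelope sender will be sent with, and flags the two mistakes discussed above (duplicate service names, a map entry pointing at an undefined service). The sender addresses and config text are constructed for the demo.

```python
import re

# Constructed copies of the thread's sdd_transport.pcre and master.cf fragments.
SDD_TRANSPORT_PCRE = r"""
/@111\.com$/   111-smtp:
/@222\.net$/   222-smtp:
"""

MASTER_CF = """
111-smtp     unix -       -       n       -       -       smtp
    -o smtp_bind_address=111.111.111.111
    -o smtp_helo_name=mail.111.com
222-smtp     unix -       -       n       -       -       smtp
    -o smtp_bind_address=222.222.222.222
    -o smtp_helo_name=mail.222.net
"""

def parse_pcre_map(text):
    """Return [(compiled_regex, service_name)] in file order; first match wins."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\s*/(.*)/\s*(\S+)", line)      # /pattern/   result
        if m:
            rules.append((re.compile(m.group(1)), m.group(2).rstrip(":")))
    return rules

def parse_master_cf(text):
    """Return ({service: {option: value}}, [lint problems])."""
    services, problems, current = {}, [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():                         # continuation: -o key=value
            m = re.match(r"\s*-o\s+([^=\s]+)=(\S+)", line)
            if m and current is not None:
                services[current][m.group(1)] = m.group(2)
            continue
        name = line.split()[0]
        if name in services:                          # the post-5 mistake
            problems.append(f"duplicate service name {name!r} in master.cf")
        services[name] = {}
        current = name
    return services, problems

def resolve_sender(sender, rules, services):
    """(smtp_bind_address, smtp_helo_name) Postfix would use for this sender."""
    for rx, service in rules:
        if rx.search(sender):
            opts = services.get(service)
            if opts is None:                          # map points at a missing service
                raise KeyError(f"service {service!r} referenced but not defined")
            return opts.get("smtp_bind_address"), opts.get("smtp_helo_name")
    return None                                       # falls back to default_transport
```

The HELO name returned for each sender is the one whose forward and PTR records must agree with the bind address for the rDNS check to pass.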

14

Re: SMTP Reverse DNS Mismatch

I still must be missing something in my understanding then. My network is behind a NAT firewall, and all hosts behind it have internal IP addresses. I do not see how "mail.domain.com" can claim or bind to 111.222.333.100 when its IP address is 192.168.0.100, it has no ownership of the external IP.

Now that I am explaining it this seems obvious to me and I apologise for not being clear, I think I need to configure my firewall to directly present 111.222.333.100 to an internal host, then I can see how your advice would come in to play.

15

Re: SMTP Reverse DNS Mismatch

Yeah, you'll have to, or give your host multiple internals and have the NAT firewall translate them properly accordingly.

16

Re: SMTP Reverse DNS Mismatch

7t3chguy wrote:

.......or give your host multiple internals and have the Nat firewall translate them properly accordingly

Thanks again, I had just begun researching how to achieve this and you have narrowed down my choices (and suggested the method that seemed most secure). I do appreciate all your help and patience.

17

Re: SMTP Reverse DNS Mismatch

No problem, glad I could help