RDNS validation failure
Hey everyone,
I need help with changing info, adding or correcting something from an initial AD and Exchange setup.
We are getting NDRs when sending to some addresses. Why did this take so long to surface?
If AD had been set up with xxxxx.org as the AD domain this would be a no-brainer I believe, as the mail server would have the correct FQDN and matching machine name. Since it does not, changes are required to allow the proper flow of email. I can’t tell you about the initial setup or why it’s here, and I need to deal with it.
Our AD domain is xxx.local with our Exchange Server having a FQDN of Exchange.xxx.local.
Our registered domain is xxxxx.org.
xxx.local and xxxxx.org don’t match so when a receiving mail server tries to validate RDNS it fails.
Many of you have likely seen this before. I edited the email server name and IP for security.
<exchange.xxx.local #5.7.1 smtp;554 5.7.1 <unknown[xxx.144.30.xxx]>: Client host rejected: rDNS/DNS_validation_failed.
Should our ISP create a PTR for us? Should it show
xxx.30.144.xxx.in-addr.arpa PTR
exchange.xxxxx.org?
Should I also use Masquerade domain entry on the SMTP advanced delivery options? If so I believe it would show Exchange.xxxxx.org
Thanks for getting me straightened out!
August 24th, 2010 7:56pm
Some version information would help here.
The name of your Exchange server and WINDOWS domain is completely immaterial.
All you need to do is ask your ISP to set the PTR record on your ISP to mail.example.com (where mail.example.com is a DNS record that points to your Exchange server).
Don't touch the masquerade domain value. The only other thing you need to change is the FQDN. For Exchange 2003 this is on the SMTP virtual server, under Advanced. For Exchange 2007 it is on the send connector.
http://www.amset.info/exchange/dnsconfig.asp
Simon.
Simon Butler, Exchange MVP. http://blog.sembee.co.uk , http://exbpa.com/
August 25th, 2010 12:16am
Sembee,
Exchange 03 on server 03 std. Preparing to transition to Exchange 2010 on 08 r2.
There was no A or PTR. We changed ISPs about 8 months ago; that may be the reason this is failing now. The old ISP may have had all this info and the new one does not.
So you say set the PTR to the internal FQDN, Exchange.xxx.local, or the external FQDN, Exchange.xxxxx.org? I could only imagine it has to be the external name, as the .local name is not routable. Too many of these posts do not fully explain the correct setup and what records need to be updated and by whom.
You say don't touch the masquerade domain value? I already had and it currently shows Exchange.xxxxx.org. Are you saying that the masquerade domain value should match the PTR that the ISP creates or that there should be a blank entry?
What about an A record for Exchange.xxxxx.org?
Since our domain is hosted somewhere other than our ISP, should the domain host also create similar A and PTR records so when a lookup occurs they will be found on the host's name servers?
Also I should note that the ISP has updated the PTR and it fails with this error so something is still missing.
xxx.144.30.xxx is the public facing IP that our mail server is at.
DNS Server Response: exchange.xxxxx.org
Reverse DNS is BAD for IP address: xxx.144.30.xxx this
August 25th, 2010 1:33am
If the change in ISPs occurred 8 months ago I am surprised this hasn't caught you out before now. A PTR record is almost mandatory for any email server on the Internet if you want reliable outbound email delivery.
The PTR record needs to be what the server is known as to the Internet. Using your internal name isn't going to work because that doesn't resolve on the Internet. Basically the remote server is looking to see if the DNS and PTR record both resolve, ideally to the same place.
The article I have posted above is mine, and I believe explains exactly who needs to update what.
On a default installation the masquerade domain is blank and it should be left blank. The circumstances that require it to be changed are not very common and there is nothing in your post to indicate that you are in that small group.
Simon.
Simon Butler, Exchange MVP. http://blog.sembee.co.uk , http://exbpa.com/
August 25th, 2010 6:46pm
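The check Simon describes (PTR resolves to a name, that name resolves back to the same IP, and the HELO name is a public FQDN) as an added example, not code from the thread or from Simon's article. The DNS table, the TEST-NET placeholder IP and the accept policy are constructed assumptions modelled on the thread's "after" state; real MTAs apply their own policy.

```python
import ipaddress
import socket
from typing import Callable, Dict, List

Resolver = Callable[[str], List[str]]

# Constructed records (not real DNS): a key is either an IP (simulating a PTR
# lookup) or a hostname (simulating an A lookup).
FAKE_DNS: Dict[str, List[str]] = {
    "203.0.113.25": ["exchange.example.org"],   # PTR, set by the ISP
    "exchange.example.org": ["203.0.113.25"],   # A record, set by the DNS host
    "oldmail.example.org": ["203.0.113.25"],    # stale A record with no PTR
}

def fake_resolve(name: str) -> List[str]:
    """Offline resolver over the constructed table."""
    return FAKE_DNS.get(name.lower().rstrip("."), [])

def live_resolve(name: str) -> List[str]:
    """Real resolver (needs network): PTR for an IP, A records for a name."""
    try:
        ipaddress.ip_address(name)
        return [socket.gethostbyaddr(name)[0]]
    except ValueError:
        pass            # not an IP, fall through to the forward lookup
    except OSError:
        return []
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def ptr_record_name(ip: str) -> str:
    """Owner name of the PTR record the ISP must create, e.g. 25.113.0.203.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def fcrdns_check(client_ip: str, helo_name: str, resolve: Resolver = fake_resolve) -> dict:
    """Run the client checks a receiving MTA typically applies and return the findings."""
    ptr_names = resolve(client_ip)
    # Forward-confirmed reverse DNS: some PTR target must resolve back to the client IP.
    confirmed = [n for n in ptr_names if client_ip in resolve(n)]
    # HELO/EHLO name (Exchange's FQDN setting) must be a public, resolvable name.
    helo_ips = resolve(helo_name)
    helo_public = not helo_name.lower().rstrip(".").endswith(".local")
    result = {
        "ptr_names": ptr_names,
        "fcrdns_ok": bool(confirmed),
        "helo_resolves": bool(helo_ips),
        "helo_matches_ip": client_ip in helo_ips,
        "helo_public_name": helo_public,
    }
    result["accept"] = result["fcrdns_ok"] and helo_public   # assumed policy
    return result
```

Pass `resolve=live_resolve` to run the same checks against real DNS for your own public IP and FQDN.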
Simon,
Please respond to what you see from this message header.
Incoming mail header info below.
X-Originating-IP: [xxx.144.30.xxx] this is correct
Received: from exchange.xxx.local (exchange.xxxxx.org [xxx.144.30.xxx] (may be forged))
Please tell me which name should be showing up? exchange.xxx.local or exchange.xxxxx.org? They are both showing.
It seems to me the one with the .local should not show up yet it is the internal name of our mail server and it is not routable so there is no way to verify the address via an A or PTR record.
No info you or anyone else is posting clearly demonstrates how a mail server on a .local domain, with mail routed to another destination on the MX record, should be configured, and which records should say what.
I really wish someone could show or demonstrate all necessary info completely without omissions or missing details.
The closest I have seen is this site, but some info is missing in regard to A & PTR records.
http://www.outlookexchange.com/articles/JasonSherry/sherry_c20p1.asp
Please take note of this: If you do not set the masquerading domain name, Exchange will use the AD domain name for the server, "altered.local" and pinky.altered.local for the FQDN for example. Both of these are invalid on the Internet and would trigger most spam filtering software.
This is the reason a masquerade domain name is necessary on the mail server, and I believe your info is incorrect stating it should be left blank.
Our PTR exists for exchange.xxxxx.org, is correct and is in our ISP's DNS.
Our Web host is responsible for the host A record since they are the SOA on record for our domain.
I have sent them a formal request to create the A record for exchange.xxxxx.org pointing to xxx.144.30.xxx, however since they are not responsible for that IP I am not sure they can.
Who is responsible for creating the A record? The ISP or the SOA?
At least if we can get the A record it should validate the PTR. I just need to know how to get our email server configured so it removes the .local section of the server name and only leaves the routable FQDN.
August 27th, 2010 12:15am
Hi CJlindel,
-> X-Originating-IP: [xxx.144.30.xxx] this is correct
Received: from exchange.xxx.local (exchange.xxxxx.org [xxx.144.30.xxx] (may be forged))
Please tell me which name should be showing up? exchange.xxx.local or exchange.xxxxx.org? They are both showing.
A: It would show your Exchange server FQDN; if your server is exchange.xxx.local, sure, it would be shown as that.
Per your description, your local domain is xxx.local, and you want your external SMTP address to use xxx.org, right?
If so, I would add another recipient policy setting xxx.org as the authoritative domain.
And then, you could let the ISP add a PTR record for the xxx.org.
If I misunderstand your issue please tell me.
Regards!
Gavin
August 27th, 2010 9:32am
Better news, and almost how I'd like it set up! Mail is no longer being rejected.
The PTR and A records must both be active, as the result below is good!
DNS Server Response: exchange.xxxxx.org
Reverse DNS is GOOD for IP address: xxx.144.30.xxx
You want your external SMTP address to use xxx.org, right?
YES
If so, I would add another recipient policy setting xxx.org as the authoritative domain.
HOW
And then, you could let the ISP add a PTR record for the xxx.org
Already done
Mail result from this morning still shows exchange.xxx.local, is there any way that can get changed in the config, if so how and where?
---- The original headers appear below this line ----
Received: from exchange.xxx.local (exchange.xxxxx.org [xxx.144.30.xxx])
by mxi7p.craigslist.org (Postfix) with ESMTP id 471C05EE48
August 27th, 2010 5:51pm
I answered that in both the posting and the link I provided above. You have to change the FQDN value.
Simon.
Simon Butler, Exchange MVP. http://blog.sembee.co.uk , http://exbpa.com/
August 27th, 2010 8:02pm
Hi CJlindell,
If you just want your external SMTP address to use xxx.org, why care about the message header? That is, the external receiving domain would see your sending domain as xxx.org, and for inbound email, the message header would show the FQDN of every SMTP node the message goes through.
About how to add one recipient policy you could refer to:
http://support.microsoft.com/kb/260973
Regards!
Gavin
August 30th, 2010 9:38am
Simon,
Though you try to help and post answers or links to answer questions, sometimes the person who is asking for help needs a bit more info or clarity, and providing the exact info in an example would clear up any confusion. Your examples say to not insert a masquerade domain name, hence it is not exact and confusing.
We all learn and process data differently; however our goals are all the same in most cases, which is to manage our systems as efficiently as possible. When we have problems we need exact info that is not confusing in any way, since the smallest details could mean success or failure.
August 30th, 2010 10:47pm
I am not sure what is misleading about what I have posted.
Masquerade domain is very rarely set; it isn't usually used by Exchange. Exchange 2003 is built on top of the IIS SMTP, therefore some settings in the screens are not used by Exchange at all. I have been working with Exchange for over six years, have answered 1000s of questions on the topic and I cannot think of one time when masquerade domain needs to be configured.
As I have already said in both my answers and the article I linked to above, the only thing that you need to set is the FQDN value. Everything else is DNS related.
Simon.
Simon Butler, Exchange MVP. http://blog.sembee.co.uk , http://exbpa.com/
September 1st, 2010 2:49pm
Perhaps the Masquerade name isn't necessary in most cases. However, with incoming mail being filtered at one location, our ISP being another location, and the domain initially set up as a .local instead of .org, it requires a bit more planning and configuration, especially when there are no records of who did what and when. As you know, chasing problems is what a lot of us do, and things that may have been misconfigured don't always jump out and say "here I am, fix me".
So it turns out that there had been an A record for us that was for a GroupWise mail server that has been gone for years! When the MS domain was set up no one considered naming conventions or other existing records to update them as needed. This all went unnoticed for many years.
You may have some great info to share and have contributed to help many others; however I have not seen anyone clearly stating what to do when the setup is like ours, and I had to fill in some bits and pieces myself.
September 1st, 2010 10:04pm