Email rejected due to DNS resolution problem

Status
Not open for further replies.

Vachaun22

Programmer
Oct 7, 2003
171
US
I've stumbled onto a semi-annoying error/reject message coming from, so far, only one other domain. Now personally, I think that this other domain is doing a bit of excessive spam checking, as the mail server is doing a reverse DNS resolution to check for valid email, but here's the problem.

We have 2 mail servers at our company. One mail server sits outside of the network, on the internet, and globally accepts mail for our domains. On the one domain, it simply pushes mail through to the Exchange server for delivery. This is all well and good. The problem is sending mail. Our Exchange users of course send their mail through the Exchange server, which then sends the email off to its destination. Since this server is on the inside of the network, its computer name obviously doesn't resolve to our external IP address, which the reverse DNS will fail on.

The most convenient way to send the mail would be to simply remove the machine name from the headers, which I'm probably going to assume isn't possible. The other, more involved way would be to make our external mail server the smart host.

Are there any other options that I can use to resolve this problem? I'm sure eventually this problem will worsen.
 
You must have, according to the RFC, an rDNS entry for any public IP address that sends email. The holder of the IP address (the ISP) needs to set it up.

If you can post the text of the NDR, that might help verify the issue.

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)
 
Well, I don't have the actual NDR anymore. But the basic error message was to the extent of:

computer.domain.com does not resolve to XXX.XXX.XXX.XXX

and the mail was rejected.

Of course 'computer.domain.com' won't resolve to our IP address because it was on the inside of our network using our private IP addresses. What I've done at this point was to alter the FQDN in the Exchange server setup to not have the computer name, so now email shows as coming from domain.com, which will resolve at this point to the correct IP address. I know that's not proper to do it this way, so I'm figuring I should set up the smarthost relay, which I'm a little leery of because of inadvertently opening the machine up to relaying.

Just have to do my research most likely.
 
Well, what I did is change the FQDN to the FQDN of the external mail server. So now the headers show that it originated from the external mail server, which will resolve, and of course it resolves properly inside the network because I have that DNS record on the server.

I guess my only question is, how outlandishly bad practice is it to have one of my mail servers completely masquerading as another one of my mail servers, right down to the machine name?
 
Bad practice? You're just following the requirements of the RFC ...
RFC 2821 said:
The SMTP client MUST, if possible, ensure that the domain parameter to the EHLO command is a valid principal host name

It's actually the people who reject you when the rDNS doesn't match who are in breach of the RFC (my bold in the following quote):
RFC 2821 said:
An SMTP server MAY verify that the domain name parameter in the EHLO command actually corresponds to the IP address of the client. However, the server MUST NOT refuse to accept a message for this reason if the verification fails: the information about verification failure is for logging and tracing only.
 
That's true, but if the receiving server doesn't meet the first quoted requirement, then the sender shouldn't be forced to meet the second one.

I'm all for requiring a rDNS entry, and don't blame receiving servers for blocking inbound SMTP traffic if there isn't one.

RFC 2821

A good read if you have plenty of caffeine.

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)
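The check the rejecting site is evidently running, and the two ways a receiver can act on its result, as an added example for this thread (not code from any poster or product). It does a forward lookup of the EHLO name against the connecting IP, then a forward-confirmed rDNS (PTR then A) check on the IP, and produces the same "X does not resolve to A.B.C.D" wording as the rejection quoted earlier. DNS answers come from an injectable resolver backed by a constructed table so it runs offline; for live use, pass a function built on socket.gethostbyname_ex and socket.gethostbyaddr. All hostnames and addresses are hypothetical.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check on an SMTP EHLO name.

Added example, not code from the thread.  Names and addresses are
made up; the resolver is a table so the script runs offline.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed zone data: a public MX, the bare domain pointing at the
# same public IP, and an internal Exchange host with only a private IP.
FAKE_A = {
    "mail.example.com":   ["203.0.113.10"],
    "example.com":        ["203.0.113.10"],
    "exch01.example.com": ["10.0.0.25"],
}
FAKE_PTR = {"203.0.113.10": "mail.example.com"}   # reverse zone held by the ISP


def fake_resolver(qname: str, qtype: str) -> List[str]:
    """Answer list for (qname, qtype); an empty list stands for NXDOMAIN."""
    if qtype == "A":
        return list(FAKE_A.get(qname.lower().rstrip("."), []))
    if qtype == "PTR":
        name = FAKE_PTR.get(qname)
        return [name] if name else []
    raise ValueError(f"unsupported qtype {qtype}")


@dataclass
class EhloVerdict:
    ehlo_name: str
    client_ip: str
    forward_ok: bool         # EHLO name has an A record equal to the client IP
    ptr_name: Optional[str]  # PTR for the client IP, if any
    fcrdns_ok: bool          # PTR name resolves back to the client IP
    reason: str


def check_ehlo(ehlo_name: str, client_ip: str, resolve=fake_resolver) -> EhloVerdict:
    """Run the forward and forward-confirmed reverse checks on one EHLO."""
    ip = str(ipaddress.ip_address(client_ip))   # validates and normalises the IP
    fwd = resolve(ehlo_name, "A")
    forward_ok = ip in fwd
    ptrs = resolve(ip, "PTR")
    ptr_name = ptrs[0] if ptrs else None
    fcrdns_ok = ptr_name is not None and ip in resolve(ptr_name, "A")
    if not fwd:
        reason = f"{ehlo_name} does not resolve"
    elif not forward_ok:
        reason = f"{ehlo_name} does not resolve to {ip}"
    elif not fcrdns_ok:
        reason = f"no forward-confirmed rDNS for {ip}"
    else:
        reason = "ok"
    return EhloVerdict(ehlo_name, ip, forward_ok, ptr_name, fcrdns_ok, reason)


def smtp_disposition(v: EhloVerdict, strict: bool = False) -> str:
    """SMTP reply a receiving server would give for this verdict.

    strict=False follows RFC 2821 section 4.1.4: a failed EHLO check is
    logged and the message is still accepted.  strict=True reproduces
    the behaviour this thread complains about.
    """
    if v.reason == "ok":
        return "250 ok"
    if strict:
        return f"550 {v.reason}"
    return f"250 ok (logged: {v.reason})"


if __name__ == "__main__":
    # The internal host, the bare domain, the external MX, and a bogus name,
    # all connecting from the public NAT address.
    for name in ("exch01.example.com", "example.com",
                 "mail.example.com", "nxdomain.example.com"):
        v = check_ehlo(name, "203.0.113.10")
        print(f"{name:22} strict: {smtp_disposition(v, strict=True):50} "
              f"lenient: {smtp_disposition(v)}")
```

The internal machine name fails only the forward check, which is exactly the mismatch the poster worked around by presenting the bare domain or the external server's FQDN in EHLO; the PTR side is the ISP's job and is unaffected by anything done on the Exchange box.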
 
Even AOL no longer refuse e-mail based on a rDNS mismatch!

Back on topic:

Vachaun22: Is it possible for you to relay your mail through the external e-mail server, rather than send directly from your internal one?


Carlsberg don't run I.T departments, but if they did they'd probably be more fun.
 
The problem with that is your delivery receipts are generated by the smart host instead of the destination server.

Pat Richard, MCSE(2) MCSA:Messaging, CNA(2)
 
Given that read receipts and delivery receipts are basically a waste of time that may not be a problem ...
 
Well, one of the things I was considering doing was creating a smarthost and having that send the email instead of the Exchange server directly. The only reason I didn't want to do that was that the server has enough workload as it is, being our primary MX, firewall, webserver, etc. Of course when I had the Exchange server masquerade as the FQDN of the other server, that just created a mail loop, which was no good. So as of right now, it's just showing the domain name without a machine name, which will resolve correctly, but is not preferable.

I'm guessing at this point, my only real option is going with the smarthost. So, I'll have to do some research on configuration. Thanks again for everyone's help and suggestions.
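The relay policy a smart host needs so that it forwards the internal Exchange server's outbound mail without becoming an open relay, plus a hop-count guard against the kind of mail loop the poster hit, as an added example (not the poster's configuration, and not any specific MTA's config syntax). It simulates the decision the external box makes per recipient: inbound for the company's domains is handed to Exchange, outbound to other domains is relayed only when the client is on the internal network or authenticated, and everything else is refused. The domains, networks, addresses and sample message are constructed.

```python
"""Smart-host relay decision and mail-loop guard.

Added example, not from the thread.  LOCAL_DOMAINS, RELAY_NETWORKS,
INTERNAL_EXCHANGE and the sample message are hypothetical.
"""
import email
import ipaddress
from typing import Tuple

# Domains this MX accepts inbound mail for (anyone on the internet may deliver).
LOCAL_DOMAINS = {"example.com"}
# Where inbound mail for those domains is pushed to (the internal Exchange box).
INTERNAL_EXCHANGE = "10.0.0.25"
# Internal networks whose hosts may relay outbound mail through this server.
RELAY_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]


def route(client_ip: str, rcpt_to: str, authenticated: bool = False) -> Tuple[str, str]:
    """Return (action, detail) for one RCPT TO from a given client.

    action is "deliver" (hand to Exchange), "relay" (send on to the
    recipient's MX) or "reject" (with the SMTP reply as detail).
    """
    ip = ipaddress.ip_address(client_ip)
    addr = rcpt_to.strip().strip("<>")
    if "@" not in addr:
        return ("reject", "501 bad recipient address")
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    if domain in LOCAL_DOMAINS:
        return ("deliver", INTERNAL_EXCHANGE)          # inbound: always accepted
    if authenticated or any(ip in net for net in RELAY_NETWORKS):
        return ("relay", f"MX of {domain}")            # trusted client: relay out
    return ("reject", "554 relay access denied")       # outsider asking to relay


def too_many_hops(raw_message: str, limit: int = 30) -> bool:
    """Loop guard: a message that has collected more than `limit` Received
    headers is bouncing between servers and should be rejected, not relayed."""
    received = email.message_from_string(raw_message).get_all("Received") or []
    return len(received) > limit


# Constructed message as it would look after two hops inside the company.
SAMPLE_MESSAGE = (
    "Received: from mail.example.com (203.0.113.10) by mail.example.com\n"
    "Received: from exch01.example.com (10.0.0.25) by mail.example.com\n"
    "From: alice@example.com\n"
    "To: bob@elsewhere.example\n"
    "Subject: test\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    cases = [
        ("198.51.100.7", "bob@example.com", False),          # inbound from the internet
        ("10.0.0.25", "bob@elsewhere.example", False),       # Exchange relaying outbound
        ("198.51.100.7", "bob@elsewhere.example", False),    # open-relay probe
        ("198.51.100.7", "bob@elsewhere.example", True),     # authenticated roaming user
    ]
    for client, rcpt, auth in cases:
        print(f"{client:14} -> {rcpt:24} auth={auth!s:5} {route(client, rcpt, auth)}")
    print("loop guard (limit 30):", too_many_hops(SAMPLE_MESSAGE))
    print("loop guard (limit 1): ", too_many_hops(SAMPLE_MESSAGE, limit=1))
```

The open-relay probe case is the one to test from outside once the smart host is in place: a connection from an arbitrary internet address to a non-local recipient must get the 554, otherwise the box is relaying for the world. The hop-count check is the standard MTA defence for the masquerade-induced loop described above; it does not prevent the loop, it just bounds how long it runs.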
 