
I have to make a decision whether my Reverse DNS should match the SMTP banner but Reverse DNS to DNS and vice versa stays different, or vice versa. Which one to choose?

I have 2x Exchange 2010 servers with one SMTP sender with TMG 2010. TMG has 2 links connected so that we have 2 separate internet providers. The problem is I have no way to control TMG's behavior on which link is used to send emails, as it picks it randomly.

I have 2 MX records:

  • mail.test.com which resolves to IP and IP resolves to mail.test.com
  • mail2.test.com which resolves to IP2 and IP2 resolves to mail.test.com

This was done to prevent SMTP banner issues but it causes problems with Reverse DNS if the server on the other side is eager enough to do the comparison. But I've checked with Google and they also don't have that in perfect condition.

MadBoy

2 Answers


If you have to choose between the two, match rDNS to the A record so both IPs still have FcRDNS, but make sure the hostname presented in the SMTP banner is resolvable as well (choose one of the two hostnames). Broken FcRDNS is way worse than the SMTP banner not matching rDNS.

Alternatively, you could get rid of the 2nd hostname altogether and you wouldn't have any mismatch at all:

  • ditch mail2.test.com A and MX record
  • make TWO A-records for mail.test.com (one for each ip)
  • set rDNS PTR for both IPs to mail.test.com
  • set smtp banner (HELO) to mail.test.com

With that solution you'd have the best of both worlds. HELO / A / PTR would match in every case and you'd still have MX load balancing/failover:

From RFC 5321:

The destination host (perhaps taken from the preferred MX record) may be multihomed, in which case the domain name resolver will return a list of alternative IP addresses. [...] and the SMTP sender MUST try them in the order presented.

Gryphius
  • Your alternative solution makes Round Robin DNS, in which case if one MX goes down it's possible that one server will try to deliver for a long while, since every time it may try the down IP instead of the working one (depending on which DNS will serve). I thought about it but it's just a bit more pain than it is now. – MadBoy Jul 04 '12 at 17:52
  • Nope, not round robin DNS. The A lookup returns both IPs at the same time. The sending server will try one of them randomly and if it's down automatically use the other. – Gryphius Jul 04 '12 at 18:13
  • I have added the relevant RFC section that describes sending to an MX record with multiple target IPs – Gryphius Jul 04 '12 at 18:35
  • Oh, interesting. Didn't know that – MadBoy Jul 04 '12 at 22:19
  • Do you still leave MX 10 and MX 20 both pointing to mx.test.com, or do you just leave one? – MadBoy Jul 05 '12 at 14:49
  • You just leave one – Gryphius Jul 05 '12 at 14:53
  • Gryphius, I'm having some doubts. I've set it like you said and all tools like mxtoolbox.com report just one IP address on SMTP testing. If the IP address goes down, will it switch to the other? – MadBoy Jul 12 '12 at 19:50
  • In the "domain lookup", mxtoolbox shows only one random SMTP IP. If you click on the hostname (or enter a:mail.test.com in the query field), it must show both addresses. If this is not the case, your DNS A record is not set up correctly – Gryphius Jul 13 '12 at 04:37
  • It shows both. And it seems to switch from one to other every now and then when testing with mxtoolbox. – MadBoy Jul 13 '12 at 08:00
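A way to check the three layouts discussed in this answer (the question's setup, rDNS matched to the A records, and the single-hostname variant) for FcRDNS and banner consistency. This is an added example, not Gryphius's or the asker's code; the DNS snapshots are constructed from the records named above, the two addresses are made-up documentation addresses, and nothing here queries live DNS.

```python
"""Audit FcRDNS and SMTP banner consistency over constructed DNS snapshots.
Added example, not the question's or answer's code; the records below are
made up to mirror the layouts discussed and no live DNS lookups are made."""

IP1, IP2 = "192.0.2.10", "192.0.2.20"  # constructed documentation addresses

def zone(a, ptr, mx, banner):
    """Build a DNS snapshot: A name->{ips}, PTR ip->name, MX names, banner."""
    return {"A": a, "PTR": ptr, "MX": mx, "banner": banner}

# Layout from the question: both PTRs carry the banner name, so IP2's PTR
# name resolves to IP1 only and FcRDNS is broken for IP2.
QUESTION = zone({"mail.test.com": {IP1}, "mail2.test.com": {IP2}},
                {IP1: "mail.test.com", IP2: "mail.test.com"},
                ["mail.test.com", "mail2.test.com"], "mail.test.com")

# First option in the answer: PTRs match the A records, banner kept on one name.
RDNS_TO_A = zone({"mail.test.com": {IP1}, "mail2.test.com": {IP2}},
                 {IP1: "mail.test.com", IP2: "mail2.test.com"},
                 ["mail.test.com", "mail2.test.com"], "mail.test.com")

# Alternative in the answer: one hostname with two A records and a single MX.
SINGLE_NAME = zone({"mail.test.com": {IP1, IP2}},
                   {IP1: "mail.test.com", IP2: "mail.test.com"},
                   ["mail.test.com"], "mail.test.com")

def sending_ips(snap):
    """Every address an MX host may send from (all A records of all MX names)."""
    return sorted(ip for mx in snap["MX"] for ip in snap["A"].get(mx, ()))

def fcrdns_ok(snap, ip):
    """Forward-confirmed rDNS: the PTR name must have an A record containing ip."""
    name = snap["PTR"].get(ip)
    return name is not None and ip in snap["A"].get(name, set())

def audit(snap):
    """Per sending IP: (FcRDNS ok, banner name resolves, banner resolves to ip)."""
    banner_ips = snap["A"].get(snap["banner"], set())
    return {ip: (fcrdns_ok(snap, ip), bool(banner_ips), ip in banner_ips)
            for ip in sending_ips(snap)}

if __name__ == "__main__":
    for label, snap in (("question", QUESTION), ("rDNS->A", RDNS_TO_A),
                        ("single name", SINGLE_NAME)):
        print(f"{label:12} {audit(snap)}")
```

Only the single-hostname layout passes all three checks for both addresses; the rDNS-to-A option keeps FcRDNS intact and merely leaves the banner unmatched on IP2, which is the trade-off the answer describes.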

I understand your pain, but keep in mind what RFC 5321 states:

An SMTP server MAY verify that the domain name argument in the EHLO command actually corresponds to the IP address of the client. However, if the verification fails, the server MUST NOT refuse to accept a message on that basis. Information captured in the verification attempt is for logging and tracing purposes. Note that this prohibition applies to the matching of the parameter to its IP address only; see Section 7.9 for a more extensive discussion of rejecting incoming connections or mail messages.

So keep the precise correspondence between mail.test.com <-> IP1 and mail2.test.com <-> IP2 and try to inform receiving sites that block this that they should be more graceful on that one.

adamo