
I'm running a dovecot/postfix mail server on debian and am having some issues. Everything is working fine except all emails to @aol.com are being deferred.

The error code gave me: "The Reverse DNS lookup for your IP address is failing."

I'm running a site (I'll be calling it site.com in this post) on server A. I'm then running this mail server on server B. I have a mail.site.com A record pointing to server B in my domains DNS, as well as an MX record pointing to mail.site.com.

I've set the PTR record of my mail server to site.com and this is the dig output:

(I've substituted 60.70.80.90 for the IP of my mail server and 1.2.3.4 for my main server IP.)

dig -x 60.70.80.90 @8.8.8.8

; <<>> DiG 9.3.6-P1-RedHat-9.3.6-20.P1.el5_8.6 <<>> -x 60.70.80.90 @8.8.8.8
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48367
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;90.80.70.60.in-addr.arpa.  IN      PTR

;; ANSWER SECTION:
90.80.70.60.in-addr.arpa. 21599 IN  PTR     site.com.

;; Query time: 58 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jul 22 14:30:23 2014
;; MSG SIZE  rcvd: 75

In site.com's domain DNS settings I have:

A  | site.com  -> 1.2.3.4 (main server ip) 
A  | mail.site.com -> 60.70.80.90 (mail server ip)
MX | mail.site.com -> mail.site.com

I don't have any SPF or TXT records. When I ping mail.site.com it correctly returns the IP of my mail server.

Why am I still getting bounce backs?

SOLUTION:

I changed

MX | mail.site.com -> mail.site.com

to

MX | site.com -> mail.site.com

Also, as @sebix suggested, I had to confirm that my HELO was set to mail.site.com (it was set to site.com), and that the PTR of my mail server was set to mail.site.com (it was set to site.com).

Jonny07

2 Answers

3

The quick search directs you to the AOL Postmaster where error 421 should have been followed by an additional error code indicating the actual reason your connection is (temporarily) rejected:

421 DNS:NR
    The Reverse DNS lookup for your IP address is failing.

421 RLY:B3
     The IP address you are sending from has been temporarily rate limited due to
     poor reputation.

421 RLY:CH
     A computer or computer(s) on your network may be compromised and is sending mail 
     that matches the signature of known spam.

421 RLY:CH2
    Your IP address has generated AOL member complaints 

421 RLY:NW
    The IP address you are sending from has been temporarily rate limited because the 
    IP is new or has been idle for a long time

421 RLY:SN
    This error indicates you are sending email using a disallowed AOL.COM screenname as 
    your FROM or REPLY-TO address

etc. etc.

Edit: after adding the complete error response, 421 DNS:NR, to your question, we can conclude that the Reverse DNS lookup for your IP address is failing.

Typically you need to contact your hosting provider to set up a correct reverse DNS record for the IP address of your mail server (server B). A simple check with `dig -x <your-ip> @8.8.8.8` should return `7.8.9.10.in-addr.arpa. 599 IN PTR mail.example.com`, where mail.example.com is of course the correct hostname of server B.

HBruijn
  • Sorry, I should have included that. It's the first one, 421 DNS:NR "The Reverse DNS lookup for your IP address is failing." But if you ping site.com, it will resolve to the IP of my main server, not my mail server. If my mail was on the same server as the site, I wouldn't have this issue, but I guess I'm confused as to how you run a separate mail server without having this problem. – Jonny07 Jul 22 '14 at 15:25
  • Does `dig -x @8.8.8.8` return a correct reverse DNS record? And check [AOL's own trouble shooting page](http://postmaster.aol.com/Postmaster.Troubleshooting.php) – HBruijn Jul 22 '14 at 15:28
  • I've updated my question with the dig output. – Jonny07 Jul 22 '14 at 15:38
  • And from that we see that no, your mail server does **not** have a valid PTR record. Get Digital Ocean to fix that. – MadHatter Jul 22 '14 at 15:39
  • https://www.digitalocean.com/community/questions/how-do-you-update-reverse-dns – HBruijn Jul 22 '14 at 15:42
  • I've updated my PTR record at DigitalOcean (mail server host) to mail.mysite.com. Will it take some time to propagate? Because dig still isn't showing a valid PTR record. – Jonny07 Jul 22 '14 at 16:18
  • UPDATE: Never mind, it just needed a few minutes to update. I've updated my post with the most recent dig response. So I should be good to go now? – Jonny07 Jul 22 '14 at 16:21
  • @HBruijn, My host told me to set my mailserver's PTR to site.com, not mail.site.com. I've changed it and updated my post with the dig. Thoughts? – Jonny07 Jul 22 '14 at 18:51
1

Yes, you need to make sure that

  1. Your HELO string is a domain that resolves to your IP.
  2. There is a PTR record for the IP of your sending mailserver that resolves to that domain.

The domain in the PTR and your helo must correspond. It's not exactly according to RFCs, but large providers such as AOL have been expecting it for a long time. It does help spam prevention.

Felix Frank
  • I edited your answer and clarified which IP is important and that PTR and Helo should correspond. If you don't agree, don't hesitate to revert my additions. – sebix Jul 22 '14 at 16:05
  • I've updated my PTR record at DigitalOcean (mail server host) to mail.mysite.com. Will it take some time to propagate? Because dig still isn't showing a valid PTR record. – Jonny07 Jul 22 '14 at 16:18
  • UPDATE: Never mind, it just needed a few minutes to update. I've updated my post with the most recent dig response. So I should be good to go now? – Jonny07 Jul 22 '14 at 16:20
  • The obfuscation isn't exactly helpful, but from what I gather, the PTR you created is for the IP of the server **not** doing SMTP, so I don't see how it's going to be helpful. – Felix Frank Jul 22 '14 at 16:23
  • I agree with @FelixFrank. It's only about your mail server and its IP. Except for the SPF record, your main site has nothing to do with the mail transfers. That's exactly what I pointed out in this answer above. You also mixed up the IPs in the dig result you are showing in your question. – sebix Jul 22 '14 at 16:36
  • I've updated the post. If you could please have a look I'd appreciate it. – Jonny07 Jul 22 '14 at 18:50
  • Your DNS does not adhere to what I suggested. You need `HELO = mail.site.com` and `PTR = mail.site.com`. - Once you're fixed up, AOL will also take a while to unlist you. – Felix Frank Jul 22 '14 at 19:55
  • And after correcting the PTR, create an MX record for `site.com` pointing to `mail.site.com`, otherwise you @Jonny07 won't get any mails from outside ;) – sebix Jul 22 '14 at 20:08
  • @sebix: Thanks so much for the help. I made the changes, unfortunately now I'm getting an auto bounce "unknown user" when I try to send an email. I changed my MX record to what you suggested, but should I have kept my old mail.mysite -> mail.mysite MX record too? – Jonny07 Jul 22 '14 at 20:46
  • FIXED! I've updated my main post with the final solution. Thanks @sebix!! – Jonny07 Jul 22 '14 at 20:57
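The checks that the SOLUTION in the question and the two numbered points in Felix Frank's answer describe (PTR present, PTR name resolving back to the sending IP, HELO name matching it, and an MX on the mail domain) can be run as one script. The block below is an added example and is not code from the thread, from Postfix, or from AOL; it evaluates a constructed in-memory zone that mirrors the records in the question (the "before" and "after" snapshots), so nothing is queried over the network, and it is a simplified model of forward-confirmed reverse DNS rather than any provider's actual policy. The "421 DNS:NR" text is taken from HBruijn's answer.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check of the kind large mailbox providers
apply before accepting mail. Added illustration, not code from the thread or from
any provider; the DNS data is a constructed in-memory zone, so nothing is looked up
on the network."""
import ipaddress

# Constructed zone snapshots: (owner name, rtype) -> rdata list.
# ZONE_BEFORE reproduces the asker's original records, ZONE_AFTER the posted SOLUTION.
ZONE_BEFORE = {
    ("site.com.", "A"): ["1.2.3.4"],
    ("mail.site.com.", "A"): ["60.70.80.90"],
    ("mail.site.com.", "MX"): ["mail.site.com."],         # MX on the host, not the domain
    ("90.80.70.60.in-addr.arpa.", "PTR"): ["site.com."],  # PTR names the web server
}
ZONE_AFTER = {
    ("site.com.", "A"): ["1.2.3.4"],
    ("mail.site.com.", "A"): ["60.70.80.90"],
    ("site.com.", "MX"): ["mail.site.com."],
    ("90.80.70.60.in-addr.arpa.", "PTR"): ["mail.site.com."],
}


def fqdn(name):
    """Normalise a name to lower case with a trailing dot, as in zone data."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def reverse_name(ip):
    """Owner name that `dig -x` queries: octets reversed under in-addr.arpa (or ip6.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def lookup(zone, name, rtype):
    """Minimal resolver over the constructed zone (no CNAME following)."""
    return zone.get((fqdn(name), rtype), [])


def fcrdns_check(zone, ip, helo):
    """Return (ok, findings) for a sending IP and the name it announces in HELO/EHLO.

    Conditions: the IP has a PTR; each PTR name resolves back to the IP; the HELO
    name resolves to the IP and equals the PTR name.
    """
    findings = []
    ptrs = lookup(zone, reverse_name(ip), "PTR")
    if not ptrs:
        findings.append(f"no PTR record for {ip} (AOL reports this as 421 DNS:NR)")
        return False, findings
    ok = True
    for ptr in ptrs:
        back = lookup(zone, ptr, "A") + lookup(zone, ptr, "AAAA")
        if ip not in back:
            findings.append(f"PTR {ptr} resolves to {back or 'nothing'}, not back to {ip}")
            ok = False
    helo_addrs = lookup(zone, helo, "A") + lookup(zone, helo, "AAAA")
    if ip not in helo_addrs:
        findings.append(f"HELO name {helo} resolves to {helo_addrs or 'nothing'}, not {ip}")
        ok = False
    if fqdn(helo) not in ptrs:
        findings.append(f"HELO name {helo} differs from PTR name(s) {ptrs}")
        ok = False
    return ok, findings


def inbound_mx_check(zone, domain, mailhost):
    """Inbound delivery needs the MX on the mail domain itself, pointing at the mail host."""
    return fqdn(mailhost) in lookup(zone, domain, "MX")


if __name__ == "__main__":
    for label, zone, helo in (("before", ZONE_BEFORE, "site.com"),
                              ("after", ZONE_AFTER, "mail.site.com")):
        ok, findings = fcrdns_check(zone, "60.70.80.90", helo)
        mx_ok = inbound_mx_check(zone, "site.com", "mail.site.com")
        print(f"{label}: FCrDNS {'pass' if ok else 'FAIL'}; "
              f"MX for site.com {'ok' if mx_ok else 'missing'}")
        for finding in findings:
            print("   -", finding)
```

Run against the "before" zone the script reports both the PTR and the HELO name resolving to 1.2.3.4 instead of 60.70.80.90 and no MX on site.com; the "after" zone passes. On Postfix the announced HELO name is `smtp_helo_name`, which defaults to `$myhostname`, so setting `myhostname = mail.site.com` is the usual way to satisfy the HELO condition; the PTR itself is set at the hosting provider, as the comments above describe.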