Reverse DNS for multiple mail domains on same server


Victor Matei

I am trying to understand how to properly set up the PTR records for our
company's Exchange server.
From my understanding, there can be only one PTR record for a host name,
which is required to comply with the rDNS check done by many email systems.
Example: nslookup for 3.0.168.192.in-addr.arpa would return mail.dom-a.com
So if (e-mail address removed) hosted on the same server sends mail, would it be
rejected by recipients checking this?
I need to know what exactly to ask the ISP to do for me.
 
Since the Exchange server has only one host name, and one DNS name, and
you're sending from the Exchange server, it should be fine in most cases
unless the recipient server's admins are VERY picky. Frankly, a lot of small
clients I've worked with have PTRs that don't match the server's DNS name at
all - I think the presence of a PTR alone is enough in most cases.
Corrections welcome!
 
I just got off the phone with the ISP, they said a single PTR record for the
public IP should suffice, mapped to one of the domain's host names.
I will keep an eye on email bounces to see if the issue is alleviated.

"Lanwench [MVP - Exchange]"
 
Victor Matei said:
I just got off the phone with the ISP, they said a single PTR record for the
public IP should suffice, mapped to one of the domain's host names.
I will keep an eye on email bounces to see if the issue is alleviated.


They are right. This is by necessity. The PTR must uniquely resolve
or you would get unpredictable results.

Set the EMAIL SMTP server "name" to match the PTR returned value
(or vice versa). This is about SENDING email and has nothing really
to do with which email domains you handle for RECEIVING email.

Example: An ISP sets up email for 1000 client customers with different
DNS zone/domain names but that ISP SMTP server can only have ONE
name -- this is the name given to the SMTP server config AND placed
in the PTR value.

--
Herb Martin
 
This is exactly what I was thinking... as long as a trust is there, numerous
subnets can use the same SMTP engine to send mail... the incoming mail can
then be routed accordingly.


 
On the subject of receiving mail servers performing reverse DNS checking:
Is this efficient in preventing spam and if so how could this be
implemented in Exchange 2003?
Won't it stop some legitimate mail from getting to your server?

"Lanwench [MVP - Exchange]"
 
Victor Matei said:
I am trying to understand how to properly set up the PTR records for
our company's Exchange server.
From my understanding, there can be only one PTR record for a host
name, which is required to comply with the rDNS check done by many
email systems. Example: nslookup for 3.0.168.192.in-addr.arpa would
return mail.dom-a.com So if (e-mail address removed) hosted on the same server
sends mail, would it be rejected by recipients checking this?
I need to know what exactly to ask the ISP to do for me.

Ask them to create a PTR record for your Exchange server's public host name
for its public IP address.
 
Sonny said:
This is exactly what I was thinking... as long as a trust is there, numerous
subnets can use the same SMTP engine to send mail... the incoming mail can
then be routed accordingly.

Nothing to do with "trusts".

But you seem to understand it.

Normally, SMTP servers are set for the following:

1) Allow any outside source email (except spam filtered) to go to
any INTERNALLY existing user

2) Allow internal users to send to both internal and external users

(Sometimes with authentication -- or when misconfigured -- the server
will allow External->External relaying. If misconfigured this is referred
to as "open relaying" and is bad.)

The issue of the PTR is for SENDING email from the SMTP to other
SMTP servers who are trying to decide if we are trustworthy. It's not
perfect but it is better than nothing.

--
Herb Martin
 
Victor Matei said:
On the subject of receiving mail servers performing reverse DNS checking:
Is this efficient in preventing spam and if so how could this be
implemented in Exchange 2003?
Won't it stop some legitimate mail from getting to your server?

Not really, but at least you know (something about) who is sending
you email. It prevents completely anonymous injection of email into
your system.

Since most ISPs will not set up the SMTP and the PTR (both) for dial-ups
and such, it will eliminate some transient spam slinging.

--
Herb Martin
 
Victor Matei said:
OK, did that.
Now how can I enable my Exchange 2003 server to check PTR records?


You would test it using nslookup.

nslookup yourmailmachineIPaddress

And see what the name comes back as.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Well mine is now returning the server's name, so it looks like the ISP kept
their word.
But how does an email server check this on every incoming SMTP connection
and decide to drop it if not compliant?
I know that in Exchange 2003 there is a setting to check on SMTP protocol at
the virtual server, but that merely resolves the DNS name and inserts it in
the header in Outlook; it will not act as a connection negotiator.

"Ace Fekay [MVP]"
 
Victor Matei said:
Well mine is now returning the server's name, so it looks like the ISP kept
their word.
But how does an email server check this on every incoming SMTP connection
and decide to drop it if not compliant?

It's a feature of the particular SMTP server so we cannot tell you
generically.
I know that in Exchange 2003 there is a setting to check on SMTP protocol at
the virtual server, but that merely resolves the DNS name and inserts it in
the header in Outlook; it will not act as a connection negotiator.

I do this so seldom in Exchange that I cannot give you that specific one
either, but it will have something to do with Reverse or PTR and probably be
next to the setting that requires an MX (or requires it to match.)
--
Herb Martin
"Ace Fekay [MVP]"
 
Victor Matei said:
Well mine is now returning the server's name, so it looks like the ISP kept
their word.
Good

But how does an email server check this on every incoming SMTP connection
and decide to drop it if not compliant?

If you have that checked off in the SMTP properties, yes it does for each
connection.
I know that in Exchange 2003 there is a setting to check on SMTP protocol at
the virtual server, but that merely resolves the DNS name and inserts it in
the header in Outlook; it will not act as a connection negotiator.

Correct. If you want more functionality, you would have to use RBL lists
and/or a 3rd-party tool, such as Trend Micro or Mail Essentials. Matter of
fact, Mail Essentials' base version is now available for FREE. Yes, they
did this in light of the current spam issues. Go to www.gfi.com for more
info.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
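The check Victor asks about (what a receiving server does with the PTR on every inbound connection), the nslookup test Ace describes, Herb's point that the SMTP server name should match the PTR, and the RBL lookup Ace mentions, as one added example. This is not Exchange code and not from any poster in the thread. It assumes nothing about Exchange: the resolver is a pluggable function, the offline run uses a constructed in-memory zone table (the thread's 192.168.0.3 / mail.dom-a.com pair plus invented failure cases and an invented "dnsbl.example" list zone), and the optional live adapter assumes the third-party dnspython package.

```python
from __future__ import annotations

import ipaddress
from typing import Callable

# Added example, not Exchange or any poster's code.  It implements the
# reverse-DNS check a receiving SMTP server applies per connection: PTR lookup,
# forward confirmation (FCrDNS), HELO-vs-PTR comparison, and a DNSBL query built
# on the same reversed-octet name.  Names, addresses and "dnsbl.example" are
# constructed for the demo; the dnspython adapter is an assumption.

# Resolver contract: rdata strings for (qname, rrtype); [] on NXDOMAIN/NoAnswer;
# raises LookupTempFail on SERVFAIL or timeout.
Resolver = Callable[[str, str], list]


class LookupTempFail(Exception):
    """Transient DNS failure: answer 4xx so a legitimate sender retries."""


def reverse_name(ip: str) -> str:
    """in-addr.arpa (IPv4) or ip6.arpa (IPv6) owner name of the PTR record."""
    return ipaddress.ip_address(ip).reverse_pointer


def dnsbl_name(ip: str, zone: str) -> str:
    """IPv4 DNSBL query name: octets reversed, list zone appended."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def check_sender(ip: str, helo: str, resolve: Resolver,
                 dnsbl_zone: str | None = None, strict: bool = False) -> dict:
    """Collect rDNS signals for a connecting IP and return an SMTP-style verdict.

    strict=False rejects only a missing PTR (or a DNSBL hit), which is what most
    receivers do; strict=True also demands forward confirmation, the "picky
    admin" policy.  HELO match is reported but never rejected on: one MTA
    legitimately sends for many domains under a single name.
    """
    addr = ipaddress.ip_address(ip)
    result = {"ip": str(addr), "ptr": None, "fcrdns": False,
              "helo_match": False, "listed": False, "verdict": ""}
    try:
        ptrs = resolve(reverse_name(ip), "PTR")
        if ptrs:
            ptr = ptrs[0].rstrip(".").lower()
            result["ptr"] = ptr
            fwd_type = "AAAA" if addr.version == 6 else "A"
            forward = {ipaddress.ip_address(a) for a in resolve(ptr, fwd_type)}
            result["fcrdns"] = addr in forward
            result["helo_match"] = helo.rstrip(".").lower() == ptr
        if dnsbl_zone and addr.version == 4:
            result["listed"] = bool(resolve(dnsbl_name(ip, dnsbl_zone), "A"))
    except LookupTempFail as exc:
        # DNS trouble is not proof of spam: defer, do not bounce.
        result["verdict"] = f"451 4.7.1 DNS lookup failed, try again later ({exc})"
        return result

    if result["ptr"] is None:
        result["verdict"] = f"550 5.7.1 no PTR record for {addr}"
    elif result["listed"]:
        result["verdict"] = f"550 5.7.1 {addr} is listed in {dnsbl_zone}"
    elif strict and not result["fcrdns"]:
        result["verdict"] = f"550 5.7.1 PTR {result['ptr']} does not resolve to {addr}"
    else:
        result["verdict"] = "250 OK"
    return result


# Constructed zone data so the example runs offline (192.168.0.3/mail.dom-a.com
# is the thread's own example; the rest is invented for the failure cases).
CONSTRUCTED_ZONES = {
    ("3.0.168.192.in-addr.arpa", "PTR"): ["mail.dom-a.com."],
    ("mail.dom-a.com", "A"): ["192.168.0.3"],                # forward-confirms
    ("4.0.168.192.in-addr.arpa", "PTR"): ["bogus.example."],  # PTR exists but ...
    ("bogus.example", "A"): ["10.9.9.9"],                     # ... points elsewhere
    ("4.0.168.192.dnsbl.example", "A"): ["127.0.0.2"],        # and it is DNSBL-listed
}
SERVFAIL_NAMES = {"6.0.168.192.in-addr.arpa"}  # simulates a resolver timeout


def table_resolver(qname: str, rrtype: str) -> list:
    """Offline stand-in for a real resolver, backed by CONSTRUCTED_ZONES."""
    qname = qname.rstrip(".").lower()
    if qname in SERVFAIL_NAMES:
        raise LookupTempFail("SERVFAIL")
    return CONSTRUCTED_ZONES.get((qname, rrtype), [])


def dnspython_resolver(qname: str, rrtype: str) -> list:
    """Live adapter; assumes the third-party dnspython package is installed."""
    import dns.exception
    import dns.resolver
    try:
        return [r.to_text() for r in dns.resolver.resolve(qname, rrtype)]
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []
    except dns.exception.DNSException as exc:
        raise LookupTempFail(str(exc)) from exc
```

Calling check_sender("192.168.0.3", "mail.dom-a.com", table_resolver, "dnsbl.example", strict=True) gives "250 OK" with fcrdns and helo_match both true, which is the state Victor reached once the ISP published the PTR; 192.168.0.4 is rejected for the DNSBL hit, 192.168.0.5 for having no PTR at all, and 192.168.0.6 gets a 451 because its lookup failed. That last case is the answer to "won't it stop some legitimate mail": a resolver outage must produce a temporary failure so the sender retries, not a bounce. To run the same logic against real DNS, pass dnspython_resolver instead of table_resolver; reverse_name() is exactly the name nslookup queries when you give it an IP address.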
 