Hi

Have an issue with DNS I think.

I have a user that is getting the following NDR for Exchange 2003:



You do not have permission to send to this recipient. For assistance,
contact your system administrator.
<domain.co.uk #5.7.1 smtp;501 5.7.1 <users email>... Sender IP
must resolve>

this has only just started to happen and seems to affect a few domains here
and there - most mail is going through

I have been looking around the net and have run the DNS report which has
highlighted:

Reverse DNS entries for MX records - ERROR: The IP of one or more of your
mail server(s) have no reverse DNS (PTR) entries/* (if you see "Timeout"
below, it may mean that your DNS servers did not respond fast enough)*/.
RFC1912 2.1 says you should have a reverse DNS for all your mail servers. It
is strongly urged that you have them, as many mailservers will not accept
mail from mailservers with no reverse DNS entry. You can double-check using
the 'Reverse DNS Lookup' tool on our site if you recently changed your
reverse DNS entry (it contacts your servers in real time; the reverse DNS
lookups in the DNS report use our local caching DNS server). The problem MX
records are:
our IP.in-addr.arpa [No reverse DNS entry (rcode: 3 ancount: 0) (check it)]

The fixed IP is from our ISP but our mail is hosted by another ISP. Where do
I go to ensure that the reverse DNS entry is correct - I am right in
thinking that it is the mail host that needs to correct this?

thanks in advance

jad wrote:

> Hi
>
> Have an issue with DNS I think.
>
> I have a user that is getting the following NDR for Exchange 2003:
>
> You do not have permission to send to this recipient. For assistance,
> contact your system administrator.
> <domain.co.uk #5.7.1 smtp;501 5.7.1 <users email>... Sender
> IP must resolve>
>
> this has only just started to happen and seems to affect a few domains
> here and there - most mail is going through
>
> I have been looking around the net and have run the DNS report which
> has highlighted:
>
> Reverse DNS entries for MX records - ERROR: The IP of one or more of
> your mail server(s) have no reverse DNS (PTR) entries/* (if you see
> "Timeout" below, it may mean that your DNS servers did not respond fast
> enough)*/. RFC1912 2.1 says you should have a reverse DNS for all your
> mail servers. It is strongly urged that you have them, as many
> mailservers will not accept mail from mailservers with no reverse DNS
> entry. You can double-check using the 'Reverse DNS Lookup' tool on our
> site if you recently changed your reverse DNS entry (it contacts your
> servers in real time; the reverse DNS lookups in the DNS report use our
> local caching DNS server). The problem MX records are:
> our IP.in-addr.arpa [No reverse DNS entry (rcode: 3 ancount: 0) (check it)]
>
> The fixed IP is from our ISP but our mail is hosted by another ISP.
> Where do I go to ensure that the reverse DNS entry is correct - I am
> right in thinking that it is the mail host that needs to correct this?
>
> thanks in advance
>
>

No, it is your ISP, the owner of the IP address. They may possibly have
a web control panel that you can use to change it yourself.

Do you have a DNS A record (a hostname, e.g. mail.domain.com) pointing
to your IP address? If your mail DNS is set up correctly, there will be
such a hostname, and the MX record for the domain will contain that
name. But some systems will accept an IP address in the MX record, and
there may not be an A record.

You need such a hostname, pointing to your IP address, and the PTR
record should contain this. In other words, not only must there be a PTR
record, it must name an A record in public DNS which in turn points back
to the IP address. The A records and MX record are both controlled by
the domain host, who may well be the mail host if you use external email.

--
Joe

Not to disagree Joe, but the error is specifically saying that a reverse DNS
entry is failing for the MX record. And if I understand the setup
correctly, the MX record is pointing at another ISP for mail hosting
services.

In this scenario, yes, the machine where the MX record points to must also
have a valid PTR record to resolve the error in question.

-Cliff


"Joe" <joe@newsgroup> wrote in message
news:ucMMp#EoKHA.3164@newsgroup

> jad wrote:

>> Hi
>>
>> Have an issue with DNS I think.
>>
>> I have a user that is getting the following NDR for Exchange 2003:
>>
>> You do not have permission to send to this recipient. For assistance,
>> contact your system administrator.
>> <domain.co.uk #5.7.1 smtp;501 5.7.1 <users email>... Sender IP
>> must resolve>
>>
>> this has only just started to happen and seems to affect a few domains
>> here and there - most mail is going through
>>
>> I have been looking around the net and have run the DNS report which has
>> highlighted:
>>
>> Reverse DNS entries for MX records - ERROR: The IP of one or more of your
>> mail server(s) have no reverse DNS (PTR) entries/* (if you see "Timeout"
>> below, it may mean that your DNS servers did not respond fast enough)*/.
>> RFC1912 2.1 says you should have a reverse DNS for all your mail servers.
>> It is strongly urged that you have them, as many mailservers will not
>> accept mail from mailservers with no reverse DNS entry. You can
>> double-check using the 'Reverse DNS Lookup' tool on our site if you
>> recently changed your reverse DNS entry (it contacts your servers in real
>> time; the reverse DNS lookups in the DNS report use our local caching DNS
>> server). The problem MX records are:
>> our IP.in-addr.arpa [No reverse DNS entry (rcode: 3 ancount: 0) (check
>> it)]
>>
>> The fixed IP is from our ISP but our mail is hosted by another ISP. Where
>> do I go to ensure that the reverse DNS entry is correct - I am right in
>> thinking that it is the mail host that needs to correct this?
>>
>> thanks in advance
>>
>>

> No, it is your ISP, the owner of the IP address. They may possibly have a
> web control panel that you can use to change it yourself.
>
> Do you have a DNS A record (a hostname, e.g. mail.domain.com) pointing to
> your IP address? If your mail DNS is set up correctly, there will be such
> a hostname, and the MX record for the domain will contain that name. But
> some systems will accept an IP address in the MX record, and there may not
> be an A record.
>
> You need such a hostname, pointing to your IP address, and the PTR record
> should contain this. In other words, not only must there be a PTR record,
> it must name an A record in public DNS which in turn points back to the IP
> address. The A records and MX record are both controlled by the domain
> host, who may well be the mail host if you use external email.
>
> --
> Joe

Cliff Galiher - MVP wrote:

> Not to disagree Joe, but the error is specifically saying that a reverse
> DNS entry is failing for the MX record. And if I understand the setup
> correctly, the MX record is pointing at another ISP for mail hosting
> services.
>
> In this scenario, yes, the machine where the MX record points to must
> also have a valid PTR record to resolve the error in question.
>
>

Yes, I suppose so, though it seems unlikely beyond belief that a
commercial mail server doesn't have reverse DNS. And the sending of
email shouldn't be dependent on the MX record, and that has definitely
been throwing PTR errors.

--
Joe

thanks for your replies

just to reiterate the scenario:

IP address is a static one owned by ISP1
Router at site has this address
Domain is registered with ISP2 - I am waiting to get the login credentials
to take a look at the control panel

Spoke to ISP1 and they said I must speak to ISP2

It is wierd that this only started happenning yesterday and coincides with
adding the primary and secondary DNS of ISP1 to the server NIC (this site is
a bit of a nightmare - they have no access info to the router so can't check
what is setup there unless I reset it). They were plodding along OK and all
of a sudden they had no email or internet. Adding the DNS entries resolved
this then these email NDRs.....

If I do a mailserver test from dnsstuff I get a DNS mismatch - the reverse
and forward DNS do not match.

I just need to check that there is nothing that I can do (still waiting for
credentials for ISP2)

thanks!


"Joe" <joe@newsgroup> wrote in message
news:eiWRRlFoKHA.5700@newsgroup

> Cliff Galiher - MVP wrote:

>> Not to disagree Joe, but the error is specifically saying that a reverse
>> DNS entry is failing for the MX record. And if I understand the setup
>> correctly, the MX record is pointing at another ISP for mail hosting
>> services.
>>
>> In this scenario, yes, the machine where the MX record points to must
>> also have a valid PTR record to resolve the error in question.
>>

>
> Yes, I suppose so, though it seems unlikely beyond belief that a
> commercial mail server doesn't have reverse DNS. And the sending of email
> shouldn't be dependent on the MX record, and that has definitely been
> throwing PTR errors.
>
> --
> Joe

Hello,

The Reverse DNS setup has to be set up by whoever is the ISP where the
Exchange box sits on. for Example, if your Exchange Server is on
74.169.172.1 then call your ISP and ask them to set up a reverse DNS
PRT that resolves your IPaddress to servername.yourdomain.com. If
your PRT resolves to to 1.172.169.74.in-addr.arpa then you will get
blocked by servers that check for RDNS PTR records as a way of
controlling SPAM.

If you have AT&T DSL, send an email to dnsupdates@newsgroup
requesting a RDNS PTR record, your public IP and what you want it to
resolve to.

If you have a T-1 with AT&T, then they will either host both your
forward and reverse DNS, or they will delegate DNS control to you in
which case you must set up DNS yourself. here are the instructions:

http://sharepoint.falconits.com/FAQ/...20Pointer.aspx

If you have XO communication, call their tech support and request a
Reverse DNS and they will do it for you.

To check your RDNS, go to http://www.mxtoolbox.com and see that your
RDNS resolves to a FQDN instead of an ipaddress.in-addr.arpa

Cheers,

Miguel Fra/ Falcon ITS
http://www.falconits.com

Hello,

You said:

> IP address is a static one owned by ISP1
> Router at site has this address
> Domain is registered with ISP2 - I am waiting to get the login credentials
> to take a look at the control panel
>
> Spoke to ISP1 and they said I must speak to ISP2

ISP 2 has nothing to do with your PTR here. They are not even your
ISP, they are just hosting your Forward DNS and/or web site. If your
Exchange box is on on a public IP address assigned to you by ISP1,
then ISP1 is responsible for providing you with a reverse DNS PTR.
It's frustrating to get bounced around or to get finger pointing which
happens a lot when you get someone at the ISP who has no clue as to
what you are talking about.

Call ISP1, ask the agent if they know what a Pointer Record (PTR) is,
if they don't find someone that does so that they can guide you on who
you need to contact to get your PTR set up.

http://www.pcmag.com/encyclopedia_te...i=55466,00.asp

Miguel Fra / Falcon ITS
http://www.falconits.com

Agreed.

The Reverse DNS goes alongside the IP address that your emails come
FROM. So if you send emails to me, and your mailserver conencts to my
mailserver using IP address 212.123.123.123 then my mailserver looks
for a PTR on 212.123.123.123. (It then goes on to check SMTP banners
and ensure that the PTR resolves to a valid IP etc, but that's a
different story.

Reverse DNS has nothing whatsover to do with whoever hosts your MX
records or your domain. It's whoever owns the IP address that your
mailserver uses to contact the outside, THAT is who has to set up the
PTR.

Hope this helps the OP.



Jim


On Fri, 29 Jan 2010 06:19:09 -0800 (PST), Falcon ITS
<miguel@newsgroup> wrote:

>
>Hello,
>
>You said:
>

>> IP address is a static one owned by ISP1
>> Router at site has this address
>> Domain is registered with ISP2 - I am waiting to get the login credentials
>> to take a look at the control panel
>>
>> Spoke to ISP1 and they said I must speak to ISP2

>
>ISP 2 has nothing to do with your PTR here. They are not even your
>ISP, they are just hosting your Forward DNS and/or web site. If your
>Exchange box is on on a public IP address assigned to you by ISP1,
>then ISP1 is responsible for providing you with a reverse DNS PTR.
>It's frustrating to get bounced around or to get finger pointing which
>happens a lot when you get someone at the ISP who has no clue as to
>what you are talking about.
>
>Call ISP1, ask the agent if they know what a Pointer Record (PTR) is,
>if they don't find someone that does so that they can guide you on who
>you need to contact to get your PTR set up.
>
>http://www.pcmag.com/encyclopedia_te...i=55466,00.asp
>
>Miguel Fra / Falcon ITS
>http://www.falconits.com
>
>

"jad" <noreply@newsgroup> wrote in message
news:%23QvLxRMoKHA.1556@newsgroup

> thanks for your replies
>
> just to reiterate the scenario:
>

<snipped>

>
> It is wierd that this only started happenning yesterday and coincides with
> adding the primary and secondary DNS of ISP1 to the server NIC (this site
> is a bit of a nightmare - they have no access info to the router so can't
> check what is setup there unless I reset it). They were plodding along OK
> and all of a sudden they had no email or internet. Adding the DNS entries
> resolved this then these email NDRs.....
>

<snipped>

You've received some great suggestions how to handle the reverse DNS issue,
which I agree with, is that you must contact the ISP who owns the IP
address.

Regarding your paragrpaph above, you are saying that you are using the ISP's
DNS adresses on your SBS? Is the server configured with two NICs? You should
really set both NICs to the SBS IP address itself as the only DNS IP
address, and allow your own DNS server to resolve outside names. Configure a
Forwarder in DNS. The following will help explain it, and applied to SBS.

323380 - HOW TO Configure DNS for Internet Access in Windows Server 2003
(including how to configure a Forwarder) :
http://support.microsoft.com/?id=323380

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.

Many thanks to you all

Think that clears up all the queries - will get onto it!


"Jim" <jim@newsgroup> wrote in message
news:dur5m59o1h4erkoalkt51s6aa7npilkev8@newsgroup

> Agreed.
>
> The Reverse DNS goes alongside the IP address that your emails come
> FROM. So if you send emails to me, and your mailserver conencts to my
> mailserver using IP address 212.123.123.123 then my mailserver looks
> for a PTR on 212.123.123.123. (It then goes on to check SMTP banners
> and ensure that the PTR resolves to a valid IP etc, but that's a
> different story.
>
> Reverse DNS has nothing whatsover to do with whoever hosts your MX
> records or your domain. It's whoever owns the IP address that your
> mailserver uses to contact the outside, THAT is who has to set up the
> PTR.
>
> Hope this helps the OP.
>
>
>
> Jim
>
>
> On Fri, 29 Jan 2010 06:19:09 -0800 (PST), Falcon ITS
> <miguel@newsgroup> wrote:
>

>>
>>Hello,
>>
>>You said:
>>

>>> IP address is a static one owned by ISP1
>>> Router at site has this address
>>> Domain is registered with ISP2 - I am waiting to get the login
>>> credentials
>>> to take a look at the control panel
>>>
>>> Spoke to ISP1 and they said I must speak to ISP2

>>
>>ISP 2 has nothing to do with your PTR here. They are not even your
>>ISP, they are just hosting your Forward DNS and/or web site. If your
>>Exchange box is on on a public IP address assigned to you by ISP1,
>>then ISP1 is responsible for providing you with a reverse DNS PTR.
>>It's frustrating to get bounced around or to get finger pointing which
>>happens a lot when you get someone at the ISP who has no clue as to
>>what you are talking about.
>>
>>Call ISP1, ask the agent if they know what a Pointer Record (PTR) is,
>>if they don't find someone that does so that they can guide you on who
>>you need to contact to get your PTR set up.
>>
>>http://www.pcmag.com/encyclopedia_te...i=55466,00.asp
>>
>>Miguel Fra / Falcon ITS
>>http://www.falconits.com
>>
>>