Reverse DNS does not match sending address

drhowarddrfine

Son of Beastie

Reaction score: 2,410
Messages: 4,364

I haven't touched our mail/sendmail configuration in ages but I want to set up DKIM so I started getting involved. I ran some online tools that reported back:
I've found differences between mail server host names and greeting host name.
mail.domain1.com -> domain1.com
So I telnet to mail.domain1.com and it comes back as
Code:
220 otherdomain.com
which is the other domain on this same server and sendmail handles mail for it, too.

If I telnet to mail.otherdomain.com, it returns '220 otherdomain.com'.

Now, in /etc/mail/ the .mc file is www.otherdomain.com.mc

So I'm at a bit of a loss as to how to proceed with this and who knows what I may have done wrong when I first set this up years ago. Reverse DNS seems to work with both:

Code:
;; QUESTION SECTION:
;; domain1.org. IN  MX

;; ANSWER SECTION:
domain1.org.    1798    IN  MX  10 mail.domain1.org.
 

usdmatt

Daemon

Reaction score: 603
Messages: 1,544

Add the following to hostname.mc then run make install restart
Code:
define(confDOMAIN_NAME', mail.yourprimarydomain.com')dnl
(Usually you shouldn't really need this if your server is actually called mail.yourprimarydomain.com)

Make sure mail.yourprimarydomain.com resolves to the correct IP address, and that the reverse DNS for the IP address returns mail.yourprimarydomain.com. Sendmail should only use one host name, under your primary domain, and the forward and reverse DNS should match.

For additional domains you can set the mx to mail.thatdomain.com and point mail.thatdomain.com to the IP of your server if you like. Sendmail itself should not be announcing itself as mail.thatdomain.com though, it should always use its proper host name.
 

drhowarddrfine


define(confDOMAIN_NAME', mail.yourprimarydomain.com')dnl
Shouldn't that be define(`confDOMAIN_NAME', `mail.yourprimarydomain.com')dnl with the backticks?

Does it matter where in the file I put it? I put it right after DOMAIN(generic)

So after restarting, /var/log/maillog shows:

Code:
NOQUEUE: SYSERR(root): /etc/mail/sendmail.cf: line 234: unknown configuration line "\n"

Mar 11 20:45:00 www sm-mta[2716]: NOQUEUE: SYSERR(root): /etc/mail/sendmail.cf: line 237: unknown configuration line "\n"

I had to delete those lines to restart sendmail.

So two issues left:

1) my host shows the reverse DNS set properly for the IP addresses yet drill xxx.xxx.xxx.xxx does not return the domain name but I'm going to bed.

2) Can I get a HELO for the other domain names on the same server with different (or same) IP addresses?
 

usdmatt


Sorry I copied that from a reasonably decent looking site I found on Google and didn't look at the quotes. May have also been my iPad screwing it up. This is an entry direct from one of my SMTP servers (although I've changed the name):

Code:
define(`confDOMAIN_NAME', `smtp-inbound.mydomain.com')

In my case I have it near the bottom of the mc file, just above the MAILER lines. As I said you shouldn't really need this as Sendmail will just use the server hostname by default, I just find it strange that you say your server is coming back with otherdomain.com, which is why I suggested just hard coding it. I only have this set manually because I have a few load balanced mail servers with different hostnames, and smtp-inbound.mydomain.com is the name associated with the IP address we use for inbound email on our load balancer. Not that I actually use Sendmail now, I've actually moved this and most other servers to Postfix.

1) my host shows the reverse DNS set properly for the IP addresses yet drill xxx.xxx.xxx.xxx does not return the domain name but I'm going to bed.

drill ip.address will not look up reverse DNS. You're better off using host ip.address.

What do you mean your host shows it set properly? I assume you're aware that reverse DNS entries will almost certainly need to be added for you by the ISP that provide the IP address? (unless they have some control panel where you can create reverse DNS entries).

2) Can I get a HELO for the other domain names on the same server with different (or same) IP addresses?

That's not really feasible** and you don't want that. Mail servers are not any different to any other server on the Internet. It has a hostname, one hostname, such as mail.myisp.net or mail-east1.us.some-other-crap.myisp.net, really doesn't matter. All that matters is that the hostname resolves to the correct IP address, and the reverse DNS entry for the IP address maps back to the same hostname.

If you want to accept email for 3rd party domains all you need to do is the following -

1) Make sure your mail server accepts the emails, which in Sendmail is done by adding the domain to /etc/mail/local-host-names.
2) Get the inbound emails for the domain delivered to your server's IP address. You can either set the MX on their domain to my-mail-server-hostname.mydomain.com, or you can create an A record for mail.customerdomain.com that points to your server and use that in the MX.

Other servers couldn't care less that your server doesn't announce itself as mail.customerdomain.com when they receive or send email to it. It's perfectly normal for server.someisp.net to handle email for somecustomer.com. All they care about is that your server announces a valid hostname (which Sendmail normally just picks up from the system hostname) and that the forward and reverse DNS match up (which ideally should be the case for any server on the Internet). For a start an IP address can only logically resolve back to one hostname. **You'd have to use a different IP address for every customer domain, and the only obvious way I can see to make that work in Sendmail is to actually give each customer their own instance of Sendmail running in jails, which may be nice but a waste of time, effort & resources.
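The rules in the two posts above (MX host has an A record, the PTR for that IP maps back to the same name, and the SMTP greeting announces that same name) written out as a check. This is an added example, not code from the thread or from Sendmail; the DNS table, IP address and names are constructed to reproduce the mismatch described at the top of the thread, and the live_* helpers are an assumption about how you would run it against a real host.

```python
import socket
from typing import Callable, Dict, List

# Constructed fake DNS data: the MX host resolves and its PTR matches,
# but the SMTP greeting announces a different name (otherdomain.com).
FAKE_A: Dict[str, str] = {
    "mail.domain1.com": "192.0.2.25",
    "otherdomain.com": "192.0.2.25",
}
FAKE_PTR: Dict[str, str] = {"192.0.2.25": "mail.domain1.com"}


def fake_forward(name: str) -> str:
    return FAKE_A.get(name, "")


def fake_reverse(ip: str) -> str:
    return FAKE_PTR.get(ip, "")


def parse_banner(banner: str) -> str:
    """Return the host name from a 220 greeting such as
    '220 otherdomain.com ESMTP Sendmail ...'."""
    parts = banner.strip().split()
    if len(parts) < 2 or not parts[0].startswith("220"):
        raise ValueError("not a 220 greeting: %r" % banner)
    return parts[1].lower().rstrip(".")


def check_mail_host(mx_host: str, banner: str,
                    forward: Callable[[str], str] = fake_forward,
                    reverse: Callable[[str], str] = fake_reverse) -> List[str]:
    """Forward-confirmed reverse DNS plus greeting check.
    Returns a list of findings; an empty list means everything is consistent."""
    findings: List[str] = []
    mx_host = mx_host.lower().rstrip(".")
    ip = forward(mx_host)
    if not ip:
        return ["%s has no A record" % mx_host]
    ptr = reverse(ip).lower().rstrip(".")
    if not ptr:
        findings.append("no PTR record for %s" % ip)
    elif ptr != mx_host:
        findings.append("PTR for %s is %s, expected %s" % (ip, ptr, mx_host))
    elif forward(ptr) != ip:
        findings.append("PTR name %s does not resolve back to %s" % (ptr, ip))
    greeting = parse_banner(banner)
    if greeting != mx_host:
        findings.append("greeting host name %s differs from %s" % (greeting, mx_host))
    return findings


# Real lookups (assumed usage): pass these as forward= and reverse= instead.
def live_forward(name: str) -> str:
    return socket.gethostbyname(name)


def live_reverse(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]
```

Feed it the host name from your MX record and the first line you get back from telnet to port 25; with the live_* helpers it checks the real DNS.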
 

drhowarddrfine


Where I'm getting confused is, I have mydomain.org set as the reverse DNS at my host. When I do host mydomain.org it says

mydomain.org has address <correct one>
mydomain.org mail is handled by 10 mydomain.org

For host ip.address
xxx.xxx.xxx.xxx.in-addr.arpa domain name pointer mydomain.org

But mxtoolbox, on their smtp test, says
Reverse DNS is not a valid Hostname
while another tool doesn't complain at all. So now I'm wondering if mxtoolbox is the problem but it's a very popular online tool to use.

EDIT: I wonder if the mxtoolbox issue is because I don't have the AAAA records set.
 

usdmatt


MXtoolbox are probably just being strict, as I wouldn't really call mydomain.org a proper hostname/FQDN. I've already mentioned this a few times but the standard way of running a mail server is to just let it use your proper server hostname.

When you install FreeBSD or any OS, you're asked to provide a hostname (in FreeBSD "hostname" is actually configured as a FQDN, whereas some systems ask for "name" and "domain"). If you connect that machine to the Internet, really you should make sure there's a DNS entry pointing hostname to the IP address assigned to that machine, and a reverse DNS entry for the IP mapping back to hostname. That goes for every server - whether it runs email or not. If you do that, if you then want to run email you can just enable the default Sendmail service; your DNS is already completely correctly configured for running email, regardless of what email addresses / domains you actually want to provide email services for. It's no more complicated than that - the correct DNS config for email is the same simple config that should be in place for any server on the Internet. There is no need to over-complicate things by trying to get Sendmail to use mydomain.org (which I'm sure isn't your server hostname), or to change its greeting based on the domain it's about to receive/send for.

Having said all that, if Sendmail says mydomain.org in its HELO message, mydomain.org points to the correct IP address, and the reverse DNS for the IP maps back to the same thing, I'd be surprised if it causes an actual issue.
 

drhowarddrfine


Yeah, I think it's a case of everything working but there's one guy who says it isn't which is causing doubt. Outlook.com flags my email as spam still, though. I know Outlook is bad for this so I want to install DKIM which is what led me down this path.
 

usdmatt


Oh, Outlook.com & Gmail flag everything as spam, unless you're sending from Outlook.com or Gmail. :D They know customers will just complain to littleisp.com if their emails end up in Junk, rather than complain to Google about perfectly genuine emails being marked as spam. That's a lot better for them than relaxing their filters and having the possibility of users complaining to them because something that is spam has managed to make it into the Inbox. Welcome to email in 2017. o_O

Microsoft have tools at postmaster.live.com which give stats on number of emails accepted/blocked although you have to own your IP space to be able to access it. Gmail also have postmaster tools although they're practically useless from what I can see.

It's also worth keeping an eye on the senderscore.com report for your IP address.

Our emails come from systems with a decent senderscore, DKIM signed, SPF, DMARC, TLS and we still end up in spam far more often than I'd like:

("Show Original" report from Gmail web interface)
Code:
Message ID <1730601506da744fc90e6db672880d0b@mydomain.com>
Created at: Sun, Mar 12, 2017 at 6:25 PM (Delivered after 1 seconds)
From: Matt <matt@mydomain.com>
To: Matt <me@gmail.com>
Subject: Re: Gmail Test
SPF: PASS with IP 1.2.3.4
DKIM: PASS with domain mydomain.com
DMARC: PASS

Received: from smtp-outbound.mydomain.com (smtp-outbound.mydomain.com. [1.2.3.4])
       by mx.google.com with ESMTPS id g92si21505054wrd.40.2017.03.12.11.25.21
        for <me@gmail.com>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);

(That email went into my Inbox fortunately :) )
 