Postfix PTR error

Dear Community,

I want to setup a mailserver with a public DNS record. There are already some threads here in the forum, but the most relevant I could find is five years old (Postfix myhostname) and the bug report is closed (https://forge.univention.org/bugzilla/show_bug.cgi?id=30350).

My server admin book is telling me that it is very important, that postconf myhostname will prompt the DNS registered fdqn. In UCS it is the local DNS fdqn - having the internal domain name in it.

The server setup is actually almost working. The only change I have made to ucr registry is changing the helo name to the public DNS record. This way I can send emails to many email-adresses (including gmail.com, university-servers) - but GMX is telling me:

Feb 16 11:27:54 host postfix/smtp[7004]: 9FD80C8252C: to=<my.name@gmx.de>, relay=mx01.emig.gmx.net[212.227.17.5]:25, │2018-02-15 23:44:43,651 fail2ban.filter [5568]: INFO    Set maxRetry = 5
delay=405, delays=404/0.31/0.2/0, dsn=4.0.0, status=deferred (host mx01.emig.gmx.net[212.227.17.5] refused to talk to me: 554-g│2018-02-15 23:44:43,658 fail2ban.filter [5568]: INFO    Set findtime = 600
mx.net (mxgmx117) Nemesis ESMTP Service not available 554-No SMTP service 554-Bad DNS PTR resource record. 554 For explanation │2018-02-15 23:44:43,659 fail2ban.actions[5568]: INFO    Set banTime = 600
visit http://postmaster.gmx.com/en/error-messages?ip=my.public.ip.adr&c=rdns)

The solution can of course go in different directions:

• don’t care to change local DNS name in the public sphere
• changing the myhostname setting in main.cf

The question is: what is - for security reasons as well as for system stability - the way I should go? As changing myhostname is not possible through a ucr registry entry. Perhaps telling the world the internal domain-name isn’t a big problem too?

Any thoughts on this are appreciated, kind regards
Bernd

Edit: the thread poses two questions and a problem (solved) having little to do with the questions - so I will put my questions in a new thread here: Postfix myhostname 4.2

Hi Bernd,

I am unsure about your setup. Where is your server located? What is thee purpose of it?
A mailserver sends and receives emails. If you host your server at home and use an dynamic IP address you can not use this server as a receiving host!

May I assume your server is at home and should only forward your emails?

If you had taken a look at the link GMX provided to you you would have seen:

You need to configure a relay host who accepts your emails and forwards them to the destination. This is usually the SMTP-Server your email-provider told you to use. With the given credentials.

Most email Servers (as GMX and my personal one, too) reject emails directly form dynamical addresse due to spam.

/KNEBB

Hi knebb,

that is not the case in my setup as it has public (static) DNS A an MX record. GMX is telling me reasons:

Emails from your email server were rejected because the PTR Resource Record (PTR-RR) of your IP address does not follow our guidelines. Possible reasons for this can be:

• The PTR-RR states that the IP address was dynamically allocated.
• The PTR-RR is a generic standard entry of your provider. Please allocate an independent and fully qualified domain name (Fully Qualified Domain Name - FQDN) to your email server and enter the corresponding valid PTR-RR.
• Individual rejection of the PTR-RR for system protection reasons. Please contact the administrator of your system who should then contact us.

so I would guess it is point no2 that is matching here.
As other big servers are accepting my emails I suppose that GMX is so to say ‘very strict’.

Perhaps there is another DNS subject as the first SMTP Reverse DNS prompt will match something like host.myprovider.xy? But I don’t think so, because all checks are marked as actually OK only Reverse DNS does not match SMTP Banner has a warn sign. And of course: the banner has to be the myhostname…
And in the results for mail.mydomain.xy will have answers from host.int.mydomain.xy.

Regards,
Bernd

Yeah, well.

Static IP is not sufficient usually. Most Email servers require as well a valid and matching rDNS entry.

Valid means: IP can reverse resolved to a valid hostname (and not “no such entry”)
Matching means: The resolved entry should match the hostname given by the connecting mailserver.

Use dig to verify your rDNS entry:
dig -x 1.your.ip.address

The entry here should match your postfix hostname. And no, do not change the postfix hostname to the result of the dig command- these are usually two completely different domain!

You need to ask your IP-provider to create a rDNS entry!

/KNEBB

Well, yeah,

ok - so it would really be the

but I don’t think so

as already said, it prompts host.myprovider.xy

So my new question would be: tell the domain/vserver hoster to register mail.mydomain.xy or host.int.mydomain.xy?
And the other questions remain somehow unanswered to in that context.

Thank you, regards,
Bernd

Sorry,

I am currently confused.

Is there a rDNS entry? It says “IP is host.myprovider.xy”, right? Well, obviously this does not match your postfix hostname!
So your rDNS entry should match an official domain (not something like “int” or “local” or “internal”)- so I suggest to ask your provider to create an entry pointing to mail.mydimain.xy. And then configure your postfix accordingly.

/KNEBB

Sorry for confusing

I will try to explain the DNS setting perhaps with the commands:

root@myhost:~# dig -x my.public.ip.adr

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> -x my.public.ip.adr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56832
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;adr.ip.public.my.in-addr.arpa.	IN	PTR

;; ANSWER SECTION:
adr.ip.public.my.in-addr.arpa. 37246 IN	PTR	xyserver.domainhoster.country_xy.

;; AUTHORITY SECTION:
ip.public.my.in-addr.arpa. 123648	IN	NS	nameserver2.domainhoster.country_xy.
ip.public.my.in-addr.arpa. 123648	IN	NS	nameserver1.domainhoster.country_xy.

and

root@host:~# dig mydomain.country_xy mx

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> mydomain.country_xy mx
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9719
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; QUESTION SECTION:
;mydomain.country_xy.			IN	MX

;; ANSWER SECTION:
mydomain.country_xy.		86400	IN	MX	10 mail.mydomain.country_xy.

;; AUTHORITY SECTION:
mydomain.country_xy.		3691	IN	NS	nameserver1.domainhoster.country_xy.
mydomain.country_xy.		3691	IN	NS	nameserver2.domainhoster.country_xy.

;; ADDITIONAL SECTION:
mail.mydomain.country_xy.	16584	IN	A	my.public.ip.adr
nameserver1.domainhoster.country_xy.		1744	IN	A	some1.public.ip.adr
nameserver2.domainhoster.country_xy.		1744	IN	A	some2.public.ip.adr

and

root@host:~# dig @some1.public.ip.adr host.int.mydomain.country_xy

; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @some1.public.ip.adr host.int.mydomain.country_xy
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1447
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;host.int.mydomain.country_xy.	IN	A

;; ANSWER SECTION:
host.int.mydomain.country_xy. 86400 IN	A	my.public.ip.adr

Is it possible to have multiple IN PTR records? Not recommended though https://serverfault.com/questions/618700/why-multiple-ptr-records-in-dns-is-not-recommended
Ah I almost forgot:

root@host:/# postconf myhostname 
myhostname = host.int.mydomain.country_xy

and

root@host:/# postconf smtp_helo_name
smtp_helo_name = mail.mydomain.country_xy 

I was trying followed the best practice setup for UCS domain-setup I guess (Welcher Domänenname?)

Regards,
Bernd

Well, this staes everything. The reverse entry points to xyserver.domainhoster… while the MX entry points to mail.mydomain.com.
Again, let your provider change the rDNS entry and you will be fine.

I am unsure about the myhostnamee and smtp_helo_name, but you should be fine with these settings.
Just make sure you will never ever use int.mydomain.xy outside of your network!
I prefer to use internally the same domain name as officially…

/KNEBB

thank you knebb! I found the relevant FAQ from my domainhoster too. It is now possible to change the PTR record. So I will do that.

But before that, I need to be clear on what fdqn I will tell the domainhoster. (Is it even relevant as long as it reflects mydomain.country_xy for my IP4 address?)

There is still the topic of the mismatch between the postconf myhostname in UCS and the actual MX record. Also, letting myhostname unchanged with another MX record/smtp_helo_name exposes host.int.mydomain.country_xy anyway? At least if I look into email headers. So what is the point here?
So I either leave host.int.mydomain.country_xy everywhere or change it to mail.mydomain.country_xy (same IP of course) or …?

Regards,
Bernd

Edit: I have posed the question again here (Postfix myhostname 4.2) as the GMX problem and solution is solved here - thanks to @knebb.

Hey,

what a receiving mail server does is the following steps:

1. When an SMTP connection from, let’s say, 1.2.3.4 is accepted, the PTR record for 1.2.3.4 is looked up. Let’s say it resolves to mymail.mydomain.de.
2. Next the receiving SMTP server resolves that host name it just got back in step one, meaning it’ll query for an A record for mymail.mydomain.de. It’ll receive one or more IPv4 addresses for it.
3. Now it verifies that at least one of the IPv4 addresses returned in step 2 is the one it accepted the connection from.

There’s often a bit more to it[1], but that’s basically it. Meaning the host name used isn’t all that important; what’s important is that this round-trip look-up works.

Note that MX records do not play into this! MX records are used for sending mail to a specific domain, not for verifying that a certain mail server may send mail from that domain. That’s what the SPF (Sender Permitted From) framework is used for.

[1] Some more checks a receiving mail server does:

1. Verification that the host name returned in step 1 doesn’t look like host names typically assigned to dynamic IPv4 addresses
2. That the host name the sending mail server sens in its HELO or EHLO header actually exists and is resolvable (that’s what your Postfix book is talking about when mentioning Postfix’s myhostname variable)

Kind regards,
mosu