RDNS_NONE issue
I'm using /etc/mailips to send mail on a specific IP on the server. When it arrives at the destination I'm getting an RDNS_NONE error.
In MailScanner the sending IP is listed and that is being resolved to the FQDN of the host. If I dig -x "IP" I get an rDNS that is correct and matches the HELO. I'm also getting a softfail error, but the IP is in the SPF record for the domain. I tried by sending via Outlook and via Webmail to ensure it wasn't pointing to some other IP rather than the server, but that made no difference. The PTR record is correctly set at the data center and can be verified. One tricky part here is that the website is using Cloudflare, but that doesn't hurt anything when the /etc/mailips IP is not listed (using default). Any idea why this would be happening?
DKIM_SIGNED 0.10 Message has a DKIM or DK signature, not necessarily valid
DKIM_VALID -0.10 Message has at least one valid DKIM or DK signature
DKIM_VALID_AU -0.10 Message has a valid DKIM or DK signature from author's domain
HTML_FONT_TINY_NORDNS 1.50 Font too small to read, no rDNS
HTML_MESSAGE 0.00 HTML included in message
RDNS_NONE 2.00 Delivered to internal network by a host with no rDNS
SPF_HELO_SOFTFAIL 1.50 SPF: HELO does not match SPF record (softfail)
SPF_PASS -0.00 SPF: sender matches SPF record
Hey there! My only idea based off that information - does the domain in the HELO also have a valid A record that resolves in DNS? Possibly relevant discussion here: RDNS_NONE hits when it shouldn't
This is the relevant data with the real IPs and domains removed. This is from the receiving server. The IP I'm sending on is 11.22.33.55, which is also ns1 for the domain records. The sending server's HELO is fqdn.domain.com.

[root@host ~]# dig a fqdn.domain.com

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.5 <<>> a fqdn.domain.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41078
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;fqdn.domain.com. IN A

;; ANSWER SECTION:
fqdn.domain.com. 3600 IN A 11.22.33.44

;; AUTHORITY SECTION:
domain.com. 3600 IN NS ns2.domain.com.
domain.com. 3600 IN NS ns1.domain.com.

;; ADDITIONAL SECTION:
ns1.domain.com. 3600 IN A 11.22.33.55
ns2.domain.com. 3600 IN A 11.22.33.66

;; Query time: 69 msec
;; SERVER: 10.10.10.10#53(10.10.10.10)
;; WHEN: Tue May 25 14:07:56 EDT 2021
;; MSG SIZE rcvd: 126

[root@host ~]# dig -x 11.22.33.44

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.5 <<>> -x 11.22.33.44
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25914
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;26.33.22.11.in-addr.arpa. IN PTR

;; ANSWER SECTION:
26.33.22.11.in-addr.arpa. 86400 IN PTR fqdn.domain.com.

;; AUTHORITY SECTION:
33.22.11.in-addr.arpa. 259200 IN NS ns1.host.net.
33.22.11.in-addr.arpa. 259200 IN NS ns2.host.net.

;; Query time: 28 msec
;; SERVER: 10.10.10.10#53(10.10.10.10)
;; WHEN: Tue May 25 14:08:43 EDT 2021
;; MSG SIZE rcvd: 123
So as far as I can tell, yes, the HELO has a valid A record. The HELO A record does not match the sending IP, because of the /etc/mailips override.
Thanks, that worked! Here is what I did: The server IP is 11.22.33.11 with an A record for fqdn.domain.com. I set /etc/mailips to 11.22.33.22:
sitedomain.com: 11.22.33.22
11.22.33.22 is actually NS1 for the domain. I set /etc/mailhelo to:
sitedomain.com: ns1.domain.com
I set the PTR for 11.22.33.22 to ns1.domain.com. Doing that, the HELO shows up on the email as ns1.domain.com and the PTR matches. This will need to be done for each domain in mailips, so each will need a mailhelo to match. So I guess that is the trick. Every mailips entry has to have a mailhelo to match and that HELO needs to have a PTR set up. Thanks again. That was very ugly and I couldn't do it without your help.
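The rule the thread arrives at (each /etc/mailips entry needs a matching /etc/mailhelo entry, and the PTR of that IP must be the HELO name) can be checked mechanically. The following is an added example, not part of the thread and not cPanel code: the function names are hypothetical, the sample values are the thread's placeholders, and the forward A-record check is an assumption that is stricter than the "valid A record" question in the first reply.

```python
import socket

def parse_map(text):
    """Parse 'domain: value' lines, the format the thread shows for both files."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def norm(host):
    return host.rstrip(".").lower()

# Live lookups through the system resolver; each returns [] when nothing resolves.
def dns_ptr(ip):
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except OSError:
        return []

def dns_a(host):
    try:
        return socket.gethostbyname_ex(host)[2]
    except OSError:
        return []

def audit(mailips_text, mailhelo_text, ptr=dns_ptr, a=dns_a):
    """Return (domain, problem) pairs; an empty list means every entry lines up."""
    helos, problems = parse_map(mailhelo_text), []
    for domain, ip in parse_map(mailips_text).items():
        helo = helos.get(domain)
        if helo is None:
            problems.append((domain, "no mailhelo entry for this mailips entry"))
            continue
        names = [norm(n) for n in ptr(ip)]
        if not names:  # the condition RDNS_NONE describes
            problems.append((domain, f"{ip} has no PTR"))
        elif norm(helo) not in names:
            problems.append((domain, f"PTR of {ip} is {names[0]}, HELO is {helo}"))
        if ip not in a(norm(helo)):  # assumed forward check: HELO name maps back to the IP
            problems.append((domain, f"{helo} has no A record for {ip}"))
    return problems

if __name__ == "__main__":  # constructed tables stand in for DNS
    ptrs, addrs = {"11.22.33.22": ["ns1.domain.com."]}, {"ns1.domain.com": ["11.22.33.22"]}
    print(audit("sitedomain.com: 11.22.33.22", "sitedomain.com: ns1.domain.com",
                ptr=lambda ip: ptrs.get(ip, []), a=lambda h: addrs.get(h, [])))
```

On a real server, pass the contents of /etc/mailips and /etc/mailhelo and leave `ptr` and `a` at their defaults so the system resolver is queried.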
I'm glad that was it!