Sender Address Verification 1

[ilpadrino]

We recently implemented a service-based Spam Filter. In our router's access-list we restricted all smtp to the address range of the Spam Filter Service. I'm now noticing that some messages we send from our email server are not received and the error is "451: domain of sender address does not resolve". If this is related, could it be due to sender address verification? Can someone suggest a way for me to allow hosts to telnet to my email server for sender address verification, but restrict message flow to the spam filter service provider?
Thanks.

 

[ChrisAC]

When a server does a verification of the sending domain, it does it via a DNS lookup on the domain. It doesn't connect back into your mail server. If you only want your spam filter service to be able to connect to your mail server then this should work okay and plenty of companies are now implementing this kind of system so mail sender verification does not work this way.

When you send an email from your server to the other server the remote server often looks up the domain of the sender to ensure that it is actually a valid domain. Ours does this and so if I telnet to out server and do a "mail from: chris@iproute.co.uk" then because that domain resolves the SMTP transaction is permitted. However, if I try "mail from: chris@qwerty1234.net" then because this domain does not resolve the server refuses my attempt to send an email. It does not try to connect back to the IP address that is making the connection. It simply resolves the domain via DNS.

So, it could be that you have some kind of DNS issue. Are you sending from the correct domain (in the mail from: statement)? Do you host your own DNS or is it with your ISP?

I don't think that this is related to your SMTP acl's.

Chris.


**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************

 

[ilpadrino]

Thank you iproute, your comments help a lot. We use Sprint DNS services. I've put in two requests, but have not heard back yet. I can either cancel the spam service before the trial period ends this week, or if Sprint doesn't attempt to fix the problem, I may consider setting up my own DNS servers, but I'm pretty green in the DNS area, which is why we've always used Sprint. What's odd is the problem is only with a few domains, the majority send and receive without problem.

Suppose I do setup my own DNS servers, would it be advisable to setup forwarding to the Sprint DNS servers, or just use the roots?

Thanks.

 

[ChrisAC]

If you are going to set up your own DNS servers then using the roots is always best. I have never really seen the point of using forwards as you may as well be just querying those servers in the first place! With your own server doing root lookups you have the most control and that makes you entirely responsible for your own DNS issues.

Going back to your initial problem, it may be worth querying with the mail system admins for the servers that binned your SMTP connections to get to the bottom of why you were getting the 451 errors. It may be that they are having DNS issues at the time which is preventing them from resolving your domain when sending to their mail servers. If mail works for the majority of the time then it's unlikely that the problem is on your end or with the Sprint DNS servers, unless their DNS servers are a bit flakey?. You wouldn't want to go to all that trouble of setting up your own DNS servers and hosting your own domain just to find out that it's the receivers dodgey servers that can't resolve your domain.

Either way, good luck.

Chris.

**********************
Chris Andrew, CCNA, CCSA
chris@iproute.co.uk
**********************