Postfix – Reverse DNS (PTR) EHLO Mismatch

postfix

I'd like to run my own email server, but yikes! It's so hard, it's as if email configuration is the latin/greek of the internet..

Okay,

My ISP set up a reverse dns DNS (PTR) entry for mx.[mydomainname].com

Per advice online I changed smtpd_banner = mx.[mydomainname].com ESMTP in
/etc/postfix/main.cf.

But when I test my email server with http://xeams.com/validation.htm

Still it tells me that the reverse lookup fails.

Reverse Lookup: FAIL Connecting IP resolves to mx.[mydomainname].com,
which does not match with HELO string

Also I've checked the EHLO message using telnet [mydomainname].com 25 to verify that it contained the specific reverse lookup mx.[mydomainname].com, tried again after editing it to match exactly.

Each time after rerunning the validation report it says the same thing.

Reverse Lookup: FAIL Connecting IP resolves to mx.[mydomainname].com,
which does not match with HELO string

— this is perplexing and if anyone can help I'd appreciate it.

Update

After editing my config so that my hostmane in postfix is mx.[mydomainname]

And trying also when hostname in postfix is [mydomainname]

Ensuring to reload and with

DNS record config:

A |[mydomainname] | [my.static.ip.address]
A |mx.[mydomainname]| [my.static.ip.address]
MX |mx.[mydomainname] | [mydomainname]
TXT |mx.[mydomainname] | v=spf1 a mx ~all
TXT |mail._domainkey.[mydomainname] | v=DKIM1; k=rsa; p=…keycode

Both cases I'm getting this bounce back when I try to do the validation test…

<validate.server@synametrics.com>: host mailbk.synametrics.com[74.208.84.194]
    said: 550 5.1.1 <validate.server@synametrics.com>... User unknown (in reply
    to RCPT TO command)

I'm not sure if I need give the MX records I edited time to propagate. If the DKIM set to mail. is a problem, or what kind of trouble I'm in.

Best Answer

That was a wrong advice.

smtpd_banner, as it is clear from the name, configure Postfix's smtpd server processes. It it the server processes, which listen to incoming connections on port 25, and probably on other ports if you enabled them (like submission service).

What you need is set up how postfix smtp client process introduces itself when it connects to another system to their port 25 (or another port if you configured it so in transport_maps). The value it uses for that is smtp_helo_name which by default is set to myhostname.

I advise to change myhostname, because it is used in many places as a template. That way it will affect many other settings in the right way. For example, smtpd_banner by default also depends on it and will be set in sync with other settings.

UPD: by the way, Postfix manual (man 5 postconf) also says about smtpd_banner:

You MUST specify $myhostname at the start of the text. This is required by the SMTP protocol.

this also could have directed you to the idea that original advice was strange and you have to do something with myhosname. Always check other's advices with manual. Mine too!

Related Solutions

451 #4.1.8 Domain of sender address does not resolve

This looks like a temporary DNS issue on receiving side. Their server just can't resolve your address for some reason. I think nothing can be done to fix that on your side. Probably you should contact their representative using another email and ask them to address this issue.

Postfix and OpenDKIM – How to Configure and Inform Receiving Server

First of all, please remove these values (they aren't needed if you use KeyTable):

Domain      example1.com
KeyFile     /etc/opendkim/keys/example1_com/selc
Selector    selc

Domain      example2.com
KeyFile     /etc/opendkim/keys/example2_com/selc
Selector    selc

Setup your KeyTable like that:

mykey1 example1.com:recordname1:/path/to/domain.key
mykey2 example2.com:recordname2:/path/to/domain.key

Setup your SigningTable like that (note wildcard matching and mykey1 and mykey2 from KeyTable):

*@example1.com mykey1
*@example2.com mykey2

And finally change your opendkim.conf to include SigningTable via refile: prefix (regular expressions support):

SigningTable    refile:/etc/opendkim/SigningTable

And domain record for reference (note recordname1 and recordname2 from KeyTable):

recordname1._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=..."
recordname2._domainkey IN TXT "v=DKIM1; g=*; k=rsa; p=..."

Additionally, please, check if you have your node hostname (from which you are sending mail) in InternalHosts file:

server1.example1.com
server2.example2.com
mail.example1.com
mail.example2.com

Again, you can use refile: prefix to be able to add something like:

*.example1.com
*.example2.com

if you have multiple hosts and do not want to include all of them by hand. If you accept only local mail, you should add localhost here.

You should check log file for DKIM notices about skipping signing if your host is missing in the InternalHosts file.

Example of opendkim.conf:

# Set these values (Syslog, SyslogSuccess, LogWhy) for debugging and check syslog for details
Syslog      yes
SyslogSuccess   yes
LogWhy      yes

UMask       002
UserID      opendkim:opendkim

KeyTable            /etc/opendkim/KeyTable
SigningTable        refile:/etc/mail/SigningTable
InternalHosts       refile:/etc/mail/hosts

Best Answer

Related Solutions

451 #4.1.8 Domain of sender address does not resolve

Postfix and OpenDKIM – How to Configure and Inform Receiving Server

Related Topic