Problem with reverse dns

thewitcher

Cadet
Joined
Apr 6, 2021
Messages
8
I have a problem with reverse dns

I am using sendmail and dovecot

---------------------------------------------------------------

I can send emails from my address to my other address with no problem

myname1@example.com -----> myname2@example.com

and send vice versa

myname2@example.com -----> myname1@example.com

Problem (trouble):

1. By sending an e-mail to the gmail box, the message goes to the spam folder,
2. When sending to another mailbox, the mail is blocked and not delivered to the indicated address.

-------------------------------------------------------------------
Information log
in the TrueNAS jail, var/log/maillog

mail from your IP address is administratively disabled

--------------------------------------------------------------------
Information from the site: https://www.spamrats.com/

Whether the IP address follows the host name reverse naming convention

For my safety, I have deleted part of my IP address on purpose

----------------------------------------------------------------------

Typing in the shell jail

host xxx.xxx.x.xxx

I receive

xxx.x.xxx.xxx.in-addr.arpa not found: 3 (NXDOMAIN)

I pre-read the forum

https://www.truenas.com/community/threads/nfs-and-dns.68918/

It says there

''That's probably it. I don't have reverse lookup zone configured on my DNS. Thanks!''

How to set up reverse dns in jail truenas?

Please help
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
How to set up reverse dns in jail truenas?
You don't.

You probably don't own the whole class C address range, so you need the owner of it (your ISP) to set that reverse record for your IP.

If you have a standard Internet plan, they won't be giving you a static IP, so they won't do it.

You will possibly need to change your plan to one on which your ISP will allow the creation of a reverse record if you want to host your own mail server... Warning: ISPs don't like you doing that, so they charge a lot to help you with the bits required to set it up.

You may also find that even if you can get a reverse record for your IP as it is, if it's in an ISP's DHCP range, it's often grey or blacklisted by SPAMCOP and other anti-SPAM services, so you'll probably want to get that changed to a static range (usually associated with business accounts on the ISP side).
 

thewitcher

Cadet
Joined
Apr 6, 2021
Messages
8
You don't.

You probably don't own the whole class C address range, so you need the owner of it (your ISP) to set that reverse record for your IP.

If you have a standard Internet plan, they won't be giving you a static IP, so they won't do it.

You will possibly need to change your plan to one on which your ISP will allow the creation of a reverse record if you want to host your own mail server... Warning: ISPs don't like you doing that, so they charge a lot to help you with the bits required to set it up.

You may also find that even if you can get a reverse record for your IP as it is, if it's in an ISP's DHCP range, it's often grey or blacklisted by SPAMCOP and other anti-SPAM services, so you'll probably want to get that changed to a static range (usually associated with business accounts on the ISP side).

I have a dynamic public IP address

On this plan, my web server works fine with the https option.

My mail server is SSL/TLS encrypted with a password, and has spam protection and other restrictions

I am using dynamic DNS updated by Cron Jobs to update my dynamic IP address automatically.

I wrote a message to my ISP regarding reverse DNS and the mail server, asking whether my Internet plan is sufficient
and whether my service plan will allow a reverse record if I want to host my own mail server.

I am just wondering about the static address option, but dynamic is more secure and I would prefer not to change that.

-------------------------------------------------------------------------------

I saw on the internet that users edit PTR records to get reverse DNS, but I don't know which file in Truenas it changes in.

----------------------------------------------------------------------------------------

Back to reverse dns

rDNS Config Problem - not found: 3(NXDOMAIN)

xx.x.xxx.xxx.in-addr.arpa not found: 3 (NXDOMAIN)

The internet user writes that he fixed it by adding it to the file /etc/resolv.conf

Code:
vi /etc/resolv.conf
nameserver 127.0.0.1
search open-ims.test
domain open-ims.test

https://www.linuxquestions.org/ques...nfig-problem-not-found-3-nxdomain-4175457244/

(I use nano and FreeBSD)
I make my own settings

nano /etc/resolv.conf
search local mail.example.com example.com
nameserver x.x.x.x (x.x.x.x - ip where the mail server is)
nameserver 1.1.1.1
nameserver 1.0.0.1
------------------------------------------------------------------

The internet plan should be ok

What could be the reason why it doesn't work for me?
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
I saw on the internet that users edit PTR records to get reverse DNS, but I don't know which file in Truenas it changes in.

The internet user writes that he fixed it by adding it to the file /etc/resolv.conf

What could be the reason why it doesn't work for me?
That's not how the internet works...

The mail server that your mail server is trying to send to needs to be able to confirm that you're really who you say you are (confirming against your claimed hostname, the IP they see you coming from and the MX, SPF and DMARC records if you have them) and look up in a public DNS server for the record xx.x.xxx.xxx.in-addr.arpa (where the xx.x.xxx.xxx is actually your IP address backwards by octets) and get back the name your server is claiming to be at the start of the EHLO mail conversation.

The only way you can make that happen on their server is to have the person who owns that "domain" (which is really the owner of the Class C or bigger IP address range, so for you, it's your ISP). Changing files on TrueNAS will make no impact.

Most of the services used to limit SPAM also view mail servers located in ISPs' dynamic ranges as potential sources for SPAM, so you're likely to get tagged as SPAM or untrusted even if you can get the reverse record (but remain with a dynamic address).

Sorry to be the messenger of bad news if you thought there would be an easy solution that matched with what you wanted to do.

If you're only worried about sending mails to servers that you own, you can do what you're suggesting on all of them and it might be enough, but to deal with the wide world of public email, you're not going to get far.
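As an added example (not sretalla's code or anything from TrueNAS), this is the receiving side's check described above: build the in-addr.arpa name from the client IP, fetch its PTR, compare it with the EHLO name, and confirm that the forward A record points back. DNS answers come from a constructed stub table so it runs offline; the 203.0.113.0/24 addresses and hostnames are made up.

```python
import ipaddress

# Constructed stub DNS answers (not real records): PTR keyed by the reverse
# name, A keyed by hostname. 203.0.113.0/24 is the documentation range.
STUB_PTR = {
    "10.113.0.203.in-addr.arpa.": ["mail.example.com."],
    "11.113.0.203.in-addr.arpa.": ["dhcp-203-0-113-11.isp.example.net."],
    "12.113.0.203.in-addr.arpa.": ["mail.example.com."],  # PTR set, A does not point back
}
STUB_A = {
    "mail.example.com.": ["203.0.113.10"],
    "dhcp-203-0-113-11.isp.example.net.": ["203.0.113.11"],
}


def reverse_name(ip: str) -> str:
    """The name a receiving MTA queries for a PTR: octets reversed under
    in-addr.arpa (nibbles reversed under ip6.arpa for IPv6)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def fcrdns(ip: str, helo_name: str, ptr=STUB_PTR, a=STUB_A) -> str:
    """Forward-confirmed reverse DNS, as the receiving server performs it.

    Returns one of:
      'no_ptr'           - NXDOMAIN on the reverse name (Postfix logs the client as 'unknown')
      'helo_mismatch'    - a PTR exists but does not name the EHLO host
      'forward_mismatch' - the PTR names the host, but its A record does not point back
      'ok'               - reverse and forward lookups agree with the EHLO name
    """
    helo_name = helo_name.rstrip(".") + "."
    names = ptr.get(reverse_name(ip), [])
    if not names:
        return "no_ptr"
    if helo_name not in names:
        return "helo_mismatch"
    if ip not in a.get(helo_name, []):
        return "forward_mismatch"
    return "ok"


if __name__ == "__main__":
    for client_ip in ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13"]:
        print(client_ip, "EHLO mail.example.com ->", fcrdns(client_ip, "mail.example.com"))
```

Only the owner of the 203.0.113.0/24 delegation could change what `STUB_PTR` stands in for here; a resolv.conf or local zone on the sending host never reaches the receiving MTA's resolver.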
 

rvassar

Guru
Joined
May 2, 2018
Messages
972
I've run my own mail server for better part of 20 years. It's getting increasingly difficult to do this casually. I "rent" a virtual server, and host my own DNS server. I can publish an A record, or an MX record and point at virtually any IP address I wish. I could add an A record that resolved "www" in my domain name to 8.8.8.8, or any other IP address I can pull out of thin air. However, I do not own the IP address space that my virtual server uses. When someone asks for the PTR record for my mailserver's IP address, it goes to the DNS server of the outfit I rent from. Since it's a commercial offering, their management portal has an option to set the PTR record as I wish.

You can overload it locally, but it doesn't do you much good as only your hosts will see the records. The rDNS zone maps will start with something like:
Code:
$ORIGIN .


followed by an SOA record, and:

Code:
$ORIGIN 8.8.8.IN-ADDR.ARPA.
8  IN  PTR  mail.your-domain.com.


The problem you face is the rest of the world will go to ".", query the real root servers, and ultimately walk down the SOA chain for "ARPA", and "IN-ADDR", and get the SOA record for "8" and ultimately arrive at "dns.google.com.", ignoring your DNS config entirely.
 

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
Depending on where you're from, there are home connections with a static IP and access to set the reverse DNS lookup ;-)
It all depends on either your ISP or (if using a separate hosting provider) your provider.
 

rvassar

Guru
Joined
May 2, 2018
Messages
972
Depending on where you're from, there are home connections with a static IP and access to set the reverse DNS lookup ;-)
It all depends on either your ISP or (if using a separate hosting provider) your provider.

True. But most ISPs are blocking port 25 traffic these days. I used to get an exemption, but my ISP stopped offering those years ago. This and the rDNS PTR record problem is what drove me to a cheap virtual server.

Also, many mail servers will reject anything that even sort of looks like a residential rDNS record. Postfix example I run:
Code:
/^(dhcp|dialup|ppp|adsl)[^.]*[0-9]/ REJECT


My most hit single rule is:
Code:
/^unknown$/                      REJECT Spam


Which rejects hosts that do not have an rDNS record at all.
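To show what those two access rules do to incoming connections, here is an added example (not rvassar's configuration) that applies them the way a Postfix pcre client-access table would: case-insensitive matching, first match wins. The client names are constructed samples; a real Postfix passes the PTR-derived name, or literally `unknown` when reverse DNS is missing or does not forward-confirm.

```python
import re

# The two rules from the post above, as entries of a Postfix pcre table
# (e.g. referenced as check_client_access pcre:/etc/postfix/client_checks.pcre
# under smtpd_client_restrictions). Postfix pcre tables match
# case-insensitively by default and stop at the first matching rule.
CLIENT_RULES = [
    (r"^(dhcp|dialup|ppp|adsl)[^.]*[0-9]", "REJECT"),   # residential-looking rDNS
    (r"^unknown$", "REJECT Spam"),                     # no (forward-confirmed) PTR at all
]
_COMPILED = [(re.compile(p, re.IGNORECASE), action) for p, action in CLIENT_RULES]


def client_action(client_name: str):
    """Action Postfix would take for this client name, or None when no rule
    matches (evaluation then falls through to the next restriction)."""
    for pattern, action in _COMPILED:
        if pattern.search(client_name):
            return action
    return None


# Constructed sample of client names as Postfix would see them.
SAMPLE_CLIENTS = [
    "unknown",
    "dhcp-203-0-113-11.isp.example.net",
    "ADSL12.example.net",
    "ppp.example.net",        # prefix without a digit before the first dot: not matched
    "mail.example.com",
]


def evaluate(clients=SAMPLE_CLIENTS) -> dict:
    """Map each client name to the rule outcome."""
    return {name: client_action(name) for name in clients}


if __name__ == "__main__":
    for name, action in evaluate().items():
        print(f"{name:40} {action}")
```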
 

thewitcher

Cadet
Joined
Apr 6, 2021
Messages
8
That's not how the internet works...

The mail server that your mail server is trying to send to needs to be able to confirm that you're really who you say you are (confirming against your claimed hostname, the IP they see you coming from and the MX, SPF and DMARC records if you have them) and look up in a public DNS server for the record xx.x.xxx.xxx.in-addr.arpa (where the xx.x.xxx.xxx is actually your IP address backwards by octets) and get back the name your server is claiming to be at the start of the EHLO mail conversation.

The only way you can make that happen on their server is to have the person who owns that "domain" (which is really the owner of the Class C or bigger IP address range, so for you, it's your ISP). Changing files on TrueNAS will make no impact.

Most of the services used to limit SPAM also view mail servers located in ISPs' dynamic ranges as potential sources for SPAM, so you're likely to get tagged as SPAM or untrusted even if you can get the reverse record (but remain with a dynamic address).

Sorry to be the messenger of bad news if you thought there would be an easy solution that matched with what you wanted to do.

If you're only worried about sending mails to servers that you own, you can do what you're suggesting on all of them and it might be enough, but to deal with the wide world of public email, you're not going to get far.

Right, the internet doesn't work that way.

xx.x.xxx.xxx.in-addr.arpa not found: 3 (NXDOMAIN)

Name server is missing. I have configured a reverse zone

68 IN PTR examle.com.
68 IN PTR mail.example.com.

68 - this is just an example

Now the validity is looking for return addresses

host mail.example.com has address xx.xx.xx.xx ------> my public ip

Right, SPF, DMARC, DKIM records are missing

------------------------------------------------------

How do I add a txt record to a DNS zone?

It writes the txt record for SPF at the end of the file (namedb/master/example.db)

examle.com. IN TXT "v=spf1 a mx include:_spf.example.com -all"

---------------------------------------------------------------
checking

host txt I receive Host txt not found: 3(NXDOMAIN)

and

host -t txt example.com I receive example.com has no TXT record

How can I fix it?
 

thewitcher

Cadet
Joined
Apr 6, 2021
Messages
8
True. But most ISPs are blocking port 25 traffic these days. I used to get an exemption, but my ISP stopped offering those years ago. This and the rDNS PTR record problem is what drove me to a cheap virtual server.

Also, many mail servers will reject anything that even sort of looks like a residential rDNS record. Postfix example I run:
Code:
/^(dhcp|dialup|ppp|adsl)[^.]*[0-9]/ REJECT


My most hit single rule is:
Code:
/^unknown$/                      REJECT Spam


Which rejects hosts that do not have an rDNS record at all.

I am thinking about switching to a public static IP address. I am trying to configure SPF, DMARC, DKIM records because many servers accept these protections.

My messages are rejected without these records or go to the spam folder.
 

rvassar

Guru
Joined
May 2, 2018
Messages
972
Your SPF record doesn't look right. Mine has multiple records. My server has a hostname, and also goes by "mailhost" as an alternate hostname, so I have to publish records for both. Something like:

In the SOA record section, under MX and NS records:
Code:
TXT     "v=spf1 mx mx:example.com ip4:68.x.x.x ip6:6800::1 -all"
TXT     "spf2.0/pra"


Followed by:
Code:
$ORIGIN example.com.
hostname      1800   IN      TXT     "v=spf1 a -all"
mailhost        1800    IN      TXT     "v=spf1 a -all"
mailhost        1800    IN      TXT     "spf2.0/pra"
dkim._domainkey 86400   IN      TXT     "v=DKIM1; p=ABCDEFABCDEFABCDEFABCDEFABCDEFABCDEFABCDEF (really long key string... generated from OpenDKIM)"


But your records seem to be actually missing. Did you increment your zone serial number, and reload the zone map? You might need to look in your DNS server logs and figure out why it's not picking up the new records.
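To make the mechanisms in those TXT records concrete, here is an added example (not rvassar's zone or any project's code): a small SPF evaluator for the `a`, `mx`, `ip4`, `ip6` and `all` terms, run against constructed stub DNS data shaped like the records above. It deliberately leaves out `include`, `redirect` and `exists`, and the `spf2.0/pra` line is a Sender ID record, not SPF, so it is not consulted here.

```python
import ipaddress

# Constructed stub DNS (not real data). "A" carries both A and AAAA answers.
STUB_TXT = {
    "example.com.": ["v=spf1 mx mx:example.com ip4:203.0.113.10 ip6:2001:db8::1 -all"],
    "mailhost.example.com.": ["v=spf1 a -all", "spf2.0/pra"],
}
STUB_MX = {"example.com.": ["mailhost.example.com."]}
STUB_A = {
    "mailhost.example.com.": ["203.0.113.10", "2001:db8::1"],
    "example.com.": ["203.0.113.20"],
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _fqdn(name: str) -> str:
    return name.rstrip(".").lower() + "."


def _addrs(name: str) -> set:
    return {ipaddress.ip_address(x) for x in STUB_A.get(name, [])}


def spf_record(domain: str):
    """The single TXT record starting with v=spf1, or None."""
    for txt in STUB_TXT.get(_fqdn(domain), []):
        if txt.lower() == "v=spf1" or txt.lower().startswith("v=spf1 "):
            return txt
    return None


def check_spf(ip: str, domain: str) -> str:
    """Result for a message from `ip` claiming `domain` in MAIL FROM:
    'none' (no record), or the qualifier of the first matching mechanism."""
    rec = spf_record(domain)
    if rec is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in rec.split()[1:]:
        qual = "+"                                  # mechanisms default to "+"
        if term[0] in QUALIFIER:
            qual, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")  # ip6:2001:db8::1 splits at the first colon
        target = _fqdn(arg) if arg else _fqdn(domain)
        if mech == "all":
            return QUALIFIER[qual]
        if mech in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIER[qual]
        if mech == "a" and addr in _addrs(target):
            return QUALIFIER[qual]
        if mech == "mx" and any(addr in _addrs(mx) for mx in STUB_MX.get(target, [])):
            return QUALIFIER[qual]
    return "neutral"                                # nothing matched and no "all" term
```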
 

thewitcher

Cadet
Joined
Apr 6, 2021
Messages
8
Your SPF record doesn't look right. Mine has multiple records. My server has a hostname, and also goes by "mailhost" as an alternate hostname, so I have to publish records for both. Something like:

In the SOA record section, under MX and NS records:
Code:
TXT     "v=spf1 mx mx:example.com ip4:68.x.x.x ip6:6800::1 -all"
TXT     "spf2.0/pra"


Followed by:
Code:
$ORIGIN example.com.
hostname      1800   IN      TXT     "v=spf1 a -all"
mailhost        1800    IN      TXT     "v=spf1 a -all"
mailhost        1800    IN      TXT     "spf2.0/pra"
dkim._domainkey 86400   IN      TXT     "v=DKIM1; p=ABCDEFABCDEFABCDEFABCDEFABCDEFABCDEFABCDEF (really long key string... generated from OpenDKIM)"


But your records seem to be actually missing. Did you increment your zone serial number, and reload the zone map? You might need to look in your DNS server logs and figure out why it's not picking up the new records.

Yes, I increased the zone serial number from 2021041201 to 2021041202. Tomorrow I will start with 2021041301

Where is the BIND9 server log, because it is not in the var/log directory?

How to reload the zone map ?
 

rvassar

Guru
Joined
May 2, 2018
Messages
972
Yes, I increased the zone serial number from 2021041201na 2021041202. Tomorrow I will start with 2021041301

Q: Was it "2021041201na" or "2021041201" and the "na" a forum typo? I'm just not sure how BIND9 would handle that as a SERIAL. BIND gets really touchy about SERIAL only ever incrementing. If you fail to increment it, or try and decrement it, the secondary DNS servers fail to pick up the changes, which is possibly what you're seeing. There is a whole procedure for rolling over SERIAL back to "1", which involves shortening up your SOA TTL, and a bunch of other mucking about. Hence why most zones stick with YYYYMMDDHH or some trivial variation.

Where is the BIND9 server log, because it is not in the var/log directory?

How to reload the zone map ?

It depends on your distro / config. Mine logs to /var/log/syslog.

You request a zone map reload by throwing a "SIGHUP" at the daemon, ala... "kill -HUP <PID>".
 

thewitcher

Cadet
Joined
Apr 6, 2021
Messages
8
Q: Was it "2021041201na" or "2021041201" and the "na" a forum typo? I'm just not sure how BIND9 would handle that as a SERIAL. BIND gets really touchy about SERIAL only ever incrementing. If you fail to increment it, or try and decrement it, the secondary DNS servers fail to pick up the changes, which is possibly what you're seeing. There is a whole procedure for rolling over SERIAL back to "1", which involves shortening up your SOA TTL, and a bunch of other mucking about. Hence why most zones stick with YYYYMMDDHH or some trivial variation.

It depends on your distro / config. Mine logs to /var/log/syslog.

You request a zone map reload by throwing a "SIGHUP" at the daemon, ala... "kill -HUP <PID>".

Sorry, typo. I corrected the above "na" to "on".
Correct
''Yes, I increased the zone serial number from 2021041201 to 2021041202''
''Tomorrow I will start with 2021041301''
 

thewitcher

Cadet
Joined
Apr 6, 2021
Messages
8
I was left with the DKIM and DMARC configuration.

Running DKIM milter in the server logs (var/log/maillog) I have the following message:

Apr 27 12:42:32 opendkim[27902]: OpenDKIM Filter v2.10.3 starting (args: -l -u mailnull -P /var/run/milteropendkim/pid -x /usr/local/etc/mail/opendkim.conf)

How can the problem be solved?

I added the path to the pid file in opendkim.conf /var/run/milteropendkim/pid
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
Apr 27 12:42:32 opendkim[27902]: OpenDKIM Filter v2.10.3 starting (args: -l -u mailnull -P /var/run/milteropendkim/pid -x /usr/local/etc/mail/opendkim.conf)
This looks to me like information telling you that the process is started.

What error are you trying to correct?
 

thewitcher

Cadet
Joined
Apr 6, 2021
Messages
8
This looks to me like information telling you that the process is started.

What error are you trying to correct?

I just thought it was a bug.

service milter-opendkim status
milteropendkim is running as pid 27902.

I added DKIM txt records to the dns zone

DKIM starts up but the website toolbox.googleapps.com shows that it is not configured (DKIM is not set up).

There is nothing else in the server logs

I don't know where to look now.
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
DKIM requires setup on the sending server (private and public key storage and generation) and in public DNS (to share the public Key).

You can look it up in google and find plenty of helpers on how to configure it.
 

rvassar

Guru
Joined
May 2, 2018
Messages
972
You need to publish a public DKIM key for Google to query. That's the "dkim._domainkey" TXT record in my earlier post.
 