• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Resolved Problem with reverse DNS (SMTP Banner)

Julian Johannsen

Basic Pleskian
OS: Debian 8.7 / Plesk Onyx (Version 17.0.17 Update #13)

Dear pleskians,

we have (i hope) a little problem.

We have 3 domains: domainA.tld + domainB.tld + domainC.tld and each domain has a own IP address (Subscription Setting)

domainA = 1.1.1.1 --> MAIN (Plesk)
domainB = 1.1.1.1 --> Customer Subscription
domainC = 2.2.2.2 --> Own subscription

Tools & Settings > Mail Server Settings > Outgoing mail mode --> Send from domain IP addresses and use domain names in SMTP greeting

We want to separate customers and our own domains. But if we test the mail server of domainC.tld with mxtoolbox.com (SMTP Banner Check) the domains resolves to domainA.tld (Reverse DNS does not match SMTP Banner)

The reverse DNS entry is OK --> Only the SMTP banner is wrong

Results
SMTP Transaction Time --> 3.955 seconds - Good on Transaction Time
SMTP Open Relay --> OK - Not an open relay.
SMTP Connection Time --> 1.133 seconds - Good on Connection time
SMTP TLS --> OK - Supports TLS.
SMTP Valid Hostname --> OK - Reverse DNS is a valid Hostname
SMTP Reverse DNS Mismatch --> OK - 2.2.2.2 resolves to domainC.tld
SMTP Banner Check --> Reverse DNS does not match SMTP Banner

Session Transcript
Connecting to 2.2.2.2
220 mail.domainA.tld ESMTP Postfix (Debian/GNU) [981 ms]
EHLO PWS3.mxtoolbox.com
250-mail.domainC.tld
250-PIPELINING
250-SIZE 15360000
250-ETRN
250-STARTTLS
250-AUTH DIGEST-MD5 CRAM-MD5 PLAIN LOGIN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN [726 ms]
MAIL FROM:<[email protected]>
250 2.1.0 Ok [727 ms]
RCPT TO:<[email protected]>

We found a workaround
Postfix "master.cf"
replace the line with "smtp" with:

1.1.1.1:smtp inet n - - - - smtpd -o myhostname=mail.domainA.tld
2.2.2.2:smtp inet n - - - - smtpd -o myhostname=mail.domainC.tld

Does this work for me? Should this configuration be automatically created by plesk? Is this configuration overwritten with a plesk update?

Thanks for your ideas and help
 
Hi, i have the same issue here it's seams that Plesk not solve this Banner issue.
for a few email delivery, your can use with this misconfiguration.
for bulk mail it's not recommended as well, as Plesk.
 
Hi,
I have the same problem and the same setting (OS: Debian 8.7 / Plesk Onyx (Version 17.0.17 Update #13)).
I tried your workaround, but in my case it doesn't work for the 2nd domain on the 2nd IP (dedicated). Emails sent from this domain are refused by web / gmx and some other mail servers.
All domains on the server IP (main IP) can send and receive emails.
Does this mean that all domains with mail services should be installed with the main IP?
 
Send from domain IP addresses and use domain names in SMTP greeting
Bad idea on servers that run more than one domain. It will at least place the IP on some blacklists.

SMTP is using the same (main domain IP) for all mail going out, and this should always match the server domain name, not the customer domain name. Else spam traps will think the server is spamming, because it is a common spammers' practice to use different domain greetings on identical IP addresses.
 
I don't agree. In first place It should be a customer option. Second, you are wrong I can have several IP's for some domains and I will get for foreign servers "451 4.1.8 Possible forged hostname..." for this issue with Plesk (wrong SMTP banner). Also if you check MxToolBox the IP should have a banner for sending domain as domain name sender (not mismatch name).

In principle both is very easy to solve by Plesk.
To fix the problem with the Reverse DNS mismatch, it requires only the possibility in DNS Template another A and AAAA create entry which then refers to the reverse DNS entry. What is currently not possible, as more and <domain> is specified for the A or AAAA DNS entry in Plesk template. Here there is no possibility an A or AAAA entry to create the looks for example: mx.rdns1.zzz. Since Plesk always <domain> is specified it comes naturally to this reverse DNS mismatch.
 
Hello,
This issue is easy to fix.
First lets be clear about something. A mail server could have only 1 banner, so you could create a new domain or use an existing one for the mail server.
then on that domain make an A record pointing to the mail server with the same name as the banner example banner.securedmailserver.com with that being the banner
then on each domain you want to send and receive mail from the sever, you just create a cname record example smtp.domainA.com pointing to banner.securedmailserver.com
then you just create mx record with smtp.domainA.com. Easy... :)
Or you could just give them a generic mail server and let them use banner.securedmailserver.com as their mx record

Good luck,

I hope i helped
 
Hello,
This issue is easy to fix.
First lets be clear about something. A mail server could have only 1 banner, so you could create a new domain or use an existing one for the mail server.
then on that domain make an A record pointing to the mail server with the same name as the banner example banner.securedmailserver.com with that being the banner
then on each domain you want to send and receive mail from the sever, you just create a cname record example smtp.domainA.com pointing to banner.securedmailserver.com
then you just create mx record with smtp.domainA.com. Easy... :)
Or you could just give them a generic mail server and let them use banner.securedmailserver.com as their mx record

Good luck,

I hope i helped
I must be doing something wrong because Plesk will not allow me to do this..
 
To get mail delivered to most mailservers one needs a unique HELO-name that is able to resolve to that IP-address.
The PTR-record of that IP-address should correspond with the HELO-name.
The IP from where the mail is coming should correspond with the resolved HELO-name.

It's best to keep the HELO-name simple and it should only be 1 level deep.

On top of that you can have an SPF-record on the HELO-name "v=spf1 a -all" to obtain extra brownie points on some servers.

The domain/HELO/PTR/Source IP should all be equal
They do not need to be equal to the senderdomain.
 
@mr-wolf a practical example would really help
what do you change in the master.cf ?
Nothing is changed in master.cf
I changed some things in main.cf, but these are not relevant within this context.

In Plesk you can give the server a name.
Let's make it srv1.kontopoulos.com.
Note that this name has only 2 embedded dots.
Let's assume your server has the IP 65.200.30.12
You then need to point srv1.kontopoulos.com to the IP 65.200.30.12

This is easy as you own the domain kontopoulos.com (we assumed for this example).

Now comes the tricky part.
The IP 65.200.30.12 is not owned by you, but assigned to you by your provider. The owner of that IP is RIPE, but they assigned it to your provider and they are the ones that have a DNS server running that can resolve "their" IP's to a name.
That's the reverse of what DNS normally does.
Therefore the name "reverse DNS" or PTR-record.

On a typical consumer line these PTR-records contain the name of the provider and the IP with their dots replaced by dashes.

host 65.200.30.12
65-200-30-12.yourhost.gr

Spam filters will reject mail from such an IP for several reasons.

- the PTR contains an IP
- the PTR doesn't correspond the HELO
- the PTR doesn't correspond the forward DNS.

You need to speak to your provider (or they have a panel for it) to change the PTR into srv1.kontopoulos.com

If they don't you can't use your server as mail server. A solution could be to define a "smart host" and let someone else, for instance your provider, relay your mail.

On top you can create an SPF-record for the domain srv1.kontopoulos.com containing "v=spf1 a -all"


There's much more to it, but this is a start...

Plesk Settings (goes to Postfix among others)
HELO = srv1.kontopoulos.com

DNS (you)
A srv1.kontopoulos.com = 65.200.30.12
TXT srv1.kontopoulos.com = "v=spf1 a -all"

DNS (your ISP)
PTR 65.200.30.12 = srv1.kontopoulos.com

The name of the server does NOT have to be the same as the domains it's sending mail for.

You can't send mail for domains of my clients because I have protected all them with DKIM and SPF....
Well, you can send them of course, but you will have a hard time getting them delivered to any decent mail server.
 
Last edited:
Hi,
I'm using this simple txt record : v=spf1 +a +mx -all +a:your.plesk.server.name +ip4:IP.your.server
for all domains configure on server.

This help your customer to send email without being detected as spam.
 
You're completely missing the point.

That's not a normal SPF (like the one on your sender domain), I didn't cover that part.
It's the SPF for the HELO and it's therefore extremely restrictive.
You probably never heard of this kind of SPF.

For this same reason it's therefore not that important as the recipients need to check for that to have any effect.
I do it because it exists

And your SPF contains an error and has a lot of redundancy.
The "-all" should be the last directive
 
Last edited:
@mr-wolf thanks for taking the time
I already knew this part and I am OK with 1 ip and sending email from that ip

I thought you actually asnwered the question of the original poster that has multiple IPs and the SMTP banner is not correct on the alternative IPs
 
@mr-wolf thanks for taking the time
I already knew this part and I am OK with 1 ip and sending email from that ip

I thought you actually asnwered the question of the original poster that has multiple IPs and the SMTP banner is not correct on the alternative IPs
I actually did...
The "SMTP banner" should be read as the "HELO".

The other IP's need to have their own PTR's and forward DNS matching each other.

The HELO will only match to 1 IP.
That IP should have a PTR matching the HELO.

Probably the secondary IP's need to have the same TLD, but I'm not sure about that.

HELO = srv1.kontopoulos.com

srv1.kontopoulos.com = 12.10.12.10 = srv1.kontopoulos.com
srv2.kontopoulos.com = 12.10.12.11 = srv2.kontopoulos.com
srv3.kontopoulos.com = 12.10.12.12 = srv3.kontopoulos.com


If I implied or said that the sending IP needs to correspond the HELO, I was wrong.
I have a multiple IP server myself and it corresponds to what I wrote in my example.



Reverse DNS is not the same as banner/HELO
 
Last edited:
with currect configuration how do you set plesk/postfix to give the correct hostname for alternative IP
I have followed many tutorials here and elsewhere and nothing does this

I have achieved to have the main IP/ DOMAIN to send email correctly with correct HELO
but for secondary ip everything is OK EXCEPT the HELO comes up as the MAIN domain HELO
which is not good for hotmail/outlook/msn server which mark the emails as spam

specifically I have followed
postfix multiple IP SMTP banner
and this
Resolved - Problens with SSL/TLS certificate in client mail
 
with currect configuration how do you set plesk/postfix to give the correct hostname for alternative IP
I have followed many tutorials here and elsewhere and nothing does this

I have achieved to have the main IP/ DOMAIN to send email correctly with correct HELO
but for secondary ip everything is OK EXCEPT the HELO comes up as the MAIN domain HELO
which is not good for hotmail/outlook/msn server which mark the emails as spam

specifically I have followed
postfix multiple IP SMTP banner
and this
Resolved - Problens with SSL/TLS certificate in client mail
Are you sure that's the reason Microsoft rejects it?

Microsoft treats domains without a DMARC, DKIM and SPF as 2nd rate. On top of that you should subscribe their SNDS program

Smart Network Data Services

It doesn't reject mails from my server.
 
Well I have everything sorted except from the DMARC but I don't think DMARC is the problem could it ?
(SNDS the ips are clean)

do you mean to say that you have 2nd IP and the HELO on the 2nd IP is not correct ? and you can still send to MSN / HOTMAIL ?

I can not be DMARC because the main domain can send without DMARC set but HELO is correct
and 2nd ip only has no proper HELO and gets rejected (does not even get a rejection just get " Queued mail for delivery" in the maillog and email dissappears)

but was in blacklist 2 weeks ago ... could that be it ?
 
Hi Giorgos Kontopoulos,

you avoid ( possible ) discussions about your configuration, you should consider to step out of the dark and provide the related configuration files, related DNS - entries and it could be a good idea to provide the FQDN 's and IPs for further investigations. At the moment, we are only able to help you theoretically, which might not at all help, if you have current misconfigurations. ;)
 
Just sent a message using one of those secondary IP's and in the headers of the (received) message there is no mention of any mismatch.
It sees the secondary IP and resolves its PTR-record and shows it.
It didn't land in the spam box, which is remarkable as that server did not sign the mail (it's an old server, CentOS 5.11 that needs to be replaced soon and has no DKIM).

Anyhow....
I implemented what you think you need and I can see it works....
Now Microsoft sees the HELO mx2.wolf.com instead of ns3.wolf.com which is the name of the server.
The only thing needed is the added directive smtp_helo_name= and a "postfix reload".

But beware that Microsoft has their own policies which they don't disclose in full (because they are erroneous imho).

BEFORE
cat /etc/postfix/master.cf
Code:
plesk-32.30.13.50- unix - n n - - smtp -o smtp_bind_address=32.30.13.50 -o smtp_bind_address6= -o smtp_address_preference=ipv4
plesk-32.30.13.51- unix - n n - - smtp -o smtp_bind_address=32.30.13.51 -o smtp_bind_address6= -o smtp_address_preference=ipv4
plesk-32.30.13.52- unix - n n - - smtp -o smtp_bind_address=32.30.13.52 -o smtp_bind_address6= -o smtp_address_preference=ipv4
plesk-32.30.13.53- unix - n n - - smtp -o smtp_bind_address=32.30.13.53 -o smtp_bind_address6= -o smtp_address_preference=ipv4

Part of the header on my personal hotmail address

Code:
Received: from mx2.wolf.com ([32.30.13.52]) by SNT004-MC10F17.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23143);

Code:
Received-SPF: Pass (protection.outlook.com: domain of wolf.com designates
 32.30.13.52 as permitted sender) receiver=protection.outlook.com;
 client-ip=32.30.13.52; helo= ns3.wolf.com;


AFTER
cat /etc/postfix/master.cf
Code:
plesk-32.30.13.50- unix - n n - - smtp -o smtp_bind_address=32.30.13.50 -o smtp_bind_address6= -o smtp_address_preference=ipv4
plesk-32.30.13.51- unix - n n - - smtp -o smtp_helo_name=mx1.wolf.com -o smtp_bind_address=32.30.13.51 -o smtp_bind_address6= -o smtp_address_preference=ipv4
plesk-32.30.13.52- unix - n n - - smtp -o smtp_helo_name=mx2.wolf.com -o smtp_bind_address=32.30.13.52 -o smtp_bind_address6= -o smtp_address_preference=ipv4
plesk-32.30.13.53- unix - n n - - smtp -o smtp_helo_name=mx1.wolf.com -o smtp_bind_address=32.30.13.53 -o smtp_bind_address6= -o smtp_address_preference=ipv4

Part of the header on my personal hotmail address

Code:
Received: from mx2.wolf.com ([32.30.13.52]) by SNT004-MC10F17.hotmail.com over TLS secured channel with Microsoft SMTPSVC(7.5.7601.23143);

Code:
Received-SPF: Pass (protection.outlook.com: domain of wolf.com designates
 32.30.13.52 as permitted sender) receiver=protection.outlook.com;
 client-ip=32.30.13.52; helo= mx2.wolf.com;


As I wrote earlier "I have no problem to solve", so I wouldn't know if this "solution" solves your specific problem.
What it clearly does is that Microsoft now sees the changed HELO and that should be enough.

Note that the "Received: from mx2.wolf.com" is already reflected before any change was made.


Still the IP 32.30.13.52 needs to have the PTR-record mx2.wolf.com and mx2.wolf.com should resolve to 32.30.13.52.


The 4 HELO's, ns3.wolf.com, mx1.wolf.com, mx2.wolf.com, mx3.wolf.com can be given the SPF "v=spf1 a/30 -all"


EDIT
I have also no idea which certificate you use on your TLS-connection. As good practice I have a *.wolf.com wildcard certificate on all my servers. I don't see anything in the headers about that, but maybe Microsoft doesn't like it if the certificate doesn't match the HELO, PTR


EDIT 2

To summarize...
I don't think that the HELO should match the PTR of the IP connected to the recipient's server. It should of course match a forward DNS and it would be nice to have an SPF-record matching the IP it's coming from (note that I corrected the SPF-record on my post, the a/30,... In real life it was correct all this time).


I checked what Microsoft it's sending themselves and none of this stuff is matching, but hey, it's Microsoft... They are probably whitelisted everywhere.
I don't accept everything coming from Microsoft. One of my clients is receiving explicit messages from them and these have a different @hotmail.com address. Of course they are coming from their network and it doesn't stop. Not even after several complaints.

Because they are so big, they always win "the argument".
 
Last edited:
Back
Top