4

We use IIS 6 to send out emails for our website, but some email addresses bounce back. It only appears to be 2 addresses. There are at least 100 different email addresses sent to at the same time as these. Here are the 2 different messages we get.

First one.

You do not have permission to send to this recipient. For assistance, contact your system administrator. secure.example.com #5.7.1 smtp;550 5.7.1 Fix reverse DNS for xx.xx.xxx.xxx or use your ISP's mail server

Second one.

Could not deliver the message in the time limit specified. Please retry or contact your administrator. secure.example.com #4.4.7

Not sure if they both relate to reverse DNS. If you can help or require more information, please let me know.

Dave Cheney

5 Answers

6

Firstly, your mail server MUST say HELO with its canonical host name, that is, the same value as the hostname command returns when run on the command line. Under Postfix this is the value of the myhostname variable in /etc/postfix/main.cf.

Secondly, the forward and reverse pointers for your server in DNS must match, and must match the hostname value above. For example:

[dave@odessa ~]$ host odessa.cheney.net
odessa.cheney.net has address 64.85.168.249
[dave@odessa ~]$ host 64.85.168.249
249.168.85.64.in-addr.arpa domain name pointer odessa.cheney.net.

Thirdly, check that your mail server is not acting as an open relay. If your mail server is configured to relay mail from other hosts, you should be very careful to ensure that those hosts themselves are not open relays, or are properly protected from accepting messages from unauthenticated hosts. There are plenty of sites out there that will make a check for you, http://www.checkor.com/ for example.

Lastly, with the large sites, some of our mail will be marked as spam; it's just the law of averages. It's your responsibility to make sure you comply with the appropriate regulations for sending automated or bulk email, like CAN-SPAM. The most important part of this is a straightforward way for people to unsubscribe from your mailing lists. If you make this hard for people, then your users are more likely to hit the large spam button in their mail client, which will be fed back to the mail host and will work against your server.

Dave Cheney
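The HELO, PTR and forward-lookup consistency check described in this answer, as an added example that is not part of the original answer. The function names, the 192.0.2.x addresses and the sample zone data are constructed for illustration; by default the lookups go through the system resolver.

```python
import socket

def system_ptr(ip):
    """PTR names for ip via the system resolver; empty list if none."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:  # socket.herror / socket.gaierror: no reverse entry
        return []

def system_addrs(name):
    """A/AAAA addresses for name via the system resolver; empty list if none."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
    except OSError:
        return []

def norm(name):
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()

def check_sender(ip, helo, ptr_lookup=system_ptr, addr_lookup=system_addrs):
    """Return the list of mismatches between ip, its PTR and the HELO name."""
    ptr_names = [norm(n) for n in ptr_lookup(ip)]
    if not ptr_names:
        return [f"no PTR record for {ip}"]
    problems = []
    # Forward-confirm: at least one PTR name must resolve back to the same IP.
    if not any(ip in addr_lookup(n) for n in ptr_names):
        problems.append(f"PTR {ptr_names} does not resolve back to {ip}")
    # The name announced in HELO must be the name the PTR returns.
    if norm(helo) not in ptr_names:
        problems.append(f"HELO name {helo} does not match PTR {ptr_names}")
    return problems

# Constructed sample zone data (documentation addresses), not real DNS.
PTR = {"192.0.2.10": ["mail.example.com."],
       "192.0.2.20": ["host-20.isp.example."],
       "192.0.2.40": ["old.example.com."]}
A = {"mail.example.com": ["192.0.2.10"],
     "host-20.isp.example": ["192.0.2.20"],
     "old.example.com": ["192.0.2.41"]}

def demo(ip, helo):
    """Run check_sender against the constructed tables instead of live DNS."""
    return check_sender(ip, helo, lambda i: PTR.get(i, []), lambda n: A.get(n, []))
```

Calling `check_sender(ip, helo)` without the lookup arguments runs the same checks against live DNS for the server's outgoing address.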
5

Check if the IP address you are using for outgoing SMTP has a DNS PTR record ("Pointer Resource Record"). Not every IP address has a corresponding PTR record, despite the fact that it's recommended in RFC 1912.

You could check the PTR record using an online service, like DNSReport.com. There is a box "IP Information" on the first page.

The second case you mentioned seems to be a temporary problem, probably of the receiving SMTP server.

splattne
  • Have got the IP information. Here it is: IP address: 92.52.108.209 Reverse DNS: [No reverse DNS entry per ns.rackspace.com.] Reverse DNS authenticity: [Unknown] ASN: 15395 ASN Name: UNSPECIFIED (UK Rackspace) IP range connectivity: 1 Registrar (per ASN): RIPE Country (per IP registrar): GB [United Kingdom] Country Currency: GBP [United Kingdom Pounds] Country IP Range: 92.52.64.0 to 92.52.127.255 Country fraud profile: Normal –  Jun 23 '09 at 10:00
  • City (per outside source): Unknown Country (per outside source): UK [United Kingdom] Private (internal) IP? No IP address registrar: whois.arin.net Known Proxy? No Link for WHOIS: 92.52.108.209 –  Jun 23 '09 at 10:00
  • The IP address in the messages relates to example.com, but we have a different IP address for secure.example.com. Does a PTR want putting on the same IP address of example.com or secure.example.com? –  Jun 23 '09 at 10:14
  • You should ask your provider (Rackspace) to insert a PTR record for the IP address. If it's not possible for them to insert your own domain (e.g. yourmailerserver.example.com), change the FQDN on your default SMTP server to match the corresponding A and PTR records they created. – splattne Jun 23 '09 at 10:25
  • Will get them to create one and will let you know the result. –  Jun 23 '09 at 10:32
  • Have created a PTR record, but now I am getting: This is an automatically generated Delivery Status Notification. THIS IS A WARNING MESSAGE ONLY. YOU DO NOT NEED TO RESEND YOUR MESSAGE. Delivery to the following recipients has been delayed. –  Jun 24 '09 at 08:06
  • Hm, I don't think this is related. Does this happen only for certain destination addresses? – splattne Jun 24 '09 at 08:10
  • Yes, the same address as the fix reverse DNS message and another one –  Jun 24 '09 at 08:20
  • Okay, I think that is better. Seems that the problem with the missing PTR is gone. You'll have to wait if the message will be delivered in the end. If not, you'll receive a follow up warning message. – splattne Jun 24 '09 at 08:34
  • Hm, just one thing: I checked the IP address you provided in a comment on this blacklist site: http://www.mxtoolbox.com/blacklists.aspx - it seems that some services are blacklisting the address. Try to see why they list this IP address. And if it's all okay on your site, try to contact them to remove the address. – splattne Jun 24 '09 at 08:41
  • Finally got a message back saying: Could not deliver the message in the time limit specified. Please retry or contact your administrator. This was to both addresses that had the Delivery Status Notification –  Jun 25 '09 at 14:58
  • Did you see my comment about being blacklisted? Insert your IP address on http://www.mxtoolbox.com/blacklists.aspx – splattne Jun 25 '09 at 15:19
2

In an effort to curb incoming spam, many mail servers these days do a "reverse DNS lookup". That is, they take a look at the IP address connecting to them and then try and do a reverse DNS lookup to see if there is ANY response.

This prevents any random IP address from becoming a mail server and sending out thousands and thousands of emails.

Some mail servers even go an extra step and have additional points/verification based on WHAT the reverse DNS came back with. For the most part, if you have any sort of reverse DNS set up for your IP you'll be "okay".

If you don't have control over the reverse DNS for your IP address, contact your ISP and ask them to create a reverse DNS record (i.e. PTR record) for the IP address that is sending out your email.

Alternatively, you could opt to use a mail server (which has a reverse DNS record already in place) or you could use your ISP's mail server and relay your mail through them.

Hope this helps.

KPWINC
0

Only the first message seems to have any relationship with "Reverse DNS". But, since you edited it to remove the important information (the IP address), it is hard to say more.

bortzmeyer
0

As the first message is clearly a reverse DNS error, I think the second may be a consequence of the reverse DNS error: the connection attempted was given a time penalty by an SMTP antispam proxy, or the remote SMTP server was simply offline.

Maxwell