3
DNS Setup
Question asked by Richard Frank - 1/19/2021 at 5:21 AM
Unanswered
Hello,
I have some false positives, and I see in the logs that those FPs fail for reverse DNS.
When I do a ping -a <ip nr> on the server, the name resolves.
I just want to check if my DNS on the mail server is set up properly.

Windows Server 2016 with DNS Server service installed
DNS is set up to use Root Hints, forwarders are empty
On the NIC one DNS server is configured: 127.0.0.1

In SmarterMail also one DNS server is configured: 127.0.0.1.

Is this the way DNS is set up properly in combination with SmarterMail?

11 Replies

0
Richard Frank Replied
Little bump,

What is your DNS setup? Do you use your own DNS servers, or public ones?
0
Steve Norton Replied
Your DNS setup looks fine. You shouldn't use public servers as that will have a negative impact on your Spam check accuracy. We talked a little about DNS here. What are your RBL average times?
0
Richard Frank Replied
Hey Steve, thanks for your reply,
Backscatter    137    ips.backscatterer.org    5
barracuda    119    b.barracudacentral.org    30
CBL    39    cbl.abuseat.org    10
HostKarma - Blacklist    660    hostkarma.junkemailfilter.com    10
HostKarma - Brownlist    0    hostkarma.junkemailfilter.com    11
HostKarma - Whitelist    -    hostkarma.junkemailfilter.com    -5
MailSpike L3    36    rep.mailspike.net    5
MailSpike L4    0    rep.mailspike.net    5
MailSpike L5    0    rep.mailspike.net    5
McAfee    367    cidr.bl.mcafee.com    5
SEM - Black    242    bl.spameatingmonkey.net    5
SpamCop    337    bl.spamcop.net    10
Spamhaus - CSS    20    zen.spamhaus.org    10
Spamhaus - PBL    0    zen.spamhaus.org    10
Spamhaus - SBL    0    zen.spamhaus.org    10
SpamRats    1410    spam.spamrats.com    5
Surriel    676    psbl.surriel.com    10
Truncate    15    truncate.bgudb.net    10
UCEProtect Level 1    179    dnsbl-1.uceprotect.net    10
UCEProtect Level 2    190    dnsbl-2.uceprotect.net    10
UCEProtect Level 3    145    dnsbl-3.uceprotect.net    5
0
Steve Norton Replied
You have an interesting mix of fair and slow response times. Questions are:
Does your server have occasional resource issues?
Are there times when a network link is maxed out between your server and the Internet?
0
Richard Frank Replied
I've been monitoring this morning and everything is steady with bandwidth, CPU, memory etc.
But the server still has problems with rDNS, and also false results when checking SPF records.

And thanks for the link to the other topic. I have imported the spam settings from github.

Average time is good, see list below
Anonmails DNSBL    27    spam.dnsbl.anonmails.de    5                
Backscatter    68    ips.backscatterer.org    5                
barracuda    88    b.barracudacentral.org    8                
Blocklist.DE    22    bl.blocklist.de    8                
CBL    16    cbl.abuseat.org    5                
DNSWL - Low    55    list.dnswl.org    -2                
DNSWL - High    0    list.dnswl.org    -5                
DNSWL - Medium    0    list.dnswl.org    -4                
DNSWL - None    0    list.dnswl.org    -2                
Habeas SafeList 127.0.0.50    145    accredit.habeas.com    -5                
HostKarma - Blacklist    0    hostkarma.junkemailfilter.com    8                
HostKarma - Brownlist    190    hostkarma.junkemailfilter.com    3                
HostKarma - Whitelist    -    hostkarma.junkemailfilter.com    -5                
HostKarma - Yellowlist    0    hostkarma.junkemailfilter.com    2                
MailSpike L3    17    rep.mailspike.net    5                
MailSpike L4    0    rep.mailspike.net    5                
MailSpike L5    0    rep.mailspike.net    5                
Mailspike RBL    25    bl.mailspike.net    10                
McAfee    127    cidr.bl.mcafee.com    5                
SEM - Black    117    bl.spameatingmonkey.net    5                
Sender Score 0-9    0    score.senderscore.com    5                
Sender Score 95-100    59    score.senderscore.com    -5                
SORBS - No Server    61    noserver.dnsbl.sorbs.net    10                
SORBS - NoMail    260    nomail.rhsbl.sorbs.net    10                
SpamCop    33    bl.spamcop.net    10                
Spamhaus - CSS    18    zen.spamhaus.org    10                
Spamhaus - PBL    0    zen.spamhaus.org    10                
Spamhaus - SBL    0    zen.spamhaus.org    10                
SpamRats    122    spam.spamrats.com    5                
SpamRATS NoPTR    118    noptr.spamrats.com    2                
Surriel    130    psbl.surriel.com    10                
Truncate    12    truncate.bgudb.net    10                
UCEProtect Level 1    50    dnsbl-1.uceprotect.net    10                
UCEProtect Level 2    43    dnsbl-2.uceprotect.net    10                
UCEProtect Level 3    46    dnsbl-3.uceprotect.net    5        


0
Richard Frank Replied
There have been a few updates too I see now, I'll update the server tonight.
0
Steve Norton Replied
Enable DNS server debug logging, from an elevated PowerShell prompt on the server -
Set-DnsServerDiagnostics -LogFilePath C:\Temp\dns.log; Set-DnsServerDiagnostics -All $true; Set-DnsServerDiagnostics -FullPackets $false

You can then match failed lookups to log entries.
0
Richard Frank Replied
Hey Steve, thanks for the ps command.

when you take a look at these logs, first smtp log, second delivery log. Both for the same message. SMTP finds pointer, but delivery log says Reverse DNS Lookup: 20, ReverseFailed

[2021.01.23] 00:07:22.012 [80.242.238.141][21322875] rsp: 220 mail.soko.nl Fri, 22 Jan 2021 23:07:22 +0000 UTC | SMEV
[2021.01.23] 00:07:22.012 [80.242.238.141][21322875] connected at 23-1-2021 00:07:22
[2021.01.23] 00:07:22.012 [80.242.238.141][21322875] Country code: NL
[2021.01.23] 00:07:22.043 [80.242.238.141][21322875] cmd: EHLO srv1.targateam.nl
[2021.01.23] 00:07:22.043 [80.242.238.141][21322875] rsp: 250-mail.soko.nl Hello [80.242.238.141]250-SIZE 41943040250-AUTH LOGIN CRAM-MD5250-STARTTLS250-8BITMIME250-DSN250 OK
[2021.01.23] 00:07:22.090 [80.242.238.141][21322875] cmd: STARTTLS
[2021.01.23] 00:07:22.090 [80.242.238.141][21322875] rsp: 220 Start TLS negotiation
[2021.01.23] 00:07:22.137 [80.242.238.141][21322875] cmd: EHLO srv1.targateam.nl
[2021.01.23] 00:07:22.137 [80.242.238.141][21322875] rsp: 250-mail.soko.nl Hello [80.242.238.141]250-SIZE 41943040250-AUTH LOGIN CRAM-MD5250-8BITMIME250-DSN250 OK
[2021.01.23] 00:07:22.187 [80.242.238.141][21322875] cmd: MAIL FROM:<support@wvksclder.nl> RET=HDRS ENVID=60c1840c-033c-49fd-b3a6-acb0d9b4b8ae SIZE=4084
[2021.01.23] 00:07:22.187 [80.242.238.141][21322875] senderEmail(1): support@wvksclder.nl parsed using: <support@wvksclder.nl>
[2021.01.23] 00:07:29.756 [80.242.238.141][21322875] rsp: 250 OK <support@wvksclder.nl> Sender ok
[2021.01.23] 00:07:29.756 [80.242.238.141][21322875] Sender accepted. Weight: -5. Block threshold: 30.
[2021.01.23] 00:07:29.787 [80.242.238.141][21322875] cmd: RCPT TO:<dummy@email.nl> NOTIFY=FAILURE
[2021.01.23] 00:07:29.787 [80.242.238.141][21322875] rsp: 250 OK <dummy@email.nl> Recipient ok
[2021.01.23] 00:07:29.819 [80.242.238.141][21322875] cmd: DATA
[2021.01.23] 00:07:29.819 [80.242.238.141][21322875] Performing PTR host name lookup for 80.242.238.141
[2021.01.23] 00:07:29.819 [80.242.238.141][21322875] PTR host name for 80.242.238.141 resolved as srv1.targateam.nl
[2021.01.23] 00:07:29.819 [80.242.238.141][21322875] rsp: 354 Start mail input; end with <CRLF>.<CRLF>
[2021.01.23] 00:07:29.850 [80.242.238.141][21322875] senderEmail(2): support@wvksclder.nl parsed using: "uw vakschilder" <support@wvksclder.nl>
[2021.01.23] 00:07:29.850 [80.242.238.141][21322875] Sender accepted. Weight: -5. Block threshold: 30.
[2021.01.23] 00:07:29.881 [80.242.238.141][21322875] rsp: 250 OK
[2021.01.23] 00:07:29.881 [80.242.238.141][21322875] Received message size: 4092 bytes
[2021.01.23] 00:07:29.881 [80.242.238.141][21322875] Successfully wrote to the HDR file. (c:\SmarterMail\Spool\SubSpool0\-429602691769.hdr)
[2021.01.23] 00:07:29.881 [80.242.238.141][21322875] Data transfer succeeded, writing mail to -429602691769.eml (MessageID: <6E499798E9224D9EA9EA94212CB8C5F8@srv1>)
[2021.01.23] 00:07:29.897 [80.242.238.141][21322875] cmd: QUIT
[2021.01.23] 00:07:29.897 [80.242.238.141][21322875] rsp: 221 Service closing transmission channel
[2021.01.23] 00:07:29.897 [80.242.238.141][21322875] disconnected at 23-1-2021 00:07:29

[2021.01.23] 00:07:31.859 [02691769] Delivery started for support@wvksclder.nl at 00:07:31
[2021.01.23] 00:07:43.914 [02691769] Added to SpamCheckQueue (1 queued; 0/30 processing)
[2021.01.23] 00:07:43.914 [02691769] [SpamCheckQueue] Begin Processing.
[2021.01.23] 00:07:43.914 [02691769] Blocked Sender Checks started.
[2021.01.23] 00:07:43.914 [02691769] Blocked Sender Checks completed.
[2021.01.23] 00:07:43.992 [02691769] Spam Checks started.
[2021.01.23] 00:07:46.002 [02691769] Spam Check results: [REVERSE DNS LOOKUP: 20,ReverseFailed], [_SPF: 0,Neutral], [_DKIM: 0,None], [BACKSCATTER: 0,passed], [MAILSPIKE L3: 0,passed], [MAILSPIKE L4: 0,passed], [MAILSPIKE L5: 0,passed], [MCAFEE: 0,passed], [SEM - BLACK: 0,passed], [SPAMCOP: 0,passed], [SPAMHAUS - CSS: 0,passed], [SPAMHAUS - PBL: 0,passed], [SPAMHAUS - SBL: 0,passed], [SPAMRATS: 0,passed], [SURRIEL: 0,passed], [TRUNCATE: 0,passed], [UCEPROTECT LEVEL 1: 0,passed], [UCEPROTECT LEVEL 2: 0,passed], [UCEPROTECT LEVEL 3: 0,passed], [SEM-URI: 0,passed], [SURBL: 3 results 15,failed], [URIBL BLACK: 0,passed], [URIBL RED: 0,passed], [SENDER SCORE 95-100: 0,passed], [DNSWL -  LOW: 0,passed], [DNSWL - HIGH: 0,passed], [DNSWL - MEDIUM: 0,passed], [DNSWL - NONE: 0,passed], [HABEAS SAFELIST 127.0.0.50: 0,passed], [ANONMAILS DNSBL: 0,passed], [CBL: 0,passed], [HOSTKARMA - BROWNLIST: 0,passed], [HOSTKARMA - YELLOWLIST: 0,passed], [SENDER SCORE 0-9: 0,passed], [SORBS - NO SERVER: 0,passed], [SORBS - NOMAIL: 0,passed], [BARRACUDA: 0,passed], [HOSTKARMA - BLACKLIST: 0,passed], [MAILSPIKE RBL: 0,passed], [BLOCKLIST.DE: 0,passed], [SPAMRATS NOPTR: 0,passed]
[2021.01.23] 00:07:46.002 [02691769] Spam Checks completed.
[2021.01.23] 00:07:46.002 [02691769] Removed from SpamCheckQueue (0 queued or processing)
[2021.01.23] 00:07:46.917 [02691769] Added to LocalDeliveryQueue (0 queued; 1/50 processing)
[2021.01.23] 00:07:46.917 [02691769] [LocalDeliveryQueue] Begin Processing.
[2021.01.23] 00:07:46.917 [02691769] Starting local delivery to dummy@email.nl
[2021.01.23] 00:07:46.917 [02691769] Process delivery status notification step from local recipient success. Recipient: [dummy@email.nl], Notify: [failure], Delivered: [True], Forwarded: [False], Deleted: False
[2021.01.23] 00:07:46.917 [02691769] Delivery for support@wvksclder.nl to dummy@email.nl has completed (Delivered to Junk Email) Filter: Spam (Weight: 35), Action (Global Level): MoveToFolder
[2021.01.23] 00:07:46.917 [02691769] End delivery to dummy@email.nl (MessageID: <6E499798E9224D9EA9EA94212CB8C5F8@srv1>)
[2021.01.23] 00:07:46.917 [02691769] Removed from LocalDeliveryQueue (0 queued or processing)
[2021.01.23] 00:07:49.931 [02691769] Removing Spool message: Killed: False, Failed: False, Finished: True
[2021.01.23] 00:07:49.931 [02691769] Delivery finished for support@wvksclder.nl at 00:07:49    [id:-429602691769]

for now I'm gonna disable reverse dns check for the spool filtering

is there a difference between rdns lookup for smtp and for delivery(spool)? 
0
Steve Norton Replied
If the SMTP lookup worked, the record would be in the cache on the Windows DNS server; the TTL on that record is over 15 minutes. Do you have DNS caching enabled in SM? Logging on the Windows DNS server would show the SM service doing the checks.
Rather than disabling the check for spool filtering, why don't you give it a score of 0 so that you can keep the diagnostics going?
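To support the diagnostics discussed above, the SMTP and delivery logs can be correlated automatically to list messages where SMTP resolved a PTR but the spool check reported ReverseFailed. This Python sketch is an added example, not part of the thread or of SmarterMail; it assumes the log line formats shown in the logs posted earlier, assumes the delivery log id is the last 8 digits of the spool file name (as in those logs), and runs on constructed sample lines with placeholder addresses.

```python
import re

# Constructed sample lines in the format of the logs posted in this thread.
# 192.0.2.10, 198.51.100.7 and the host names are placeholders, not thread values.
SMTP_LOG = """\
[2021.01.23] 00:07:29.819 [192.0.2.10][111] PTR host name for 192.0.2.10 resolved as mail.example.net
[2021.01.23] 00:07:29.881 [192.0.2.10][111] Data transfer succeeded, writing mail to -429600000001.eml (MessageID: <a@example>)
[2021.01.23] 00:09:10.100 [198.51.100.7][112] PTR host name for 198.51.100.7 resolved as mx.example.org
[2021.01.23] 00:09:10.200 [198.51.100.7][112] Data transfer succeeded, writing mail to -429600000002.eml (MessageID: <b@example>)
"""
DELIVERY_LOG = """\
[2021.01.23] 00:07:46.002 [00000001] Spam Check results: [REVERSE DNS LOOKUP: 20,ReverseFailed], [_SPF: 0,Neutral], [SURBL: 3 results 15,failed], [CBL: 0,passed]
[2021.01.23] 00:09:12.002 [00000002] Spam Check results: [REVERSE DNS LOOKUP: 0,passed], [_SPF: 0,Pass], [CBL: 0,passed]
"""
PTR_RE = re.compile(r"\[([\d.]+)\]\[(\d+)\] PTR host name for \S+ resolved as (\S+)")
SPOOL_RE = re.compile(r"\[([\d.]+)\]\[(\d+)\] Data transfer succeeded, writing mail to -?(\d+)\.eml")
RESULT_RE = re.compile(r"\[(\w+)\] Spam Check results: (.*)")
CHECK_RE = re.compile(r"\[([^\]:]+): (?:\d+ results )?(-?\d+),([^\],]+)\]")

def smtp_ptr_by_spool(smtp_log):
    """Map delivery id (last 8 digits of spool name) -> (ip, PTR name)."""
    ptr, out = {}, {}
    for line in smtp_log.splitlines():
        if m := PTR_RE.search(line):
            ptr[m.group(1, 2)] = m.group(3)      # keyed by (ip, session id)
        elif (m := SPOOL_RE.search(line)) and m.group(1, 2) in ptr:
            out[m.group(3)[-8:]] = (m.group(1), ptr[m.group(1, 2)])
    return out

def spam_checks(delivery_log):
    """Map delivery id -> {check name: (weight, status)}."""
    out = {}
    for line in delivery_log.splitlines():
        if m := RESULT_RE.search(line):
            out[m.group(1)] = {n.strip(): (int(w), s)
                               for n, w, s in CHECK_RE.findall(m.group(2))}
    return out

def rdns_mismatches(smtp_log, delivery_log):
    """Messages whose PTR resolved during SMTP but failed the spool rDNS check."""
    ptr, hits = smtp_ptr_by_spool(smtp_log), []
    for msg_id, checks in spam_checks(delivery_log).items():
        weight, status = checks.get("REVERSE DNS LOOKUP", (0, ""))
        if status == "ReverseFailed" and msg_id in ptr:
            total = sum(w for w, _ in checks.values())  # sum of listed check weights
            hits.append((msg_id, *ptr[msg_id], weight, total))
    return hits

for hit in rdns_mismatches(SMTP_LOG, DELIVERY_LOG):
    print("SMTP PTR ok, spool rDNS failed: id=%s ip=%s ptr=%s rdns=%d total=%d" % hit)
```

Each reported message gives a timestamped candidate to look up in the Windows DNS debug log.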
0
Arthur Grandovskis Replied
I have a powerful physical server with a virtual machine on which I have SmarterMail running with plenty of resources. My server is hardly being used for anything. I have very little traffic in terms of emails, on average 100 sent/received emails a day. I actively blacklist IP addresses that constantly keep trying to break in.
I ran a domain health tool: https://mxtoolbox.com/domain/
It came back saying that my server is slow at replying, over 8ms. I had a closer look at incoming spam settings and both RBL: SORBS-NOSPAM and RBL: SPAMRATS are taking very long to process: 1643ms and 1087ms respectively.
Disabled both, reply is now under 1ms.
1
Reto Replied
This thread just gave me reason to have a look at my RBL response times, and I found one that was slow. It would be cool if there were an event that could be configured so we get a notification when an RBL takes longer than x.
