Exchange 2007 Internal E-mail Works Fine But...
We are setting up Exchange 2007 Standard on Server 03 R2 x64 and we are running into problems. We set up Exchange and had our old web host point to our server's IP and DNS, enabled port forwarding in the router, etc. I think our problem is lying within our DNS reverse lookups, because we can send e-mail to e-mail on the LAN just fine, but if I try to send it to my Hotmail account, for example, it says it sends just fine but I never receive the e-mail in my Hotmail account. Then I try to send from my Hotmail account and I get the message undeliverable. This is what it says from my Yahoo account:

Connected to 76.xxx.xx.xxx but sender was rejected.
Remote host said: 530 5.7.1 Client was not authenticated

Of course the xxx are not in there, but I guess my question is: does anyone have an example of the exact forward and reverse lookups we need for the mail server? I have put in our URL at www.dnsstuff.com and I am getting 2 failures and some warnings which are pointing me to the MX record and it cannot connect to mail servers. Any help would be greatly appreciated because we are on a time restraint. Also, exactly what ports need to be forwarded for Exchange 2007 for it to work properly? Another thing that it might be is the Microsoft Exchange Transport Service... Any ideas? Thank You

Category / Status / Test Name / Information

Parent
PASS  Missing Direct Parent check
      OK. Your direct parent zone exists, which is good. Some domains (usually third or fourth level domains, such as example.co.us) do not have a direct parent zone ('co.us' in this example), which is legal but can cause confusion.
INFO  NS records at parent servers
      Your NS records at the parent servers are:
      ns49.worldnic.com. [205.178.190.25] [TTL=172800] [CA]
      ns50.worldnic.com. [205.178.189.25] [TTL=172800] [CA]
      [These were obtained from b.gtld-servers.net]
PASS  Parent nameservers have your nameservers listed
      OK. When someone uses DNS to look up your domain, the first step (if it doesn't already know about your domain) is to go to the parent servers. If you aren't listed there, you can't be found. But you are listed there.
PASS  Glue at parent nameservers
      OK. The parent servers have glue for your nameservers. That means they send out the IP address of your nameservers, as well as their host names.
PASS  DNS servers have A records
      OK. All your DNS servers either have A records at the zone parent servers, or do not need them (if the DNS servers are on other TLDs). A records are required for your hostnames to ensure that other DNS servers can reach your DNS servers. Note that there will be problems if your DNS servers do not have these same A records.

NS
INFO  NS records at your nameservers
      Your NS records at your nameservers are:
      NS49.WORLDNIC.com.
      NS50.WORLDNIC.com.
PASS  Open DNS servers
      OK. Your DNS servers do not announce that they are open DNS servers. Although there is a slight chance that they really are open DNS servers, this is very unlikely. Open DNS servers increase the chances of cache poisoning, can degrade performance of your DNS, and can cause your DNS servers to be used in an attack (so it is good that your DNS servers do not appear to be open DNS servers).
PASS  Mismatched glue
      OK. The DNS report did not detect any discrepancies between the glue provided by the parent servers and that provided by your authoritative DNS servers.
PASS  No NS A records at nameservers
      OK. Your nameservers do include corresponding A records when asked for your NS records. This ensures that your DNS servers know the A records corresponding to all your NS records.
PASS  All nameservers report identical NS records
      OK. The NS records at all your nameservers are identical.
PASS  All nameservers respond
      OK. All of your nameservers listed at the parent nameservers responded.
PASS  Nameserver name validity
      OK. All of the NS records that your nameservers report seem valid (no IPs or partial domain names).
PASS  Number of nameservers
      OK. You have 2 nameservers. You must have at least 2 nameservers (RFC2182 section 5 recommends at least 3 nameservers), and preferably no more than 7.
PASS  Lame nameservers
      OK. All the nameservers listed at the parent servers answer authoritatively for your domain.
PASS  Missing (stealth) nameservers
      OK. All 2 of your nameservers (as reported by your nameservers) are also listed at the parent servers.
PASS  Missing nameservers 2
      OK. All of the nameservers listed at the parent nameservers are also listed as NS records at your nameservers.
PASS  No CNAMEs for domain
      OK. There are no CNAMEs for hermhughes.com. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.
PASS  No NSs with CNAMEs
      OK. There are no CNAMEs for your NS records. RFC1912 2.4 and RFC2181 10.3 state that there should be no CNAMEs if an NS (or any other) record is present.
PASS  Nameservers on separate class C's
      OK. You have nameservers on different Class C (technically, /24) IP ranges. You must have nameservers at geographically and topologically dispersed locations. RFC2182 3.1 goes into more detail about secondary nameserver location.
PASS  All NS IPs public
      OK. All of your NS records appear to use public IPs. If there were any private IPs, they would not be reachable, causing DNS delays.
PASS  TCP Allowed
      OK. All your DNS servers allow TCP connections. Although rarely used, TCP connections are occasionally used instead of UDP connections. When firewalls block the TCP DNS connections, it can cause hard-to-diagnose problems.
WARN  Single Point of Failure
      WARNING: Although you have at least 2 NS records, they may both point to the same server (one of our two tests shows them being the same, the other does not), which would result in a single point of failure. You are required to have at least 2 nameservers per RFC 1035 section 2.2.
INFO  Nameservers versions
      [For security reasons, this test is limited to members]
PASS  Stealth NS record leakage
      Your DNS servers do not leak any stealth NS records (if any) in non-NS requests.

SOA
INFO  SOA record
      Your SOA record [TTL=7200] is:
      Primary nameserver: NS49.WORLDNIC.com.
      Hostmaster E-mail address: namehost.WORLDNIC.com.
      Serial #: 2007091800
      Refresh: 10800
      Retry: 3600
      Expire: 604800
      Default TTL: 7200
PASS  NS agreement on SOA serial #
      OK. All your nameservers agree that your SOA serial number is 2007091800. That means that all your nameservers are using the same data (unless you have different sets of data with the same serial number, which would be very bad)! Note that the DNSreport only checks the NS records listed at the parent servers (not any stealth servers).
PASS  SOA MNAME Check
      OK. Your SOA (Start of Authority) record states that your master (primary) name server is: NS49.WORLDNIC.com. That server is listed at the parent servers, which is correct.
PASS  SOA RNAME Check
      OK. Your SOA (Start of Authority) record states that your DNS contact E-mail address is: namehost@WORLDNIC.com. (techie note: we have changed the initial '.' to an '@' for display purposes).
PASS  SOA Serial Number
      OK. Your SOA serial number is: 2007091800. This appears to be in the recommended format of YYYYMMDDnn, where 'nn' is the revision. So this indicates that your DNS was last updated on 18 Sep 2007 (and was revision #0). This number must be incremented every time you make a DNS change.
PASS  SOA REFRESH value
      OK. Your SOA REFRESH interval is: 10800 seconds. This seems normal (about 3600-7200 seconds is good if not using DNS NOTIFY; RFC1912 2.2 recommends a value between 1200 to 43200 seconds (20 minutes to 12 hours)). This value determines how often secondary/slave nameservers check with the master for updates.
PASS  SOA RETRY value
      OK. Your SOA RETRY interval is: 3600 seconds. This seems normal (about 120-7200 seconds is good). The retry value is the amount of time your secondary/slave nameservers will wait to contact the master nameserver again if the last attempt failed.
PASS  SOA EXPIRE value
      OK. Your SOA EXPIRE time: 604800 seconds. This seems normal (about 1209600 to 2419200 seconds (2-4 weeks) is good). RFC1912 suggests 2-4 weeks. This is how long a secondary/slave nameserver will wait before considering its DNS data stale if it can't reach the primary nameserver.
PASS  SOA MINIMUM TTL value
      OK. Your SOA MINIMUM TTL is: 7200 seconds. This seems normal (about 3,600 to 86400 seconds or 1-24 hours is good). RFC2308 suggests a value of 1-3 hours. This value used to determine the default (technically, minimum) TTL (time-to-live) for DNS entries, but now is used for negative caching.

MX
INFO  MX Record
      Your 1 MX record is:
      10 MAIL.xxx.com. [TTL=7200] IP=76.164.xxx.xxx [TTL=7200] [US]
PASS  Low port test
      OK. Our local DNS server that uses a low port number can get your MX record. Some DNS servers are behind firewalls that block low port numbers. This does not guarantee that your DNS server does not block low ports (this specific lookup must be cached), but is a good indication that it does not.
PASS  Invalid characters
      OK. All of your MX records appear to use valid hostnames, without any invalid characters.
PASS  All MX IPs public
      OK. All of your MX records appear to use public IPs. If there were any private IPs, they would not be reachable, causing slight mail delays, extra resource usage, and possibly bounced mail.
PASS  MX records are not CNAMEs
      OK. Looking up your MX record did not just return a CNAME. If an MX record query returns a CNAME, extra processing is required, and some mail servers may not be able to handle it.
PASS  MX A lookups have no CNAMEs
      OK. There appear to be no CNAMEs returned for A records lookups from your MX records (CNAMEs are prohibited in MX records, according to RFC974, RFC1034 3.6.2, RFC1912 2.4, and RFC2181 10.3).
PASS  MX is host name, not IP
      OK. All of your MX records are host names (as opposed to IP addresses, which are not allowed in MX records).
INFO  Multiple MX records
      NOTE: You only have 1 MX record. If your primary mail server is down or unreachable, there is a chance that mail may have troubles reaching you. In the past, mailservers would usually re-try E-mail for up to 48 hours. But many now only re-try for a couple of hours. If your primary mailserver is very reliable (or can be fixed quickly if it goes down), having just one mailserver may be acceptable.
PASS  Differing MX-A records
      OK. I did not detect differing IPs for your MX records (this would happen if your DNS servers return different IPs than the DNS servers that are authoritative for the hostname in your MX records).
PASS  Duplicate MX records
      OK. You do not have any duplicate MX records (pointing to the same IP). Although technically valid, duplicate MX records can cause a lot of confusion, and waste resources.
FAIL  Reverse DNS entries for MX records
      ERROR: The IP of one or more of your mail server(s) have no reverse DNS (PTR) entries (if you see "Timeout" below, it may mean that your DNS servers did not respond fast enough). RFC1912 2.1 says you should have a reverse DNS for all your mail servers. It is strongly urged that you have them, as many mailservers will not accept mail from mailservers with no reverse DNS entry. You can double-check using the 'Reverse DNS Lookup' tool at the DNSstuff site if you recently changed your reverse DNS entry (it contacts your servers in real time; the reverse DNS lookups in the DNS report use our local caching DNS server). The problem MX records are:
      xxx.xxx.xxx.76.in-addr.arpa [No reverse DNS entry (rcode: 3 ancount: 0) (check it)]

Mail
FAIL  Connect to mail servers
      ERROR: I could not complete a connection to any of your mailservers!
      MAIL.hermhughes.com: The mailserver terminated the connection before the transaction was complete (state 4). This is not RFC compliant, and therefore either due to an error, or it may be the result of a non-RFC-compliant mailserver or non-RFC-compliant anti-spam program.
      If this is a timeout problem, note that the DNSreport only waits about 40 seconds for responses, so your mail *may* work fine in this case but you will need to use testing tools specifically designed for such situations to be certain.

WWW
INFO  WWW Record
      Your www.xxx.com A record is:
      www.xxx.com. A 76.164.xxx.xxx [TTL=7200] [US]
PASS  All WWW IPs public
      OK. All of your WWW IPs appear to be public IPs. If there were any private IPs, they would not be reachable, causing problems reaching your web site.
PASS  CNAME Lookup
      OK. Some domains have a CNAME record for their WWW server that requires an extra DNS lookup, which slightly delays the initial access to the website and uses extra bandwidth. There are no CNAMEs for www.hermhughes.com, which is good.
INFO  Domain A Lookup
      Your xxx.com A record is:
      xxx.com. A 76.164.xxx.xxx [TTL=7200]
September 18th, 2007 11:11pm

Hi Jake,

If you have no reverse DNS then you will experience issues whenever a mail server tries to validate your mail server by performing a reverse DNS lookup. Normally you can talk to the Internet ISP that provides you the static IP and ask them to create a reverse DNS entry for you. You will need to tell them the FQDN host name of your mail server, which would be something like mail.domainname.com.

You can then also go into the Exchange Management Console, Organisation, Hub Transport, Send Connector and set your mail server hostname in there. When the Exchange 2007 server then sends email to another mail server on the Internet it will say that it is the server mail.domainname.com. The other mail server will then take the IP address that it is communicating with (the only thing it knows for sure) and perform a reverse DNS lookup with whoever controls the IP address. If the hostname returned by the query matches the one that the mail server is saying that it is, the mail is let through.

Hope that helps,

Cheers, Rhys
September 19th, 2007 8:07am

Well, thank you, that definitely helped out a lot. Now our problem is lying in our old web hosting: they have the name server as the wrong one, so that is definitely one of the reasons it is not working. It is changed on their site, but they said it could take up to 72 hours for it to change over the Internet. What a bummer. Everything looks good: internal is working, our MX records are correct, we called our ISP and set the reverse up, and now it's just a waiting game. Thanks for the help, Jake
September 20th, 2007 12:40am

We still have problems =( Our NS records are changed and correct now, but when I do a DNS lookup it says it times out and that it can't see our MX records or Host A records! I looked at the ports open in the firewall; it seems all these are opened. This has become very frustrating! We still can receive e-mail locally but not through the Internet. We added the website as an accepted domain in Exchange Management Console. Been searching forever on how to get this resolved. What ports exactly does the Exchange server use for mail? SMTP, POP3, and anything else? Our problem could be within our firewall stopping traffic, or our DNS entries for our reverse and forward lookups. Double checking everything, it looked fine. PLEASE HELP! Thanks, Jake
October 26th, 2007 9:06pm

Hi Jake,

If you are getting time outs on your DNS lookup then the DNS server will be at fault. Does the DNSstuff.com report show you this? The email server will only require that port 25 is open through the firewall to the Exchange server. The DNS lookups are performed using port 53, but this is normally hosted by an external DNS provider and the firewall is not involved. You can tell if your Exchange server is configured to accept mail from the Internet by using a host on the Internet and connecting to the external FQDN of the mail server using 'Telnet Exchangeserver.domain.com 25'.

Cheers, Rhys
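The two checks Rhys describes in his replies above (that the PTR record for the mail server's public IP agrees with its forward name, and that TCP port 25 answers from the outside) can be run together from a PowerShell prompt. This is an added example, not code from the thread or from Microsoft; it uses only the .NET System.Net classes, and the hostname mail.example.com is a placeholder for your own MX host. Run it from a machine outside your LAN, because a test from inside never crosses the router's port forward.

```powershell
# Added example (not from the thread). Checks forward/reverse DNS agreement for a
# mail host and reads the SMTP banner on port 25. 'mail.example.com' is a placeholder.
param([string]$MailHost = 'mail.example.com')

function Test-MailHostDns {
    param([Parameter(Mandatory)][string]$HostName)
    $result = [ordered]@{ Host = $HostName; Addresses = @(); Ptr = @{}; ForwardConfirmed = $false }
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($HostName) |
                 Where-Object { $_.AddressFamily -eq 'InterNetwork' }   # IPv4 A records only
    } catch {
        Write-Warning "Forward (A) lookup for $HostName failed: $($_.Exception.Message)"
        return [pscustomobject]$result
    }
    $result.Addresses = @($addrs | ForEach-Object { $_.IPAddressToString })
    foreach ($ip in $result.Addresses) {
        try {
            # GetHostEntry on an IP string performs the PTR (in-addr.arpa) lookup.
            $ptr = [System.Net.Dns]::GetHostEntry($ip).HostName
        } catch {
            $ptr = $null   # rcode 3 / no PTR: exactly the FAIL DNSstuff reported
        }
        $result.Ptr[$ip] = $ptr
        # Forward-confirmed reverse DNS: the PTR name must resolve back to the same IP.
        if ($ptr -and ($ptr -ieq $HostName)) {
            $result.ForwardConfirmed = $true
        } elseif ($ptr) {
            $back = [System.Net.Dns]::GetHostAddresses($ptr) | ForEach-Object { $_.IPAddressToString }
            if ($back -contains $ip) { $result.ForwardConfirmed = $true }
        }
    }
    [pscustomobject]$result
}

function Get-SmtpBanner {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 25, [int]$TimeoutMs = 10000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $iar = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $iar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            return "TIMEOUT: no TCP connection to ${HostName}:$Port (firewall or port forward?)"
        }
        $client.EndConnect($iar)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $reader = New-Object System.IO.StreamReader($stream)
        $banner = $reader.ReadLine()   # a healthy Exchange host answers "220 <fqdn> Microsoft ESMTP ..."
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.AutoFlush = $true
        $writer.WriteLine('QUIT')      # be polite: end the session cleanly
        return $banner
    } catch {
        return "ERROR: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
}

$dns = Test-MailHostDns -HostName $MailHost
$dns | Format-List
if (-not $dns.ForwardConfirmed) {
    Write-Warning "No PTR matching $MailHost; ask the ISP that owns the IP block to add one."
}
"Banner on port 25: " + (Get-SmtpBanner -HostName $MailHost)
```

The hostname in the 220 banner is what the receive connector advertises; compare it with the name you gave the ISP for the PTR record, since receiving servers that check reverse DNS expect all three (A, PTR, banner) to agree.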
November 12th, 2007 1:39pm

Hi! I've recently installed a test environment with Exchange 2010 SP1 and it's already sending mail to Internet addresses. I can telnet my IP address on port 25, it's a static IP address, and DNS is configured OK for the MX server. When I send email to my new domain, I receive this message: #< #5.7.1 SMTP; 530 5.7.1 Client was not authenticated> #SMTP# I already checked the mailbox properties | Mail Flow Settings | Message Delivery Restrictions | Properties | Require That All Senders Are Authenticated and it's unchecked. Can someone help me? Thank you in advance.

Fabio Martins MCDST/MCSA
January 12th, 2011 4:41pm

You need to create a reverse DNS entry/record with your ISP.
January 12th, 2011 5:13pm

Hi! In my problem, reverse DNS wasn't the problem. I asked my ISP to register my reverse DNS and it didn't solve my problem. So I continued to study and found an option on the receive connector that I could check, and it worked: "Specify who is allowed to connect to this Receive Connector --> Anonymous users". Thank you!

Fabio Martins MCDST/MCSA
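The console setting Fabio found corresponds to the AnonymousUsers permission group on the receive connector. The Exchange Management Shell commands below are an added example, not from the thread or from Microsoft, showing how to inspect the connector, grant that group, and then confirm that granting it did not also turn the server into an open relay. The connector name MAILSERVER\Default MAILSERVER is a placeholder for your own Internet-facing connector.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
# 'MAILSERVER\Default MAILSERVER' is a placeholder for the receive connector bound
# to port 25 with RemoteIPRanges 0.0.0.0-255.255.255.255 (the one the Internet hits).
$connector = 'MAILSERVER\Default MAILSERVER'

# 1. Inspect the connector. Internet mail servers never authenticate, so if
#    PermissionGroups lacks AnonymousUsers they are refused with
#    "530 5.7.1 Client was not authenticated".
Get-ReceiveConnector -Identity $connector |
    Format-List Identity, Bindings, RemoteIPRanges, PermissionGroups, AuthMechanism

# 2. Grant anonymous submission. -PermissionGroups replaces the whole list, so the
#    groups the connector already had (from step 1) are listed again here.
Set-ReceiveConnector -Identity $connector `
    -PermissionGroups 'AnonymousUsers,ExchangeUsers,ExchangeServers,ExchangeLegacyServers'

# 3. Defensive check: AnonymousUsers only lets outsiders deliver TO your accepted
#    domains. Relaying to arbitrary recipients needs the extended right
#    ms-Exch-SMTP-Accept-Any-Recipient, which must NOT be granted to ANONYMOUS LOGON.
$relay = Get-ADPermission -Identity $connector -User 'NT AUTHORITY\ANONYMOUS LOGON' |
    Where-Object { ($_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient') -and -not $_.Deny }
if ($relay) {
    Write-Warning "$connector grants anonymous relay; remove that right unless it is intended."
} else {
    "OK: $connector accepts anonymous inbound mail but does not relay for it."
}
```

Step 3 is worth re-running after any connector change: an Internet-facing connector that accepts anonymous mail for your own domains is normal, one that relays anonymously for any recipient will be abused for spam within hours and get the IP blacklisted.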
January 15th, 2011 2:35pm
