Dec 07 2009
General, Networking, Security, Server Administration, Technology
A lot of you have web servers that double as mail servers to relay out mail from your ColdFusion applications. Even if you have a separate server that handles your mail relay, this post should still be helpful. The more spam proliferates on the Internet, the more antsy ISPs get about blocking mail, and there is a litany of reasons an ISP might reject mail from your server. GoDaddy has been one of the most annoying companies to deal with. There were two things I had to fix on my mail server before they would accept mail from it: reverse DNS and the HELO host name.

I find both of these items a little annoying. Yes, the SMTP RFC requires the HELO name to be your server's fully qualified domain name, and a matching reverse DNS entry for every address that sends mail has long been expected, but neither tells the receiver whether the owner of a server is legit or whether the mail coming out of it is spam. All they tell you is that the server admin took the time to configure the server properly. There is absolutely nothing preventing a scum-of-the-earth spammer from setting both up on his server so that his mail is accepted. What the checks do weed out is the large volume of junk sent from hosts nobody ever bothered to configure, which is why receivers keep applying them.
Reverse DNS

You are certainly aware of how forward DNS works. It is what turns your domain name into the IP address of your server. As the owner of your domain, you are responsible for configuring the name servers for your domain, which are the authoritative source for your domain's DNS. A domain name is associated with an IPv4 address via a DNS "A" record (an "AAAA" record for IPv6). Forward DNS is seen in action from a command prompt like so:
[code]
C:\>ping bradwood.com

Pinging bradwood.com [69.60.116.244] with 32 bytes of data:
[/code]

Reverse DNS is the opposite. It is what turns an IP address back into a domain name. It should resolve to a domain name that in turn resolves back to the IP address you started with (receivers call this forward-confirmed reverse DNS). To see reverse DNS in action we can use the ping command again with the "-a" option:
[code]
C:\>ping -a 69.60.116.244

Pinging bradwood.com [69.60.116.244] with 32 bytes of data:
[/code]

Reverse DNS is set up by the entity that controls the IP address. This is generally your hosting company or their bandwidth provider. All IP addresses are managed by five regional Internet registries: ARIN (North America), RIPE NCC (Europe), APNIC, LACNIC and AFRINIC. An ISP is allocated a block of IP addresses by the appropriate registry for its region. It then assigns them out to its customers and, optionally, records that reassignment in whois and delegates the matching reverse zone to the customer. Whoever controls the reverse zone for the IP address sets up a PTR record in their DNS under the special zone "in-addr.arpa" ("ip6.arpa" for IPv6), with the octets of the address written in reverse order. The easiest way to demonstrate who owns my IP address is to ask ARIN directly:
[code]
Infolink INFOLINK-BLK-101 (NET-69-60-96-0-1) 126.96.36.199 - 188.8.131.52
Serverpronto INMM-69-60-114-0 (NET-69-60-114-0-1) 184.108.40.206 - 220.127.116.11
[/code]

Seeing the PTR record Server Pronto set up for me in action looks like this:
[code]
C:\>nslookup -type="PTR" 244.116.60.69.in-addr.arpa

Non-authoritative answer:
244.116.60.69.in-addr.arpa      name = bradwood.com
[/code]

(A plain "nslookup 69.60.116.244" builds the in-addr.arpa name for you and does the same lookup.) So, in short, you don't have to get hung up on the details (even though I find them incredibly intriguing). When you do a "ping -a xxx.xxx.xxx.xxx" on the IP address that sends your mail, the domain name that is output should resolve back to the IP address you started with when you do a "ping your-reverse-DNS-domain.com" command. A PTR that is missing, or that points to a name which does not resolve back to the address, is what gets the mail rejected. Many receivers also distrust the generic names providers assign to whole ranges (something like 69-60-116-244.provider.example), so ask your host for a PTR that names your actual mail host.
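The reverse-DNS procedure above (build the in-addr.arpa name from the reversed octets, look up the PTR, then confirm the name resolves back to the address you started with) as a script. This is an added example, not code from the post: fcrdns, reverse_name and the SAMPLE_* tables are my own names, and the sample records are constructed so the check runs offline; live_ptr and live_addrs wrap the system resolver for use against real addresses.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check.

Hypothetical helper, not from the post: resolves an IP to its PTR name, then
checks that the name resolves back to the same IP. The lookup functions are
injectable so the check runs offline against constructed sample records.
"""
import ipaddress
import socket

# Constructed sample records (not live DNS). The first entry mirrors the post's
# own host; the others use RFC 5737 documentation addresses.
SAMPLE_PTR = {
    "69.60.116.244": "bradwood.com",    # good: PTR and A record agree
    "192.0.2.10": "mail.example.net",   # bad: PTR names a host that resolves elsewhere
    # 192.0.2.20 deliberately has no PTR record at all
}
SAMPLE_ADDRS = {
    "bradwood.com": ["69.60.116.244"],
    "mail.example.net": ["203.0.113.5"],
}


def reverse_name(ip):
    """Owner name the PTR lives under: octets reversed under in-addr.arpa,
    or nibbles reversed under ip6.arpa for IPv6."""
    return ipaddress.ip_address(ip).reverse_pointer


def sample_ptr(ip):
    return SAMPLE_PTR.get(ip)


def sample_addrs(name):
    return SAMPLE_ADDRS.get(name, [])


def live_ptr(ip):
    """PTR lookup through the system resolver; None when there is no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def live_addrs(name):
    """Every IPv4/IPv6 address the name resolves to."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def fcrdns(ip, ptr_lookup=sample_ptr, addr_lookup=sample_addrs):
    """Return (ok, ptr_name, reason) for the forward-confirmed check."""
    ip = str(ipaddress.ip_address(ip))   # normalises and rejects junk input
    name = ptr_lookup(ip)
    if not name:
        return False, None, "no PTR record at " + reverse_name(ip)
    name = name.rstrip(".").lower()
    addrs = []
    for a in addr_lookup(name):
        try:                              # drop scope ids / unparseable answers
            addrs.append(str(ipaddress.ip_address(a.split("%")[0])))
        except ValueError:
            pass
    if ip not in addrs:
        return False, name, f"PTR says {name}, but {name} resolves to {addrs or 'nothing'}, not {ip}"
    return True, name, "forward-confirmed"


if __name__ == "__main__":
    import sys
    # Live mode, e.g.: python fcrdns.py 69.60.116.244
    for arg in sys.argv[1:]:
        print(arg, fcrdns(arg, live_ptr, live_addrs))
```

Run it with your mail server's address to get the same answer a picky receiver computes before it even reads your HELO; the reason string tells you which half (missing PTR, or a PTR whose name points elsewhere) to take up with your hosting company.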
HELO Host Name

The second item that needs to be configured on your server is the host name your SMTP server identifies itself with. The host name needs to be a fully qualified domain name which resolves back to the IP address of your server. It is the name your server announces in its greeting banner and, more importantly for outbound mail, the name it sends in its own HELO/EHLO command when it connects to a relay such as GoDaddy's; that is the name the receiving side checks. One way to check it is to simply connect to your mail relay and ask it. In the example below I typed in the "HELO foo" text and hit enter after my server's banner displayed.
[code]
C:\>telnet 69.60.116.244 25

220 bradwood.com ESMTP Exim 4.67 Mon, 07 Dec 2009 23:37:04 -0600
HELO foo
250 bradwood.com Hello foo [69.60.116.244]
[/code]

As you can see, bradwood.com is my server's host name, which gets output in the welcome banner as well as in the response to my HELO command (the address in brackets is the one Exim saw the connection come from). SMTP is apparently a very polite protocol. :) Most SMTP servers allow you to customize the host name they supply without actually changing the computer name; in Exim it is the primary_hostname option in the main configuration. And in case you're wondering, yes, it is technically a bad thing from a server hardening perspective that I am using the default connection banner that announces the fact that I'm using Exim 4.67. Exim's smtp_banner option lets you replace it with a banner that gives away only the host name.
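The same banner-and-HELO conversation as a small client that records what the relay announces and checks the two things this post says a receiver wants (an FQDN that matches the PTR name) plus the banner-disclosure caveat. This is an added example, not code from the post or from Exim: smtp_identity, assess, probe and demo are my names, and the server's lines in SAMPLE_SERVER are constructed to mirror the telnet session above so that the client runs offline; probe() does the same exchange over a real socket.

```python
"""Read an SMTP relay's banner and HELO reply and check what it announces.

Added example, not from the post. The server's side of the conversation is
constructed to mirror the post's telnet session so it runs offline; probe()
does the same exchange against a real relay.
"""
import io
import re
import socket

REPLY_RE = re.compile(r"^(?P<code>\d{3})(?P<sep>[ -])(?P<text>.*)$")
# Default banner strings of common MTAs; a hit means the banner discloses the
# software, the hardening point the post makes about "Exim 4.67".
SOFTWARE_RE = re.compile(r"\b(Exim|Postfix|Sendmail|qmail|Microsoft ESMTP)\b", re.I)
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed server lines: the post's banner and HELO reply, plus a QUIT reply.
SAMPLE_SERVER = (
    b"220 bradwood.com ESMTP Exim 4.67 Mon, 07 Dec 2009 23:37:04 -0600\r\n"
    b"250 bradwood.com Hello foo [69.60.116.244]\r\n"
    b"221 bradwood.com closing connection\r\n"
)


def read_reply(rfile):
    """Read one SMTP reply, following 'NNN-' continuation lines (RFC 5321 4.2.1)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        m = REPLY_RE.match(raw.decode("ascii", "replace").rstrip("\r\n"))
        if not m:
            raise ValueError("malformed reply: %r" % raw)
        lines.append(m.group("text"))
        if m.group("sep") == " ":          # a space after the code ends the reply
            return int(m.group("code")), lines


def reply_from_bytes(data):
    return read_reply(io.BytesIO(data))


def first_word(text):
    return (text.split() or [""])[0]


def smtp_identity(rfile, wfile, helo_name="foo"):
    """Banner -> HELO -> QUIT; return the host name the server announced."""
    code, banner = read_reply(rfile)
    if code != 220:
        raise RuntimeError("unexpected greeting %d: %s" % (code, banner))
    wfile.write(("HELO %s\r\n" % helo_name).encode("ascii"))
    wfile.flush()
    code, helo = read_reply(rfile)
    wfile.write(b"QUIT\r\n")
    wfile.flush()
    read_reply(rfile)                      # the 221, not needed further
    return {
        "banner": banner[0],
        "banner_host": first_word(banner[0]),
        "helo_code": code,
        "helo_host": first_word(helo[0]) if code == 250 else None,
    }


def is_fqdn(name):
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def assess(identity, ptr_name):
    """FQDN? Same name as the PTR record? Does the banner leak the MTA version?"""
    host = identity["banner_host"]
    return {
        "fqdn": is_fqdn(host),
        "matches_ptr": host.rstrip(".").lower() == ptr_name.rstrip(".").lower(),
        "software_disclosed": SOFTWARE_RE.search(identity["banner"]) is not None,
    }


def probe(host, port=25, helo_name="foo", timeout=10.0):
    """Live version: run the exchange against a real relay."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        with s.makefile("rb") as rfile, s.makefile("wb") as wfile:
            return smtp_identity(rfile, wfile, helo_name)


def demo():
    """Drive the client with the constructed session; return what it learned
    and the exact bytes it sent."""
    rfile, wfile = io.BytesIO(SAMPLE_SERVER), io.BytesIO()
    identity = smtp_identity(rfile, wfile)
    return identity, assess(identity, "bradwood.com"), wfile.getvalue()
```

Against the session above the findings come back fqdn and matches_ptr true and software_disclosed true, which is exactly the post's situation: accepted by the picky relay, but still advertising the MTA version to anyone who connects. Feed probe() the PTR name from the reverse-DNS check to tie the two halves together.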