Mail Server Help
 
#1 indigokid, December 9th, 2004, 11:46 PM
Send/receive email problem to comcast.net users.

Hi All...

First time posting in one of these so be kind...

I've been running a Windows 2003 / Exchange 2003 server for a while now with the domain name, sjovan.com. And for a long time it's been running without problem.

At some point, however (within a month or so), I lost the ability to send/receive email to/from comcast.net users (ie user@comcast.net).

I've used dnsreport.com to help generate clues about possible problems with DNS etc... Tried many things (including adding an SPF record) without success.

Here is the return message I get:
Your message did not reach some or all of the intended recipients.

Subject: RE: ERROR MESSAGE
Sent: 12/7/2004 2:27 PM

The following recipient(s) could not be reached:

user@comcast.net on 12/9/2004 2:40 PM
The e-mail system was unable to deliver the message, but did not report a specific reason. Check the address and try again. If it still fails, contact your system administrator.
<sjovan.com #4.0.0 smtp;450 [TEMPFAIL] comcast.net requires valid sender domain>


And this is returned to the comcast user when trying to email sjovan.com:
From: postmaster@comcast.net (Webmail Postmaster)
To: user@comcast.net
Subject: Returned mail: User unknown
Date: Fri, 19 Nov 2004 02:21:53 +0000

The following addresses had fatal errors:
user_at_sjovan.com: 450 [TEMPFAIL] destination not valid within DNS

And here is a telnet session with one of comcast's mail servers:
> telnet gateway-r.comcast.net
220 rwcrmxc17.comcast.net - Maillennium ESMTP/MULTIBOX rwcrmxc17 #477

ehlo sjovan.com
250-rwcrmxc17.comcast.net
250-7BIT
250-8BITMIME
250-DSN
250-EXPN
250-HELP
250-NOOP
250-PIPELINING
250-SIZE 10485760
250-VERS V04.80c++
250 XMUP 2

mail from: <user_at_sjovan.com>
250 ok

rcpt to: <user@comcast.net>
450 [TEMPFAIL] comcast.net requires valid sender domain


I'm guessing that comcast is doing something to check that sjovan.com is a valid domain, but I don't know how to pass their test...

I'm really at my wits' end here ...
If anyone has any idea what I can do to get comcast to like me again (Man! that's pathetic... haha!), please let me know.

Thanx for any help I can get...

#2 betaaus, December 10th, 2004, 03:17 AM
Probably not of any help, but that is usually because of a failed Reverse DNS test I believe.

I just checked your reverse DNS, and it seems fine, so it's odd that it's failing.

Mike

#3 dba_frog, December 10th, 2004, 07:44 AM
My gut sez that you processed enough mail thru Comcast to get noticed and got banned...but I could be wrong.

Did you set the MX record to pipe all your mail thru your COMCAST acct?
If so you probably are getting a DOMAIN not found because they aren't letting you use them to process your mail anymore.

Try this...
Goto noip.com
Get a free acct
Set up a domain, ie whatever.servebeer.com
set the MX record to your domain
Check your DNS entry and update IT to your noip acct

NOW, send a test mail.

IF IT WORKS...then you know that Comcast is the culprit.

OR, just check your DNS settings.
__________________
Curious by Nature,
Linux by Choice

Last edited by dba_frog : December 10th, 2004 at 07:48 AM.

#4 indigokid, December 10th, 2004, 08:49 AM
Quote:
Originally Posted by dba_frog
My gut sez that you processed enough mail thru Comcast to get noticed and got banned...but I could be wrong.

Did you set the MX record to pipe all your mail thru your COMCAST acct?
If so you probably are getting a DOMAIN not found because they aren't letting you use them to process your mail anymore.


I probably should have mentioned this in the original post...
I have a static IP address (216.99.216.97) and my domain is registered at godaddy. My ISP is aracnet.com and they've been very helpful (ie, they set up my PTR record). So I don't think I'm doing anything "under the table" here.

I don't have comcast, I have a DSL account (Verizon DSL).
Right now the server is behind a D-Link router/firewall and configured as the DMZ. I've taken the router out of the picture already as a test, without any luck.

So far I haven't seen any evidence that there is any problem with the DNS setup, although if anyone can show me otherwise, that's why I'm here, and I'm all ears

I've spent many hours surfing the internet for information on DNS, including looking through the appropriate RFCs and even writing a quick dns check program to test the DNS server on different ports (other than 53).

And as I wrote in my original post, I've used dnsreport.com (as well as others) to check out my configuration. As far as I can tell, I'm set up correctly.

dba_frog, did you see anything in my setup that led you to believe that DNS (MX specifically) was not resolving correctly?
dnsreport.com shows that its ok:
INFO MX Record Your 1 MX record is:
10 sjovan.com. [TTL=3600] IP=216.99.216.97 [TTL=3600] [US]

Also dba_frog, I'm curious about your comment that I may have been banned. From the telnet session I posted originally, you can see that I'm able to make connection and initiate the email exchange, but then the comcast mail server declares sjovan.com an invalid domain after sending the "rcpt to:" command.

Please let me know if I'm misunderstanding your comments.

Thanx,
Cary

#5 betaaus, December 11th, 2004, 01:59 AM
Have you tried contacting Comcast?

I've looked over your setup, and it seems near on perfect. I haven't even organised with my ISP to change their PTR record to my domain name instead of their original record (still shows up as the connection's name, not my domain), and I can connect to Comcast fine.

I don't think the problem is at your end, I think that you have been banned - it really depends on how they secure their mail server (Reverse DNS, SPF...)

You should definitely get in contact with them.

Mike

#6 indigokid, December 11th, 2004, 11:20 AM
Contacting Comcast

Quote:
Originally Posted by betaaus
Have you tried contacting Comcast?

I've looked over your setup, and it seems near on perfect. I haven't even organised with my ISP to change their PTR record to my domain name instead of their original record (still shows up as the connection's name, not my domain), and I can connect to Comcast fine.

I don't think the problem is at your end, I think that you have been banned - it really depends on how they secure their mail server (Reverse DNS, SPF...)

You should definitely get in contact with them.

Mike


Yes, I've sent them 4 emails and called them once... The phone call was a waste of time. Two of the emails I actually received replies to. Of the 2 replies one of them was completely irrelevant to my initial query. (I'm sure the receiver pulled the answer out of a troubleshooting tree without really understanding my question). And the other reply was on topic, but a pretty useless response:
Dear Cary,

I have checked the account and do not see any problems with it. The
error message indicates that your email address was rejected. It does
not recognize sjovan.com

If there is anything else we can assist you with, please contact us.
Thank you for choosing Comcast.


Haha.... Ok, I admit it, the above rant was only for my benefit. But the "vent" sure was nice!

From the gist of this thread I'm getting the idea that maybe Comcast is blocking my domain. I'll keep trying to contact them and resolve it that way.

But if there are any more suggestions in the mean time, I'll be monitoring this thread, so please don't hesitate to fire away.

Thanx for the responses so far...
Cary

#7 dba_frog, December 13th, 2004, 08:35 AM
OK, Let's back up a moment...I mis-read your problem.
Forget the prior post...You already have your server setup, YOUR error is in sending mail to @comcast.net recipients.

The good news...You aren't banned or known in Spamhaus.org, or Sorbs.net
Quote:
So far I haven't seen any evidence that there is any problem with the DNS setup, although if anyone can show me otherwise, that's why I'm here, and I'm all ears

But, I can't get a DNS return on your IP { 216.99.216.97 }
I get a reverse listing tho'.

Try www.dollardns.net, choose the DNS crawler on the left side of the page and input your IP to verify my findings.
It returns NO RECORD for a DNS entry. This may be why COMCAST is booting your emails...No Record entries usually denote a SPAMMER.

Are you running BIND? or using a service? ...

Last edited by dba_frog : December 13th, 2004 at 10:58 AM.

#8 indigokid, December 13th, 2004, 11:33 AM
Quote:
Originally Posted by dba_frog
Try www.dollardns.net, choose the DNS crawler on the left side of the page and input your IP to verify my findings.
It returns NO RECORD for a DNS entry. This may be why COMCAST is booting your emails...No Record entries usually denote a SPAMMER.

Are you running BIND? or using a service? ...


OK! This may be something new to me and was just the sort of thing I was hoping to find.

So now I just want to make sure I understand what you are saying...
I'm not aware of a "dns entry" record (or at least not by that name). I know I have NS, A, MX, SOA, SPF, etc set up on my physical server. And I had a PTR record set up on the ISP side.

So when I go to dollardns, I enter my IP address in the "Name:" field and leave the defaults in the other fields and I press the "Reverse IP" button. Like you say, I can see the PTR record that my ISP set up for me but I don't see anything else that relates to sjovan.com.

Now, if I enter my domain name in the "Name:" field (instead of the IP) and hit the "Send Query" button, the query gets out to my physical server and I can see all of the records that are stored there.

Are you saying that comcast wants to see all the records on my server (A, MX, SOA, NS, etc) by doing a lookup on my IP address?

By the way I'm running Exchange 2003 on Windows Server 2003 OS.

#9 dba_frog, December 13th, 2004, 01:07 PM
Quote:
Are you saying that comcast wants to see all the records on my server (A, MX, SOA, NS, etc) by doing a lookup on my IP address?

NO...
Go back to dollardns.net, input fedoradocs.com into the NAME field and press the send query button. THAT is a DNS record.
YOU should have the same look if you input SJOVAN.COM into the NAME field.

Your ISP was nice enough to set up a reverse DNS entry for you on their server, but you don't seem to have a regular DNS entry.

Resolution:: Run BIND on your system, create a DNS entry for your Domain. (see the DNS thread for tutorial)
**Note: it will take 24-72 hrs from the time you go live with your DNS entry in BIND for it to propagate across the 'Net.

Conjecture:: The reason that COMCAST is turfing your emails is because they started checking for an SPF record to help reduce spam. You were fine with the rev. DNS listing until that point.
GOOD NEWS:: once you set up BIND you should be GTG and not have any similar problems moving forward.

#10 betaaus, December 13th, 2004, 08:25 PM
dba_frog - I think he has done something to his nameservers. I had previously seen his domain at dnsreport.com and everything seemed fine. Now it's an absolute mess - which accounts for why the DNS Crawler isn't reporting the A record for his domain.

What did you do indigokid? Revert back to what you had originally!

Mike

#11 indigokid, December 14th, 2004, 01:28 AM
Quote:
Originally Posted by betaaus
dba_frog - I think he has done something to his nameservers. I had previously seen his domain at dnsreport.com and everything seemed fine. Now it's an absolute mess - which accounts for why the DNS Crawler isn't reporting the A record for his domain.

What did you do indigokid? Revert back to what you had originally!

Mike


Have no fear... That was just me doing work in progress.
I was in the process of setting up the ISC BIND service.

I hope that I'm correct in assuming the "ISC BIND" service should replace both the "DNS Server" and "DNS Client" services. I went ahead and disabled those two services and set the new one to Automatically startup. Once I'm confident this fixes my problem I'll probably just uninstall the DNS server feature altogether.

The transition was fairly straightforward and seems to be running stable now. Although, I am seeing random internet disconnects now and then (I'm hoping that this is coincidence).

So I'll start the clock running, cross my fingers and wait for the new DNS settings to propagate.

#12 indigokid, December 16th, 2004, 12:45 PM
Final resolution

My problem is resolved and I wanted to post the final response so that anyone else monitoring this thread might benefit.

After installing BIND (as dba_frog recommended) my problem still persisted.

But with a little reading I was able to configure the logging output (which I think is much better, and more configurable than Windows DNS Server) such that I could see that comcast.net is the only email server that is sending DNS queries on port 53. There may be others, I just haven't run into them. It turns out that my firewall had an internal DNS mode that was conflicting with all port 53 traffic coming from the internet.

So.... when a server makes DNS queries originating from a port other than 53, everything was good. That's why it took me a while to admit I had a DNS problem. But since comcast is the only server (that I noticed in my logs anyway) performing dns validation originating from port 53, that was why I was ok with all other email servers.

I'm sure that the Windows DNS Server would also work here, but now that it works, why mess with it.

Thank you dba_frog and betaaus for helping me get through this. As usual, my problem was caused by actions that were my own. But talking it through and trying new things is what led me to the solution.

-Indigo
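
Added example, not part of the thread and not indigokid's own logs or tooling: the check described in the final resolution, reading BIND query-log lines to see which resolvers send their queries from source port 53. The log lines are constructed in the BIND 9 query-log style with documentation-range addresses, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the BIND 9 query-log style
# ("client <ip>#<source port>: query: <name> <class> <type>").
# Addresses are documentation ranges, not the resolvers from the thread.
SAMPLE_LOG = """\
16-Dec-2004 10:01:12.101 queries: info: client 192.0.2.10#32771: query: sjovan.com IN MX
16-Dec-2004 10:01:12.350 queries: info: client 192.0.2.10#32772: query: sjovan.com IN A
16-Dec-2004 10:02:40.007 queries: info: client 198.51.100.7#53: query: sjovan.com IN MX
16-Dec-2004 10:02:45.009 queries: info: client 198.51.100.7#53: query: sjovan.com IN MX
16-Dec-2004 10:03:02.611 queries: info: client 203.0.113.25#1029: query: sjovan.com IN NS
16-Dec-2004 10:03:30.120 queries: info: client 2001:db8::53#53: query: sjovan.com IN A
"""

# The optional "@0x..." token and "(name)" suffix cover newer BIND releases.
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<ip>[0-9A-Fa-f:.]+)#(?P<port>\d+)"
    r".*?: query: (?P<name>\S+) (?P<cls>\S+) (?P<qtype>\S+)"
)

def summarize(log_text):
    """Per client IP: source ports seen and how often each question was asked."""
    ports = defaultdict(set)
    questions = defaultdict(Counter)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line
        ip = m.group("ip")
        ports[ip].add(int(m.group("port")))
        questions[ip][(m.group("name").lower(), m.group("qtype"))] += 1
    return {ip: {"ports": sorted(ports[ip]),
                 "queries": sum(questions[ip].values()),
                 "max_repeats": max(questions[ip].values())}
            for ip in ports}

def port_53_clients(log_text):
    """Clients whose every logged query came from source port 53."""
    return sorted(ip for ip, s in summarize(log_text).items()
                  if s["ports"] == [53])

if __name__ == "__main__":
    for ip, s in sorted(summarize(SAMPLE_LOG).items()):
        flag = "  <- source port 53" if s["ports"] == [53] else ""
        print(f"{ip:15} ports={s['ports']} queries={s['queries']} "
              f"max_repeats={s['max_repeats']}{flag}")
```

A client that keeps re-asking the same question from source port 53 is a hint that its answers are not getting back through the firewall.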

#13 dba_frog, December 16th, 2004, 02:24 PM
Quote:
As usual, my problem was caused by actions that were my own.
You're Welcome...
Admitting you have LINUX is the first Step...

Glad we could help. I'll file that Comcast Port 53 issue...Because THAT is a weird one...
