Tuesday, August 25, 2009

Remember your Reverse Lookup Zone Records when Changing ISPs

SkyHi @ Tuesday, August 25, 2009
I was reminded of this issue recently as part of my ISP switch over in the last month.

For the last four years, we had been using a T1 service with speakeasy.net to support our mail and Web traffic inbound. I figured that it was worth the extra six-hundred dollars a month to get the level of service required to support our mail and Web presence. At the same time, I had been running a Verizon FiOS 15/2 connection to support outbound Internet access and VPN connections.

However, over the three years that we ran the FiOS and T1 concurrently, we found that the fiber-optic link was in fact more reliable than the T1. In fact, it seemed like the T1 would know when I was leaving town, especially when I was going to Las Vegas to have a little work and a little fun, because it would invariably go down during those trips, which led to 1 to 4 days of hell trying to get things up and running again.

Anyhow, a couple of weeks ago we switched off the T1 and now run exclusively on the FiOS link. We got their business plan, which included 5 static addresses, so I assigned one to the outbound ISA Firewall, and two each for the inbound ISA firewalls (I have two inbound ISA firewalls for redundancy). All was working well. Another nice benefit of moving over to only the FiOS with the business plan is that we would be saving almost $450/mo on the cost.

However, Debi noticed that AT&T’s network wasn’t accepting email from our mail servers. It didn’t matter what the FROM domain was on the messages, the messages were not delivered to them. I first tested by sending email to my Hotmail, Gmail and Yahoomail accounts, and the messages showed up in the inbox, which I thought was pretty good — I figured that at least one of those providers would “bin” my messages.

What did I need to do? I needed to do one of two things:

* Find out if Verizon had a smart host that I could use
* Find out if Verizon would create a reverse lookup record for my outbound mail server

I called Verizon’s tech support (who are very knowledgeable and helpful) and they said that they didn’t have a smart host that I could use. However, if I wanted to try, I could use the authenticated SMTP server they provide for users’ email applications, and then configure the Exchange Server to send credentials to that machine to use it for outbound relay. The problem, they told me, is that if you send too many messages too quickly, the account might be tagged as a spammer and the server shut down. For that reason, they didn’t recommend that I use my personal SMTP account as a smart host.

So, we went with the rDNS record. It was very easy to get this set up. They just wanted to know the IP address that would be the source IP address for outbound SMTP connections and the name my machine sends in the HELO (or EHLO). I use a masquerade name so that the actual machine name isn’t sent, but that’s OK because Internet SMTP servers don’t care what the actual machine name is. Within 24 hours the rDNS was in place on Verizon’s DNS servers and outbound mail started working.

Oh, one more thing I had to do. Some spam whackers will use SPF to control spam. It makes sense to use SPF instead of rDNS on MX records, because MX records are designed for inbound mail not outbound mail. SPF is designed to give relevant information on outbound mail. So I also updated my SPF records to support the new configuration.
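As an added example (not part of the original post), here are the two checks a mail admin would run after a move like the one above: forward-confirmed reverse DNS for the new source IP against the masqueraded HELO name, and whether the domain's SPF record lists the new outbound address. The hostnames, addresses and lookup tables are constructed placeholders; for live zones, pass in wrappers around your resolver instead.

```python
import ipaddress
from typing import Callable, Dict, List, Optional

# Constructed sample zone data (placeholder names and addresses, not the post's real ones).
# 203.0.113.10 is the new FiOS outbound address, 198.51.100.5 the old T1 address whose
# stale PTR still names the mail host, and the SPF record lists both addresses.
FORWARD_A: Dict[str, List[str]] = {"mail.example.com": ["203.0.113.10"]}
REVERSE_PTR: Dict[str, str] = {"203.0.113.10": "mail.example.com",
                               "198.51.100.5": "mail.example.com"}
SPF_TXT: Dict[str, str] = {"example.com": "v=spf1 ip4:198.51.100.5 ip4:203.0.113.10 -all"}
PtrLookup = Callable[[str], Optional[str]]   # ip -> PTR name
ALookup = Callable[[str], List[str]]         # name -> A addresses
TxtLookup = Callable[[str], Optional[str]]   # domain -> SPF TXT record

def _norm(name: str) -> str:
    return name.rstrip(".").lower()

def fcrdns_ok(ip: str, helo_name: str, ptr: PtrLookup, a: ALookup) -> bool:
    """Forward-confirmed reverse DNS as receiving MTAs check it: the PTR for the
    source IP must equal the HELO name, and the HELO name must resolve back to the IP."""
    name = ptr(ip)
    if name is None or _norm(name) != _norm(helo_name):
        return False
    return ip in a(helo_name)

def spf_lists_ip(domain: str, ip: str, txt: TxtLookup) -> bool:
    """True if the domain's SPF record has an ip4 mechanism covering ip.
    Only ip4 terms are evaluated; include/a/mx/redirect are deliberately out of scope."""
    record = txt(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return False
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        mech = term.lstrip("+").lower()
        if mech.startswith("ip4:") and addr in ipaddress.ip_network(mech[4:], strict=False):
            return True
    return False

def outbound_checks(ip: str, helo_name: str, domain: str,
                    ptr: PtrLookup = REVERSE_PTR.get,
                    a: ALookup = lambda n: FORWARD_A.get(n, []),
                    txt: TxtLookup = SPF_TXT.get) -> Dict[str, bool]:
    """Run both checks for one outbound address; defaults use the constructed tables."""
    return {"fcrdns": fcrdns_ok(ip, helo_name, ptr, a),
            "spf": spf_lists_ip(domain, ip, txt)}

if __name__ == "__main__":
    for candidate in ("203.0.113.10", "198.51.100.5"):
        print(candidate, outbound_checks(candidate, "mail.example.com", "example.com"))
```

The old T1 address fails the FCrDNS check because its leftover PTR names a host that no longer resolves back to it, which is exactly the mismatch receiving servers reject.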

That’s it. Everything worked and all ISPs are accepting our mail again. Changing ISPs isn’t always fun and it’s never easy, but once everything is in place, everything will work like clockwork again.

Reference: http://blogs.isaserver.org/shinder/2008/06/16/remember-your-reverse-lookup-zone-records-when-changing-isps/