MXToolbox warnings and Kerio Connect


2014/12/19

I've had email from customers saying that MXToolbox says their Kerio Connect mail server is not configured correctly. It reports that they have no PTR record configured (reverse DNS), that the banner is incorrect and that TLS is not enabled. Sounds pretty bad, doesn't it?

And yet when I check these things manually, there is no problem: everything is as it should be. So what's going on here - is MXToolbox wrong or am I?

To find out, I asked MXToolbox to check my own domain. This is the report I got back.

[Image: MXToolbox report for aplawrence.com (alt text: "Mxtoolbox reports are incorrect with Kerio Mailserver")]

Let's take a look at each of those:

SOA Serial Number Format is Invalid

That's my DNS provider (Cloudflare) and it's an absolutely meaningless message. As MXToolbox itself notes:


It has become common to set your serial number with a date format to make it easier to manage.

Indeed, that's just what Cloudflare does and it's quite silly to report that as a warning.

SOA Expire Value out of recommended range

According to their docs, MXToolbox will issue this warning if your value is less than 2 weeks or more than 4 weeks. They say those are "suggested values". Well, Cloudflare uses a default of one week - which they say is their "suggested value". It's their DNS servers that will be queried more frequently, so why does that concern MXToolbox? It shouldn't.

Reverse DNS does not match SMTP banner

Really? Actually, it does: my banner says "220 mail.aplawrence.com ESMTP ready" and the reverse DNS is mail.aplawrence.com, so that's correct. They get this wrong for the same reason they get the next two wrong.

Does not support TLS

Sure it does:

220 mail.aplawrence.com ESMTP ready
EHLO aplawrence.com
250-mail.aplawrence.com
250-AUTH CRAM-MD5 PLAIN LOGIN DIGEST-MD5
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250-PIPELINING
250-ETRN
250-DSN
250 HELP

EHLO asks that a server list its capabilities and STARTTLS is listed.
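Here is what a client that does these checks properly looks like, as an added Python example (not code from the original post, from Kerio or from MXToolbox). The pure functions parse a greeting and an EHLO reply, look for STARTTLS, and compare the greeting hostname with a PTR name; `live_check()` runs the same checks against a real server and, unlike an impatient probe, waits for the 220 greeting before sending anything. The sample transcript is constructed from the EHLO exchange shown above; the function names and the `probe.example.invalid` HELO name are my own.

```python
"""Check an SMTP server's greeting, STARTTLS support and banner/PTR match.

Added example, not code from the original post, Kerio or MXToolbox.
"""
import socket
from typing import Dict, List, Optional

# Constructed transcript, copied from the EHLO exchange quoted in the post.
SAMPLE_GREETING = "220 mail.aplawrence.com ESMTP ready"
SAMPLE_EHLO_REPLY = [
    "250-mail.aplawrence.com",
    "250-AUTH CRAM-MD5 PLAIN LOGIN DIGEST-MD5",
    "250-STARTTLS",
    "250-ENHANCEDSTATUSCODES",
    "250-8BITMIME",
    "250-PIPELINING",
    "250-ETRN",
    "250-DSN",
    "250 HELP",
]


def parse_greeting(line: str) -> Optional[str]:
    """Return the hostname from a '220 <host> ...' greeting, or None when the
    server did not greet us with 220 (a 4xx/5xx greeting is a refusal)."""
    line = line.strip()
    if not line.startswith("220") or len(line) < 5:
        return None
    rest = line[4:].split()          # skip '220 ' or '220-' (multi-line greeting)
    return rest[0] if rest else None


def parse_ehlo_reply(lines: List[str]) -> List[str]:
    """Return capability keywords from a 250 EHLO reply (RFC 5321, 4.1.1.1).

    Continuation lines look like '250-KEYWORD [params]'; the last line is
    '250 KEYWORD'.  The first line carries the server's name, not a capability.
    """
    caps: List[str] = []
    for index, raw in enumerate(lines):
        line = raw.strip()
        if not line.startswith("250") or len(line) < 4:
            raise ValueError(f"not a 250 reply line: {line!r}")
        if index > 0:
            words = line[4:].split()
            if words:
                caps.append(words[0].upper())
        if line[3] == " ":           # final line of the reply
            break
    return caps


def reverse_dns(ip: str) -> Optional[str]:
    """PTR lookup; None when the address has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def banner_matches_ptr(greeting_host: Optional[str], ptr_host: Optional[str]) -> bool:
    """Case-insensitive comparison, tolerant of a trailing dot on the PTR name."""
    if not greeting_host or not ptr_host:
        return False
    return greeting_host.lower().rstrip(".") == ptr_host.lower().rstrip(".")


def assess(greeting: str, ehlo_reply: List[str], ptr_host: Optional[str]) -> Dict[str, bool]:
    """The checks the post argues about, evaluated on a transcript."""
    host = parse_greeting(greeting)
    return {
        "greeting_ok": host is not None,
        "banner_matches_ptr": banner_matches_ptr(host, ptr_host),
        "starttls": "STARTTLS" in parse_ehlo_reply(ehlo_reply),
    }


def _read_reply(rfile) -> List[str]:
    """Read one (possibly multi-line) SMTP reply from a text-mode socket file."""
    lines: List[str] = []
    while True:
        line = rfile.readline()
        if not line:
            raise ConnectionError("server closed the connection mid-reply")
        lines.append(line)
        if len(line) < 4 or line[3] == " ":
            return lines


def live_check(host: str, port: int = 25, helo_name: str = "probe.example.invalid",
               timeout: float = 60.0) -> Dict[str, bool]:
    """Run assess() against a real server.  The timeout is generous on purpose:
    a tarpitting server may hold the greeting for 15 seconds or more, and the
    right response is to wait, not to start sending commands."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        peer_ip = sock.getpeername()[0]
        rfile = sock.makefile("r", encoding="ascii", errors="replace", newline="\r\n")
        greeting = _read_reply(rfile)[0]     # blocks until the server speaks first
        sock.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
        reply = _read_reply(rfile)
        sock.sendall(b"QUIT\r\n")
    return assess(greeting, reply, reverse_dns(peer_ip))


if __name__ == "__main__":
    import sys
    print(assess(SAMPLE_GREETING, SAMPLE_EHLO_REPLY, "mail.aplawrence.com"))
    if len(sys.argv) > 1:                    # python check.py mail.example.invalid
        print(live_check(sys.argv[1]))
```

Run with a hostname argument to probe a server you operate; without one it only evaluates the constructed transcript. Note that `reverse_dns()` is looked up on the address actually connected to, which is what a receiving server would compare the banner against.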

15.6662 seconds - Not good!

But actually, that's deliberate: it's Kerio Connect's Spam Repellent setting, which delays the SMTP greeting on purpose. MXToolbox even mentions that possibility:


It is also possible your server is "Tar pitting". Tar pitting is a technique used by some email servers to slow down spammers. The idea is that legitimate senders will wait longer to establish a connection than spammers will.

I suspect this is also the cause of the TLS and reverse DNS/banner results: they sent their commands too early and got disconnected. To find out, I turned on SMTP debugging momentarily and had them try again. As I suspected, I saw this in the log:

[18/Dec/2014 15:03:57][31880] {smtps} Client 64.20.227.133:62071 closed connection before SMTP greeting, connection rejected

That address is MXToolbox.com. The connection was closed because they tried to enter commands before seeing my banner, which they should not do.
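To show the server side of that log line, here is an added Python example of a tarpitting listener (my own sketch, not Kerio's Spam Repellent code): it holds the 220 greeting for a configurable delay, and if the client sends anything during that delay it logs the rejection and closes the connection without ever greeting. Two constructed clients, one that waits for the greeting and one that talks first, show the difference. The hostnames are placeholders and everything runs on the loopback interface.

```python
"""Tarpitting SMTP listener that rejects clients who talk before the greeting.

Added example, not Kerio's implementation.  Hostnames are placeholders.
"""
import select
import socket
import threading
from typing import List, Optional

GREETING = b"220 mail.example.invalid ESMTP ready\r\n"
EHLO_REPLY = b"250-mail.example.invalid\r\n250-STARTTLS\r\n250 HELP\r\n"


class TarpitSMTP:
    """Waits `delay` seconds before the 220 greeting and drops any client that
    sends data during that wait (an 'early talker')."""

    def __init__(self, delay: float, host: str = "127.0.0.1") -> None:
        self.delay = delay
        self.log: List[str] = []
        self._stop = threading.Event()
        self._listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._listener.bind((host, 0))          # port 0: the OS picks a free one
        self._listener.listen(5)
        self._listener.settimeout(0.2)          # lets the accept loop notice stop()
        self.port = self._listener.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self) -> "TarpitSMTP":
        self._thread.start()
        return self

    def stop(self) -> None:
        self._stop.set()
        self._thread.join(timeout=2)
        self._listener.close()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, addr = self._listener.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn: socket.socket, addr) -> None:
        peer = f"{addr[0]}:{addr[1]}"
        conn.settimeout(10)
        with conn:
            # Tarpit: hold the greeting, but watch the socket while waiting.
            readable, _, _ = select.select([conn], [], [], self.delay)
            if readable:
                early = conn.recv(1024)         # drain so close() sends FIN, not RST
                self.log.append(f"Client {peer} sent {early!r} before SMTP greeting, connection rejected")
                return
            conn.sendall(GREETING)
            buf = b""
            while True:                         # minimal command loop: EHLO and QUIT only
                data = conn.recv(1024)
                if not data:
                    return
                buf += data
                while b"\r\n" in buf:
                    line, buf = buf.split(b"\r\n", 1)
                    verb = line.split()[0].upper() if line.split() else b""
                    if verb == b"EHLO":
                        conn.sendall(EHLO_REPLY)
                    elif verb == b"QUIT":
                        conn.sendall(b"221 bye\r\n")
                        return
                    else:
                        conn.sendall(b"500 command not recognised\r\n")


def patient_client(port: int, timeout: float = 5.0) -> Optional[str]:
    """A correct client: says nothing until the 220 greeting arrives."""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        if not s.recv(1024).startswith(b"220"):
            return None
        s.sendall(b"EHLO client.example.invalid\r\n")
        reply = b""
        while not reply.endswith(b"250 HELP\r\n"):
            chunk = s.recv(1024)
            if not chunk:
                return None
            reply += chunk
        s.sendall(b"QUIT\r\n")
        return reply.decode("ascii")


def early_talker(port: int, timeout: float = 5.0) -> bytes:
    """An impatient probe: sends EHLO at once and returns whatever came back,
    which against an early-talker check is nothing at all."""
    with socket.create_connection(("127.0.0.1", port), timeout=timeout) as s:
        s.sendall(b"EHLO client.example.invalid\r\n")
        received = b""
        try:
            while chunk := s.recv(1024):
                received += chunk
        except ConnectionResetError:
            pass
        return received


if __name__ == "__main__":
    server = TarpitSMTP(delay=1.0).start()
    try:
        print("early talker got:", early_talker(server.port))
        print("patient client got:", patient_client(server.port))
        print("\n".join(server.log))
    finally:
        server.stop()
```

The detection trick is the `select()` during the tarpit delay: a server that simply sleeps and then greets cannot tell an early talker from a patient client, whereas watching the socket during the wait makes the rejection decision before a single byte of greeting is sent.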

So - if you've wondered why MXToolbox spits warnings at you, this is why.


© Anthony Lawrence







Fri Jan 2 16:28:24 2015: DaveGillam (https://www.davegillam.com)



In my case, all look proper, even with tarpitting delays. MXToolbox may have corrected the probes.

Cheers!
Dave






Fri Jan 2 21:00:21 2015: TonyLawrence



Odd - they still give me the same "errors".
