
HOWTO: How do I validate connecting hosts in the DNS?



This article applies to:

  • MailMarshal (SEG)

Question:

How do I validate connecting hosts in the DNS?

Procedure:

Enabling the 'Validate Connecting Hosts in the DNS' check box (in the Receiver | Host Validation tab of Array Properties) sets the MailMarshal Receiver service to do a reverse DNS lookup, also called a Pointer (PTR) record lookup, for all incoming messages.

A PTR record shows the domain names associated with an IP address. So, when the Receiver gets an IP address, it will do a PTR record lookup to see what information is returned. The intention is to check for potential spam messages.

The options in MailMarshal are:

  • Accept unknown hosts (used for logging purposes only)
    The MailMarshal Receiver will do a PTR record lookup and if there is no PTR record, or if the domain name supplied in the message does not match the domain name indicated by the PTR record, then the event will be logged in the MailMarshal Receiver text log.

    Note: The message will still be accepted. This option is useful to diagnose a potential spam problem.

  • Host must have PTR record
    The MailMarshal Receiver will block any message where the IP address does not have a valid PTR record. If there is no record, MailMarshal logs this event in the Windows Application Event Log and terminates the connection with the SMTP response: 554 No SMTP service here

    Note: The domains do not have to match; the only requirement is that there is a PTR record.

  • PTR record must match the HELO connection string
    The MailMarshal Receiver will block a message where any domains listed in the PTR record do not match that supplied in the HELO string provided by the sending server. If the record does not match, MailMarshal logs this event in the NT Event Log and terminates the connection with the SMTP response: 554 No SMTP service here

    Note: This option should be used with caution - it is very likely that you will block valid e-mail from domains that do not have their PTR records set up correctly.

Notes:

These features, which provide varying degrees of checking, can only be used where MailMarshal can 'see' the actual IP address of the sending e-mail server. They are of no use, for example, where MailMarshal sits behind a firewall and only sees the IP address of that firewall.

By using these features, it is possible for valid e-mail to be blocked. For example, some sites do not have their PTR records set up correctly. Therefore, when turning on 'Validate Connecting Hosts', it is recommended to select the first option 'Accept unknown hosts' and monitor results in the Windows Application Event Log. When you are satisfied that valid e-mail is not being blocked, then select one of the other two options.
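To estimate the impact before leaving the log-only option, the three options can be modelled offline against a list of known senders. The sketch below is an added example, not MailMarshal code: the function names, mode names and sample connections are constructed, and the match rule (case-insensitive equality between the HELO name and a PTR name) is an assumption, since the article does not document the exact comparison.

```python
import socket

RESPONSE_BLOCK = "554 No SMTP service here"  # SMTP response quoted in the article

def lookup_ptr(ip):
    """Return the PTR names for ip from the system resolver ([] if none)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [name, *aliases]

def _norm(host):
    # Compare names without the trailing root dot and without case.
    return host.strip().rstrip(".").lower()

def evaluate(ptr_names, helo, mode):
    """Model the three Host Validation options; returns (accepted, note)."""
    # Assumption: "match" = case-insensitive equality of the HELO name with
    # one PTR name; the article does not document the exact comparison.
    names = {_norm(n) for n in ptr_names} - {""}
    has_ptr = bool(names)
    matches = has_ptr and _norm(helo) in names
    if mode == "accept_unknown":  # never blocks, only logs
        if matches:
            return True, "ok"
        return True, "logged: " + ("PTR/HELO mismatch" if has_ptr else "no PTR record")
    if mode == "require_ptr":  # names need not match
        return (True, "ok") if has_ptr else (False, RESPONSE_BLOCK)
    if mode == "ptr_match_helo":
        return (True, "ok") if matches else (False, RESPONSE_BLOCK)
    raise ValueError(f"unknown mode: {mode}")

# Constructed sample connections: (source IP, HELO string, PTR names).
SAMPLES = [
    ("192.0.2.10", "mail.example.com", ["mail.example.com."]),
    ("192.0.2.20", "smtp.example.net", ["host-20.isp.example."]),
    ("192.0.2.30", "relay.example.org", []),
]

def dry_run(samples=SAMPLES):
    """Return what each option would do to each sample connection."""
    modes = ("accept_unknown", "require_ptr", "ptr_match_helo")
    return {ip: {m: evaluate(ptr, helo, m) for m in modes}
            for ip, helo, ptr in samples}

if __name__ == "__main__":
    for ip, outcome in dry_run().items():
        print(ip, outcome)
```

For real senders, replace the constructed PTR lists with `lookup_ptr(ip)`, run from a host that resolves DNS the same way the Receiver does.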

This article was previously published as:
NETIQKB29369
Marshal KB254

 

 

 

 

