When you use the SMTP Diag tool from our site you see that the banner you are displaying publicly is masked by asterisks:
Trying 1.2.3.4...
Connected to smtp.example.com.
220 *********************************************
The reverse check takes the banner and the PTR record for the IP and sees if the domain is listed. Since all we get publicly is the asterisks, the comparison fails and you get the warning.
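The reverse check described above, as an added example (this is not the SMTP Diag tool's own code). It assumes a match means the banner names a host in the same parent domain as one of the PTR names, approximated by the last two labels; the function names and status strings are hypothetical.

```python
import re
import socket

HOSTNAME = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def banner_hosts(banner_line):
    """Hostname-like tokens in a '220 ...' greeting; None if it is not a 220 line."""
    m = re.match(r"^220[ -](.*)$", banner_line.strip())
    if m is None:
        return None
    tokens = (t.strip("[]()<>,;").rstrip(".").lower() for t in m.group(1).split())
    return [t for t in tokens if HOSTNAME.match(t)]

def parent_domain(name):
    # Assumption: the last two labels stand in for the registered domain
    # (no public-suffix handling, so "example.co.uk" is treated as "co.uk").
    return ".".join(name.rstrip(".").lower().split(".")[-2:])

def reverse_check(banner_line, ptr_names):
    """Classify one greeting against the PTR names returned for the same IP."""
    hosts = banner_hosts(banner_line)
    if hosts is None:
        return "no-220-greeting"
    if not hosts:
        text = banner_line.strip()[4:]
        # A greeting made only of asterisks is a masked banner, not a wrong one.
        return "masked" if text and set(text) <= set("* ") else "no-hostname"
    ptr_domains = {parent_domain(p) for p in ptr_names}
    return "match" if any(parent_domain(h) in ptr_domains for h in hosts) else "mismatch"

def live_check(ip, port=25, timeout=10):
    """Fetch the greeting and the PTR for one IP (needs network access)."""
    with socket.create_connection((ip, port), timeout=timeout) as s:
        data = s.recv(512).decode("ascii", "replace")
    banner = (data.splitlines() or [""])[0]
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return "no-ptr"
    return reverse_check(banner, [name, *aliases])

# Constructed samples; the first is the masked greeting shown above.
SAMPLES = [
    ("220 *********************************************", ["smtp.example.com"]),
    ("220 mail.yourdomain.com Microsoft ESMTP MAIL Service ready", ["mail.yourdomain.com"]),
    ("220 mail.yourdomain.com ESMTP", ["host-1-2-3-4.isp.example.net"]),
]
if __name__ == "__main__":
    for banner, ptr in SAMPLES:
        print(reverse_check(banner, ptr), "<-", banner)
```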
Many administrators choose to mask their banner in hopes that by not giving an attacker a domain name, they might avoid something like a directory harvest attack. My personal opinion is that if you are using a single IP for inbound and outbound, then you are going to need to put your domain in your PTR records for your outbound, so you might as well put it in your banner. However, this is personal preference and nobody should deny sending or receiving mail from your server just because you aren't throwing your domain in the banner.
If you are not sure where to access your SMTP banner in your mail server, read below for some helpful hints. We do not advise making ANY changes to your mail server if you are not the system administrator or confident in making these changes.
Configure SMTP banner Exchange 2003
1. Open Exchange system manager.
2. Expand your administrative group ("First administrative group" by default).
3. Expand Servers.
4. Expand "YourServersName".
5. Expand Protocols container.
6. Select SMTP container.
7. On the right window, right click the Default SMTP virtual Server (Or the name you set your SMTP Server) and select Properties.
8. Select the Delivery Tab.
9. Click the Advanced button.
10. Under the Fully Qualified Domain Name (FQDN) type mail.yourdomain.com (The A/Host record you created in DNS for your mail server)
11. Click Apply and OK again to accept the changes
Configure SMTP banner Exchange 2007/2010
1. Open the Exchange management console.
2. Select the Organisation Configuration container.
3. Select Hub Transport container.
4. On the right select the Send Connectors tab.
5. Right click your send connector and select properties.
6. On the General tab under the Set the Fully Qualified Domain Name (FQDN) this connector will… type the A record domain name you created, which in our case is mail.yourdomain.com. Click OK.
7. Under the Server Configuration container click the Hub Transport container.
8. In the right window, select the properties of the Receive Connector under the Receive Connectors tab.
9. On the General tab under the Set the Fully Qualified Domain Name (FQDN) this connector will… type the A record domain name you created, which in our case is mail.yourdomain.com. Click OK.
To verify these changes we would recommend using our SMTP Diagnostic Tool again.
Let us know if you have any other questions or concerns.
Thank you,
Wendy