reverse DNS issue

For all the folks, here is ericwi's position:

He has 2 IP public addresses in the range 203.120.x.y as follows:

Firewall - 203.120.x.y
Antispam - 203.120.x.z
MX Record - 203.120.x.z

He is routing the IP address 203.120.x.z [mail server IP] through his firewall [203.120.x.y] to mail server/anti spam box. Now when he sends mail, the email is sent from his firewall IP [203.120.x.y] and gets bounced from some domains as his sending IP is different from MX record IP [203.12.x.z]

 

Scott Smith & TonyT,

Both of you have valid points but his immediate problem is bouncing/rejection of mails by some domain since his MX pointer # sending IP address.

Since I have very limited experience with using 2 public IPs on one device, I would leave it for somebody more experienced & knowledgeable than me to help ericwi out.

But I wonder, who gave him this covulated solution in the first place & why ? Is it because of the volume of mail ?

If his MX record was pointed to his firewall, this would have been a piece of cake, antispam or no antispam.

And ericwi I still don't understand why are you hosting external DNS server in your organisation ? Its a big pain & security risk. Who is looking after it ? Patching it ? Let your ISP do the job for you or start using other DNS services like opendns or even googledns. The MX record can be set at the domain level itself [from the guy you have taken the domain name].

Never ever expose your internal DNS server to internet. This is internal & should remain strictly internal.

 

Simple answer is point the MX at your firewall IP. Route all traffic through that IP.
Unless that second IP is a different pipe to the net there is no advantage to having a second one.

I think I'm going to add a signature line to my profile.
"Don't make it harder than it is"

 

Hi all,

Thanks for the replies. We initially had this assignment to the FW but not too long ago, the FW's IP address was blacklisted and took us some time to resolve it. After the incident, my boss decided to assign the antispam to have the MX record instead of the FW.

Thinking out loud, what would be the implications if I put the antispam side-by-side with the FW instead of behind it? That means mails will be routed through the antispam will directly traversed out into the internet, instead of passing through the FW.

 

Or,

Keep it Simple Stupid

 

Don't.

Everything going in & out should be through firewall. That's your first line of defence. Don't even think about attaching any device directly onto internet without a firewall.

 

Ahhh,
The rest of the story comes out. For an IP to be blacklisted you had to be really bad.

 

ericwi,

You may have more problem than you have imagined. Check your mail server configuration minutely. May be you are using mail server in "open relay" mode. [Very Very Bad].

 

Hmm....I am using Exchange 2007 sp2 on a CCR configuration. I am not too sure how to check for open relay.

I have disabled port 25 on my FW on outgoing if it helps.

 

Check these:

http://support.microsoft.com/kb/324958 and
http://support.microsoft.com/kb/895853