
reverse DNS issue

Discussion in 'Networking (Hardware & Software)' started by ericwi, 2010/06/02.

  1. 2010/06/02
    ericwi Inactive Thread Starter
    Hi all,

    Recently, I have this reverse dns issue that the recipient end is rejecting mails from my side. After conversing with the recipient, it was found the ip address of my antispam box is different when their server did a reverse lookup of my box. The ip address they received happened to be my firewall. I did an online reverse lookup of the ip address my recipient received and it reported the correct server hostname.

    Before you can advise me what I can do, I probably need to tell all my current setup. I have a firewall facing the external world. Sitting behind the wall is my antispam appliance . My incoming/outgoing mails are routed through the antispam box.

    I am total noob about this and seek anyone's advice what I can do.

    Appreciated.
     
  2. 2010/06/03
    TonyT SuperGeek Staff
    You will probably have to use port forwarding in the firewall to send port 53 WAN requests to the anti spam appliance. AFAIK rDNS uses the same port as DNS (53). Else you'll have to use custom message headers and set the IP address to that of the firewall.
     

  4. 2010/06/03
    rsinfo SuperGeek Alumni
    This is correct. The IP address would be the Red [Internet] port of your firewall.


    This is also correct, as you are querying your local DNS server which is not accessible from the net and for safety sake should not be accessible. You can query it as you are on the Green [LAN] side. If you want to grant access to some machine on your network, you forward the relevant port to that machine in your firewall.

    This itself should not result in getting your mail rejected from the recipient side. Are your other mails going through or are you facing problem everywhere ?
     
  5. 2010/06/03
    TonyT SuperGeek Staff
    Some ISPs require rDNS IP addresses to match that of the originating IP address contained in the email headers. Not all ISPs do though. And some aggressive anti-spam systems do as well.

    For example, COX requires matching IP addresses when comparing the mail headers to rDNS. And Earthlink won't even let such messages pass through their network, such messages get rejected at router level.
     
  6. 2010/06/03
    ericwi Inactive Thread Starter
    Hi all,

    @rsinfo, I agree with TonyT. Currently, this is the situation. All my mails to this particular recipient cannot be delivered because of this. Their server did a rDNS on the incoming IP and rejects the mails because they do not match. What sort of settings can I configure on my firewall to ensure that the IP address my recipients receive matches my antispam box?


    Thanks for advice.
     
  7. 2010/06/03
    TonyT SuperGeek Staff
    When the ISP does rDNS it queries port 53. Port 53 requests from the WAN are apparently being blocked by your firewall. Use Port Forwarding.

    But tell us your exact setup with models and operating systems. Own DNS server?
     
  8. 2010/06/03
    ericwi Inactive Thread Starter
    Yes TonyT,

    We manage our DNS. That means we have an external DNS server for our web, ftp and mail servers. We also have internal DNS for AD authentication and GPO. For external DNS, we use a UNIX OS to manage it and for internal, W2k3-R2.

    When you mention port forwarding, does it mean that when external parties do rDNS, they would query the firewall? At this point, my FW would port-forward service 53 to the external DNS, which returns the FQDN of my antispam box?

    Please correct if I am wrong.

    Tks for the reply
     
  9. 2010/06/05
    ReggieB Inactive Alumni
    DNS is simply a way of matching IP addresses to human readable names. DNS has nothing to do with the passage of traffic. Basically network equipment always wants to work with IP addresses, but us humans want to work with readable names such as windowsbbs.com. So when we send a request to windowsbbs.com our network hardware goes "Hey DNS, I don't understand this name, can you give me an IP address I do understand?". And the DNS server replies with an IP address. From that point on, the DNS server plays no further part in the process. From then on it's IP all the way.

    Reverse DNS does the opposite. It takes an IP address and asks DNS for the human readable name that matches it. With e-mail, this usually happens to check that the e-mail came from the mail server it should have done.

    So if someone is getting this problem reverse DNS resolving the IP address associated with your e-mails, then it looks like you have an MX record issue. If you are using NAT on your router, the e-mails should appear to come from your Firewall's external port. So you have two ways of dealing with this:

    If you are managing your MX record and all incoming e-mails come directly to your servers, set the IP address as your router's external address.

    or

    If your ISP is managing your MX record and all incoming e-mails go to their e-mail servers, and then get forwarded to your mail server, either talk to your ISP for advice as to whether they can deal with this problem - or more simply, set up your mail server to forward all outgoing e-mail to their e-mail server and relay through that.
     
  10. 2010/06/06
    ericwi Inactive Thread Starter
    Thanks Reggie for the reply.

    Since we manage our domain, it means we manage the DNS. Currently, we have an MX record for our domain. The IP points to our antispam server if one were to do rDNS. The issue here is that our recipients reject our mails because they claim the incoming IP of our mails is different when their server does a rDNS. I am not too sure how it should be configured on my end. As mentioned, my antispam is sitting behind the FW, which is facing the world.

    Rsinfo provided an insight on how the mails are routed, which he said is correct: when the recipients receive mails from my side, they receive mails from my FW. But when their server does a rDNS, it points to my antispam. So, I am not too sure how to configure the FW/antispam so that when their server does a rDNS, it resolves to my antispam.

    Thanks
     
  11. 2010/06/06
    rsinfo SuperGeek Alumni
    Point your MX record to your firewall IP & NOT to your spam gateway. Then forward the POP3/IMAP ports to your mail server. This is the correct way to do it.

    But if your current MX record points to your spam gateway, how is the mail working at all ?
     
    Last edited: 2010/06/06
  12. 2010/06/06
    ericwi Inactive Thread Starter
    Hi Rsinfo,

    At the moment, my mails are going through the antispam and then to the FW without many problems. I am not too sure how the route works but do tell how it should have been done (the configuration on the FW and the antispam).

    Thanks
     
  13. 2010/06/06
    rsinfo SuperGeek Alumni
    I believe that your anti spam gateway is behind the firewall. Then it must have been assigned a private IP which is non routable. If the mails are still going through & your MX record is pointed to your anti spam gateway, then there is something horribly wrong somewhere.

    I need to have the IPs of your firewall & anti spam gateway as well as the IP series you are using in LAN.
     
  14. 2010/06/06
    ericwi Inactive Thread Starter
    Hi rsinfo,

    You are right that my antispam is sitting behind the FW. Both my antispam and FW have internal and external IP addresses. I am able to do rDNS using free DNS check tools from any webpage on my antispam as well as the FW. The result is the external IP address, which can be pinged.
     
  15. 2010/06/06
    rsinfo SuperGeek Alumni
    There's your problem.

    Your firewall is configured to forward the public antispam IP to the private IP [192.168.xxx.xxx] of your antispam box. So whenever you send the mail, the IP of your FW is seen as the sending IP & not your anti spam box.
     
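As an added example (not from the thread), here is the forward-confirmed rDNS check that ReggieB describes and that rsinfo's diagnosis says is failing, run over constructed DNS data: PTR on the connecting IP, A lookup of the returned name, then a comparison with the hostname the sending box announces. The hostnames fw.example.net and antispam.example.net and the 203.0.113.x addresses are placeholders, not the poster's real values.

```python
import socket
from typing import Callable, List, Tuple

# Constructed sample DNS data standing in for what a recipient's resolver sees.
# Addresses are documentation-range placeholders, not the thread's real IPs.
PTR_RECORDS = {
    "203.0.113.10": "fw.example.net",        # firewall's public IP (NAT source of outbound mail)
    "203.0.113.20": "antispam.example.net",  # antispam box's public IP, which carries the MX and PTR
}
A_RECORDS = {
    "fw.example.net": ["203.0.113.10"],
    "antispam.example.net": ["203.0.113.20"],
}

def mock_ptr(ip: str) -> str:
    """PTR lookup against the constructed data; raises like socket.gethostbyaddr when absent."""
    if ip not in PTR_RECORDS:
        raise socket.herror(1, "Unknown host")
    return PTR_RECORDS[ip]

def mock_a(name: str) -> List[str]:
    """A lookup against the constructed data; raises like socket.gethostbyname_ex when absent."""
    if name not in A_RECORDS:
        raise socket.gaierror(-2, "Name or service not known")
    return A_RECORDS[name]

def fcrdns_check(connecting_ip: str, helo_name: str,
                 ptr_lookup: Callable[[str], str] = lambda ip: socket.gethostbyaddr(ip)[0],
                 a_lookup: Callable[[str], List[str]] = lambda n: socket.gethostbyname_ex(n)[2]
                 ) -> Tuple[bool, str]:
    """Forward-confirmed rDNS: PTR on the connecting IP, A on that name, then HELO match.
    Defaults use the system resolver; pass the mock_* functions to run offline."""
    try:
        ptr_name = ptr_lookup(connecting_ip).rstrip(".").lower()
    except socket.herror:
        return False, f"no PTR record for {connecting_ip}"
    try:
        forward = a_lookup(ptr_name)
    except socket.gaierror:
        return False, f"PTR name {ptr_name} has no A record"
    if connecting_ip not in forward:
        return False, f"PTR name {ptr_name} does not resolve back to {connecting_ip}"
    if helo_name.rstrip(".").lower() != ptr_name:
        return False, f"HELO name {helo_name} does not match PTR name {ptr_name}"
    return True, f"{connecting_ip} <-> {ptr_name} confirmed"

if __name__ == "__main__":
    # The thread's situation: mail leaves via the firewall's IP but announces the antispam hostname.
    print(fcrdns_check("203.0.113.10", "antispam.example.net", mock_ptr, mock_a))
    # After the fix: mail leaves from the IP whose PTR is the antispam hostname.
    print(fcrdns_check("203.0.113.20", "antispam.example.net", mock_ptr, mock_a))
```

Call `fcrdns_check(ip, helo_name)` without the mock arguments to run the same check against the live system resolver.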
  16. 2010/06/06
    ericwi Inactive Thread Starter


    Gee...did not realise it cannot be done this way. OK, more info about our company LAN. All the internet access has to go through a modem provided by the ISP. My FW is sitting behind this modem. In turn, all devices, workstations and servers are connected to the FW before they can browse the internet. My mail server is configured with a smarthost feature that routes all incoming/outgoing mails through the antispam, which in turn routes to the FW, and then the modem, to the external world. In this case, where should I position my antispam machine? For the IP configuration of the antispam machine, does it mean the gateway portion has to point to the modem instead of the FW? Would there be any impact on the DNS server we are hosting for the external world to resolve?

    Thank you so much for the patience, rsinfo.
     
  17. 2010/06/07
    rsinfo SuperGeek Alumni
    Correct. Seems you have 2 different public IPs - one for your mail server & another for your internet access.

    Please confirm if you have this scenario or not.

    I am still not very clear about your LAN setup. But we would work on that :).
     
  18. 2010/06/07
    ericwi Inactive Thread Starter
    Thanks for your assistance rsinfo.

    I will give the lowdown of my company LAN setup:

    I have a couple of public IP addresses in a 203.120.x.x subnet. They are assigned to each device, namely the FW, antispam, modem, external DNS server etc.

    I have private IP addresses in a 192.168.x.x subnet for my internal use. They are assigned to the antispam, FW, mail server, AD server (which also acts as the DHCP/DNS server) and workstations. The servers do not have public IP addresses.

    All workstations are able to browse the internet and check their mails (I am using Exchange server) and share files with the server.

    The mail server is configured with a smarthost feature whereby all incoming/outgoing mails are routed through the antispam appliance. For outgoing mails from my users, the mails are routed via the mail server to the antispam. They are further routed to the FW and in turn the modem before they reach the internet. For incoming, it is the other way around.

    We manage our external DNS server. Hence, we have MX and PTR records for my domain. Currently, the MX record is pointing to my antispam box. We also have a PTR record for it.

    Problem at the moment :-
    We are not able to send mails to external parties. Further checking with one party, the IT guy told me the IP address of the incoming mail is different when their mail server does a rDNS on the FQDN of our domain. What was weird was that I was able to get the expected result when I used online tools (I used www.mxtoolbox.com) to do a check on my domain and also a reverse lookup.

    I hope the information provided is sufficient. Do let me know which area is unclear and I will improve on it.

    Thanks again rsinfo.

    :)
     
  19. 2010/06/07
    rsinfo SuperGeek Alumni
    Could you please give the IP addresses assigned to each of those? Everything connected to the internet/LAN has to have a unique IP address.

    Why are you running external DNS server ? Are you an ISP ?

    Is your modem configured in NAT mode or passthru mode ?
     
  20. 2010/06/07
    ericwi Inactive Thread Starter
    Hi rsinfo,

    I have sent you a private message.

    Tks
     
  21. 2010/06/07
    Scott Smith Inactive Alumni
    I gotta ask. Why are you sending mail through the anti spam? Do you have spammers in your organization?
     
