Our company was constantly getting on SPAM lists, so it was decided that we would attempt to change the IP that mail would be routed through from 99.99.99.34 to .40. Everything seemed to go smoothly for the past couple of days until we started getting bounce-backs from AOL and Comcast email addresses:
Your message did not reach some or all of the intended recipients.
The following recipient(s) could not be reached:
Home (outsideuser@comcast.net) on today
There was a SMTP communication problem with the recipient's email server. Please contact your system administrator.
<mail.company.com #5.5.0 smtp;521-EHLO/HELO from sender 99.99.99.34 does not map to mail.company.com in DNS>
We ran DNSstuff Reports on our domain and received the following error:
Missing (stealth) nameservers
FAIL: You have one or more missing (stealth) nameservers. The following nameserver(s) are listed (at your nameservers) as nameservers for your domain, but are not listed at the parent nameservers (therefore, they may or may not get used, depending on whether your DNS servers return them in the authority section for other requests, per RFC2181 5.4.1). You need to make sure that these stealth nameservers are working; if they are not responding, you may have serious problems! The DNS Report will not query these servers, so you need to be very careful that they are working properly.
server_R30.company.com
Server_K8.company.com
This is listed as an ERROR because there are some cases where nasty problems can occur (if the TTLs vary from the NS records at the root servers and the NS records point to your own domain, for example).
I verified all the settings in our DNS Servers and none of them point to 99.99.99.34:
Server_K8 Forward Zones
Name Type Data
Server_k30 Host (A) 10.0.4.4
Server_k8 Host (A) 10.0.4.5
(same as parent folder) Name Server (NS) Server_k30.company.com.
(same as parent folder) Name Server (NS) Server_k8.company.com.
(same as parent folder) Name Server (NS) ns1.company.com.
(same as parent folder) Name Server (NS) ns2.company.com.
(same as parent folder) Mail Exchanger (MX) [10] mail.company.com.
Server_K8 Reverse Zones
Name Type Data
99.99.99.20-110.50 Pointer (PTR) ftp.company.com.
(same as parent folder) Name Server (NS) Server_k30.company.com.
(same as parent folder) Name Server (NS) Server_k8.company.com.
99.99.99.20-110.48 Pointer (PTR) ns1.company.com.
99.99.99.20-110.49 Pointer (PTR) ns1.company.com.
99.99.99.20-110.43 Pointer (PTR) Server_R31.company.com.
99.99.99.20-110.40 Pointer (PTR) exchange.company.com.
Server_R3 Forward Zones
Name Type Data
(same as parent folder) Host (A) 10.1.1.21
(same as parent folder) Name Server (NS) Server_R21.company.com.
(same as parent folder) Name Server (NS) Server_R3.company.com.
SERVER_K6 Alias (CNAME) Server_k8.company.com.
SERVER_K8 Host (A) 10.0.4.5
mail Host (A) 10.0.4.5
Server_R21 Host (A) 10.1.1.21
SERVER_R3 Host (A) 10.1.1.3
SERVER_R4 Host (A) 10.1.1.4
exchange Host (A) 10.1.1.210
We believe that the problem lies on the PIX.
PIX CONFIG
PIX Version 6.3(4)
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intranet security15
no fixup protocol smtp 25
name 99.99.99.40 smtpgateway_out
access-list outside_access_in permit tcp any host 99.99.99.40 eq smtp
access-list outside_access_in permit tcp any host 99.99.99.40 eq www
access-list outside_access_in permit tcp any host 99.99.99.40 eq pop3
access-list outside_access_in permit gre any host 99.99.99.34
access-list outside_access_in permit tcp any host 99.99.99.40 eq https
access-list intranet_access_out permit tcp host 10.0.4.4 any eq smtp
access-list intranet_access_out permit ip host 10.0.4.4 any
access-list intranet_access_out permit ip host 10.0.4.5 any
access-list intranet_access_out permit ip host 10.0.4.6 any
access-list intranet_access_out permit tcp host 10.0.4.11 host 10.1.1.210 gt 135
access-list intranet_access_out permit tcp host 10.0.4.11 host 10.1.1.210 gt www
access-list intranet_access_out permit tcp host 10.0.4.11 host 10.1.1.210 gt smtp
access-list intranet_access_out permit tcp host 10.0.4.11 host 10.1.1.210 gt pop3
access-list intranet_access_out permit tcp host 10.0.4.11 host 10.1.1.210 gt imap4
access-list CAPONE permit tcp host 10.0.4.4 host 192.65.141.129 eq smtp
access-list CAPONE permit tcp host 192.65.141.129 eq smtp host 10.0.4.4
access-list CAPTWO permit tcp host 99.99.99.40 host 192.65.141.129 eq smtp
access-list CAPTWO permit tcp host 192.65.141.129 eq smtp host 99.99.99.40
access-list CAPTHREE permit tcp host 10.0.4.5 host 192.65.141.129 eq pop3
access-list CAPTHREE permit tcp host 192.65.141.129 eq pop3 host 10.0.4.5
ip address outside 99.99.99.34 255.255.255.0
ip address inside 10.1.1.1 255.255.0.0
ip address intranet 10.0.4.1 255.255.255.0
no failover ip address outside
no failover ip address inside
no failover ip address intranet
global (outside) 1 interface
global (outside) 2 99.99.99.40
global (Wireless) 1 interface
global (intranet) 1 interface
nat (inside) 0 access-list nat0_access_list
nat (inside) 2 10.0.4.4 255.255.255.255 0 0
nat (inside) 2 10.0.4.5 255.255.255.255 0 0
nat (inside) 2 10.1.1.31 255.255.255.255 0 0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (intranet) 0 access-list intranet_nat0_access_list
nat (intranet) 1 0.0.0.0 0.0.0.0 0 0
static (intranet,outside) tcp 99.99.99.40 smtp 10.0.4.4 smtp netmask 255.255.255.255 0 0
static (intranet,outside) tcp 99.99.99.40 www 10.0.4.5 www netmask 255.255.255.255 0 0
static (intranet,outside) tcp 99.99.99.40 pop3 10.0.4.5 pop3 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group intranet_access_out in interface intranet
Any ideas as to how to correct the bounce-backs and the best way to restrict outbound SMTP traffic without interfering with visitors using email clients on laptops and VPN connections?
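Editor's note, added after the post and not part of it: the bounce names the PIX outside interface address (99.99.99.34) as the sender, and the posted config explains that. The port statics on 99.99.99.40 only translate connections in which 10.0.4.4 itself uses port 25 (or 10.0.4.5 uses 80/110), so an outbound delivery from 10.0.4.4, which uses an ephemeral source port, does not match them; it falls through to `nat (intranet) 1 0.0.0.0 0.0.0.0`, which pairs with `global (outside) 1 interface`, i.e. .34. The `nat (inside) 2 10.0.4.4` entry that was meant to put the gateway behind .40 is bound to the wrong interface, since 10.0.4.0/24 sits on `intranet`. The fragment below is an illustrative PIX 6.3 snippet written for this page, not the poster's config. It assumes 10.0.4.4 is the only host that should speak to the Internet on port 25 and that Exchange at 10.1.1.210 relays outbound mail through 10.0.4.4 (the post does not state the mail path; both are assumptions). Lines beginning with `:` are comments, as in a saved PIX config.

```cisco
: Added example, not from the original post. Assumptions: 10.0.4.0/24 is the
: "intranet" interface, 10.0.4.4 is the only outbound SMTP sender, and
: Exchange (10.1.1.210) relays through it.
:
: 1. Outbound NAT. global (outside) 2 99.99.99.40 already exists; a host
:    nat entry on the interface the gateway actually lives on is matched in
:    preference to nat (intranet) 1 0.0.0.0 0.0.0.0, so outbound mail leaves
:    as 99.99.99.40 instead of the interface address .34.
no nat (inside) 2 10.0.4.4 255.255.255.255
nat (intranet) 2 10.0.4.4 255.255.255.255 0 0
:
: 2. Inbound SMTP is unchanged; the existing port static still handles it:
:    static (intranet,outside) tcp 99.99.99.40 smtp 10.0.4.4 smtp netmask 255.255.255.255 0 0
:
: 3. Confine outbound port 25 to the gateway. intranet_access_out already
:    implicitly denies other intranet hosts, but the inside interface has no
:    access-group, so every inside host can currently send directly.
:    Exchange may reach the gateway on 25; all other inside hosts are denied
:    port 25 and otherwise left unrestricted.
access-list inside_access_in permit tcp host 10.1.1.210 host 10.0.4.4 eq smtp
access-list inside_access_in deny tcp any any eq smtp
access-list inside_access_in permit ip any any
access-group inside_access_in in interface inside
:
: 4. Existing translations keep the old .34 mapping until they are cleared.
clear xlate
```

Two checks before declaring victory. First, the receiving side's test is the one quoted in the bounce: the EHLO name must resolve to the connecting address, so from outside the network confirm that `mail.company.com` has an A record of 99.99.99.40 and that the PTR for 99.99.99.40 (currently `exchange.company.com.` in the posted reverse zone) matches the name the gateway announces; the NAT change alone does not fix a mismatch there. Second, the `deny tcp any any eq smtp` on inside also catches laptop and VPN users whose clients submit on port 25; the usual compromise is to block 25 and leave submission on 587 open (which `permit ip any any` already does), assuming those clients are configured for 587.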