jforville

asked on

Reverse DNS Public IP NAT

I am looking for a solution to this problem.  First, my environment:
Exchange Server 2003 SP2: Assigned ISP Public Address 111.111.111.2
Cisco PIX 506: Outside Interface Assigned ISP Public Address 111.111.111.3; 111.111.111.2 is set as a one-to-one NAT entry pointed to my mail server.
MX Record Points to mail.domain.com on 111.111.111.2
Reverse DNS PTR setup by ISP is 111.111.111.2 mail.domain.com

My issue is that for certain Mail Servers hosted by AOL and Speakeasy for example, they are rejecting mail from me based on a failed rDNS lookup.  I have confirmed that my mail headers when received by the recipient host show my PIX Outside interface of 111.111.111.3.  I assume that's why their rDNS lookups fail.  Isn't there a way I can resolve this without reconfiguring my network or addressing?
SOLUTION
jar3817

All you need to do is get your ISP to set the reverse DNS correctly, and ensure that the server announces itself as the same name as the reverse DNS. Ideally that should also match your forward DNS as well.

http://www.amset.info/exchange/dnsconfig.asp

Simon.
jforville

ASKER

jar3817:
I considered doing your suggestion prior to submitting a question here, however, I am concerned that if the rDNS record points to .3 (ie, not my mail server), then it won't match my MX record which is .2 and any attempt to perform an SMTP connection to .3 will fail because that's not my mail server.  So ultimately I think this solution may fix problems sending to some mail servers but fail for others which leaves me in the same boat I am in now.

Simon:
My ISP already has the rDNS record pointed to 111.111.111.2 at mail.domain.com, which matches the domain my server announces itself as.  Are you saying that is incorrect?  If so, can you give me a sample config statement of what you mean by "correctly?"
ASKER CERTIFIED SOLUTION
At the recommendation of the customer ISP, here's what we did that solved the problem:
1. Added a new "generic" A record (i.e. genericname.domain.com) at the domain registrar, associated with the outside interface of the firewall, 111.111.111.3
2. The ISP added a new rDNS PTR for 111.111.111.3 pointed to genericname.domain.com
The DNS engineer had his reasons for doing it this way based on his dealings directly with AOL.  He talked way too fast for me to ask any more questions about why, so I told him I would trust his judgement and give his solution a try, and it worked.  I'm sure your solution, jar3817 and Sembee, would work as well.  I would like to split the points between you two.  How do I split points between two people?
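The check that the rejecting mail servers apply is forward-confirmed reverse DNS: look up the PTR for the IP that actually opened the SMTP connection (here the PIX outside address, 111.111.111.3, not the NAT address the MX points at), then resolve that name forward and require the answer to include the same IP. The Python below is an added example, not code from this thread or from Exchange or the PIX; its DNS tables are constructed inline to mirror the addresses and names in the question (genericname.domain.com is the asker's placeholder), so it runs offline. It models the state before the fix (no PTR for .3) and after it (PTR and A record added for .3), and also the stricter check Simon describes, that the name the server announces in HELO should match the PTR.

```python
"""Forward-confirmed reverse DNS (FCrDNS) as a receiving mail server applies it.

Added example, not from the original thread.  The DNS tables are constructed to
match the question: 111.111.111.2 is the NAT address of mail.domain.com, and
111.111.111.3 is the PIX outside interface that recipients actually see.
"""

import ipaddress


def reverse_name(ip: str) -> str:
    """Return the in-addr.arpa name a resolver queries for the PTR of an IPv4 address."""
    return ipaddress.ip_address(ip).reverse_pointer  # "111.111.111.3" -> "3.111.111.111.in-addr.arpa"


def fcrdns_check(connecting_ip: str, ptr_records: dict, a_records: dict):
    """Return (ok, reason) for the connecting IP.

    ptr_records maps in-addr.arpa names to hostnames (the ISP-controlled side).
    a_records maps hostnames to lists of IPv4 strings (the registrar/zone side).
    """
    hostname = ptr_records.get(reverse_name(connecting_ip))
    if hostname is None:
        return False, f"no PTR record for {connecting_ip}"
    forward = a_records.get(hostname, [])
    if connecting_ip not in forward:
        return False, f"PTR names {hostname} but its A records {forward} do not contain {connecting_ip}"
    return True, f"{connecting_ip} -> {hostname} -> {connecting_ip}"


def helo_matches_ptr(helo_name: str, connecting_ip: str, ptr_records: dict) -> bool:
    """Stricter check some receivers apply: the HELO name must equal the PTR name."""
    return ptr_records.get(reverse_name(connecting_ip), "").lower() == helo_name.lower()


# Constructed DNS state before the fix: only the NAT address has a PTR.
BEFORE_PTR = {reverse_name("111.111.111.2"): "mail.domain.com"}
BEFORE_A = {"mail.domain.com": ["111.111.111.2"]}

# Constructed DNS state after the fix from the accepted answer: the ISP adds a PTR
# for the firewall address and the registrar gets a matching A record.
AFTER_PTR = {**BEFORE_PTR, reverse_name("111.111.111.3"): "genericname.domain.com"}
AFTER_A = {**BEFORE_A, "genericname.domain.com": ["111.111.111.3"]}


def check_thread_scenario():
    """Run FCrDNS for the source IP the recipient sees, before and after the fix."""
    seen_ip = "111.111.111.3"  # PIX outside interface, as observed in the received headers
    return {
        "before": fcrdns_check(seen_ip, BEFORE_PTR, BEFORE_A),
        "after": fcrdns_check(seen_ip, AFTER_PTR, AFTER_A),
    }


if __name__ == "__main__":
    for stage, (ok, reason) in check_thread_scenario().items():
        print(f"{stage}: {'PASS' if ok else 'FAIL'} - {reason}")
    # Exchange still announces mail.domain.com while the PTR for .3 says
    # genericname.domain.com, so the strict HELO==PTR check still flags it.
    print("HELO matches PTR after fix:", helo_matches_ptr("mail.domain.com", "111.111.111.3", AFTER_PTR))
```

Running it shows the FCrDNS check failing before the PTR for .3 exists and passing afterwards, which is what the accepted fix changed. The last line prints False: the asker's fix satisfies forward-confirmed reverse DNS, but a receiver that also insists the HELO name equal the PTR name would still object unless the server announces genericname.domain.com, which is the point Simon's answer makes about keeping the announced name, the PTR and the forward record consistent.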
This page explains how to split the points.

https://www.experts-exchange.com/help.jsp#hi69

Simon.
Thanks to you both for your help on supporting me with a solution and Simon for your assistance with splitting the points.