petererik

PIX 506e reverse lookup MX record with Barracuda

Hi,

We have a Barracuda spam appliance in our network. As you can see from the configuration of our PIX 506e below, e-mail is forwarded to the Barracuda (IP 10.10.10.12) and then from there it is sent on to our mail server at 10.10.10.10. That works fine.

The firewall WAN address is 1.2.3.3
Our MX record for mail.mydomain.com resolves to public ip address 1.2.3.4
A PTR record exists for address 1.2.3.4 to mail.mydomain.com

But when we send mail from our mail server 10.10.10.10 it is sent via the firewall WAN address of 1.2.3.3, and as a consequence reverse lookup fails (it should return mail.mydomain.com). Therefore many mail servers reject our e-mail because of their policy that reverse lookup must succeed.

How do I configure my PIX so that:
1. Incoming mail will go to the Barracuda at 10.10.10.12
2. Outgoing mail from 10.10.10.10 will be sent via 1.2.3.4
3. AND I can still use the https service on the mail server?

This is my current configuration:
name 10.10.10.12 BARRACUDA
name 1.2.3.4 mail.mydomain.com
name 10.10.10.10 MAILSERVER

access-list outside_access_in permit tcp any host mail.mydomain.com eq smtp
access-list outside_access_in permit tcp any host mail.mydomain.com eq https

static (inside,outside) tcp mail.mydomain.com smtp BARRACUDA smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp mail.mydomain.com https MAILSERVER https netmask 255.255.255.255 0 0

Thanks,
Peter
petererik

ASKER

Update:
I found out from Cisco that this is not possible because the PIX does not support Policy Based Routing. I would need a router to do this.
So what I am going to do is change these lines:
access-list outside_access_in permit tcp any host 1.2.3.3 eq smtp
access-list outside_access_in permit tcp any host 1.2.3.3 eq https

static (inside,outside) tcp 1.2.3.3 smtp BARRACUDA smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.2.3.3 https MAILSERVER https netmask 255.255.255.255 0 0

and change my mail.mydomain.com PTR record to 1.2.3.3

Peter
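
The reverse-lookup failure described in the question, and the effect of the PTR change in the update, can be checked with a script like this one. It is an added example, not part of the original thread: the function and table names are hypothetical, the DNS data is constructed from the thread's placeholder addresses, and the forward-confirmation step (the PTR name resolving back to the sending IP) is an assumption about what stricter receivers check beyond the plain reverse lookup the thread mentions.

```python
import socket

def system_resolver():
    """Live lookups through the OS resolver (needs network access)."""
    def ptr(ip):
        try:
            return [socket.gethostbyaddr(ip)[0]]
        except OSError:          # herror/gaierror: no PTR or lookup failed
            return []
    def a(name):
        try:
            return socket.gethostbyname_ex(name)[2]
        except OSError:
            return []
    return ptr, a

def table_resolver(ptr_table, a_table):
    """Offline lookups against constructed zone data held in dicts."""
    return (lambda ip: ptr_table.get(ip, []),
            lambda name: a_table.get(name.rstrip(".").lower(), []))

def check_sending_ip(ip, resolver):
    """Classify the source IP of outbound SMTP as a receiver might see it.

    'no-ptr'   : reverse lookup returns nothing
    'ptr-only' : a PTR exists, but its name does not resolve back to the IP
    'fcrdns'   : PTR exists and the name resolves back to the same IP
    """
    ptr, a = resolver
    names = ptr(ip)
    if not names:
        return "no-ptr"
    if any(ip in a(name) for name in names):
        return "fcrdns"
    return "ptr-only"

# Constructed zone data using the thread's placeholder addresses.
A_OLD = {"mail.mydomain.com": ["1.2.3.4"]}
A_NEW = {"mail.mydomain.com": ["1.2.3.3"]}
PTR_OLD = {"1.2.3.4": ["mail.mydomain.com"]}
PTR_NEW = {"1.2.3.3": ["mail.mydomain.com"]}

BEFORE = table_resolver(PTR_OLD, A_OLD)    # state described in the question
PTR_MOVED = table_resolver(PTR_NEW, A_OLD)  # PTR changed, A record left as is
AFTER = table_resolver(PTR_NEW, A_NEW)      # PTR and A record both on 1.2.3.3

if __name__ == "__main__":
    for label, r in (("before", BEFORE), ("ptr moved", PTR_MOVED), ("after", AFTER)):
        print(label, check_sending_ip("1.2.3.3", r))
```

Pass `system_resolver()` instead of a table resolver to run the same check against live DNS for the address the firewall actually sends from.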
ASKER CERTIFIED SOLUTION
Keith Alabaster
This solution is only available to members.
All set. Thanks!
I am having the same issue with the following configuration on a PIX running OS 4.4. What commands do I need to change to get reverse lookup working?

I think I want to change my MX record to point to 7.6.31.81 instead of 7.6.31.80, and divert SMTP to the Barracuda (192.168.90.7) from that IP address?

WAN 7.6.31.80:25 / LAN 192.168.90.7(barracuda) ->  WAN 7.6.31.81 / LAN 192.168.90.8 (Exchange)
THIS WORKS

How do I get 7.6.31.81:25 -> 192.168.90.7 (barracuda)
HOW?

PIX Settings:

static (inside,internet) 7.6.31.80 192.168.90.7 netmask 255.255.255.255 0 0
static (inside,internet) 7.6.31.81 192.168.90.3 netmask 255.255.255.255 0 0

conduit permit tcp host 7.6.31.80 eq smtp any
conduit permit tcp host 7.6.31.81 eq 143 any
conduit permit tcp host 7.6.31.81 eq 443 any
conduit permit tcp host 7.6.31.81 eq 993 any
conduit permit tcp host 7.6.31.81 eq 587 any

Thanks in advance