• Status: Solved

PIX 506e reverse lookup MX record with Barracuda

Hi,

We have a Barracuda spam appliance in our network. As you can see from the configuration of our PIX 506e below, e-mail is forwarded to the Barracuda (IP 10.10.10.12) and from there it is sent on to our mail server at 10.10.10.10. That works fine.

The firewall WAN address is 1.2.3.3
Our MX record for mail.mydomain.com resolves to public ip address 1.2.3.4
A PTR record exists for address 1.2.3.4 to mail.mydomain.com

But when we send mail from our mail server 10.10.10.10 it is sent via the firewall WAN address of 1.2.3.3, and as a consequence reverse lookup fails (it should return mail.mydomain.com). Therefore many mail servers reject our e-mail because of their policy that reverse lookup must succeed.

How do I configure my PIX so that:
1. Incoming mail will go to the Barracuda at 10.10.10.12
2. Outgoing mail from 10.10.10.10 will be sent via 1.2.3.4
3. AND I can still use the https service on the mail server?

This is my current configuration:
name 10.10.10.12 BARRACUDA
name 1.2.3.4 mail.mydomain.com
name 10.10.10.10 MAILSERVER

access-list outside_access_in permit tcp any host mail.mydomain.com eq smtp
access-list outside_access_in permit tcp any host mail.mydomain.com eq https

static (inside,outside) tcp mail.mydomain.com smtp BARRACUDA smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp mail.mydomain.com https MAILSERVER https netmask 255.255.255.255 0 0

Thanks,
Peter
 
petererik (Author) Commented:
Update:
I found out from Cisco that this is not possible because the PIX does not support Policy Based Routing. I would need a router to do this.
So what I am going to do is change these lines:
access-list outside_access_in permit tcp any host 1.2.3.3 eq smtp
access-list outside_access_in permit tcp any host 1.2.3.3 eq https

static (inside,outside) tcp 1.2.3.3 smtp BARRACUDA smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 1.2.3.3 https MAILSERVER https netmask 255.255.255.255 0 0

and change my mail.mydomain.com PTR record to 1.2.3.3

Peter
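
The reverse-lookup rejection discussed in this thread, as an added example that is not part of any participant's post: a forward-confirmed reverse DNS check of the kind a receiving mail server may apply to the connecting address. The record sets are constructed from the thread's placeholder addresses, the function names are hypothetical, and the states in which the PTR or A record has moved to 1.2.3.3 are assumptions.

```python
# Added example: forward-confirmed reverse DNS (FCrDNS) check on constructed data.
# The dicts stand in for DNS; addresses are the thread's placeholders.

def normalize(name):
    # DNS names are case-insensitive and may end with a trailing dot.
    return name.rstrip(".").lower()

def fcrdns(source_ip, zone):
    """Return (verdict, confirmed_names) for the connecting IP.

    zone = {"ptr": {ip: [names]}, "a": {name: [ips]}}
    no_ptr          - no PTR record at all for the source address
    ptr_unconfirmed - PTR exists, but its name does not resolve back to the IP
    confirmed       - PTR name resolves back to the source address
    """
    ptr_names = [normalize(n) for n in zone["ptr"].get(source_ip, [])]
    if not ptr_names:
        return "no_ptr", []
    a_records = {normalize(k): v for k, v in zone["a"].items()}
    confirmed = [n for n in ptr_names if source_ip in a_records.get(n, [])]
    return ("confirmed" if confirmed else "ptr_unconfirmed"), confirmed

# Constructed scenarios. Outbound mail leaves from the firewall WAN address.
SOURCE_IP = "1.2.3.3"
SCENARIOS = {
    # As first described: PTR and A only for 1.2.3.4.
    "original": {"ptr": {"1.2.3.4": ["mail.mydomain.com."]},
                 "a": {"mail.mydomain.com": ["1.2.3.4"]}},
    # PTR moved to 1.2.3.3, A record left behind (assumed intermediate state).
    "ptr_moved_only": {"ptr": {"1.2.3.3": ["mail.mydomain.com."]},
                       "a": {"mail.mydomain.com": ["1.2.3.4"]}},
    # PTR and A both on 1.2.3.3 (assumed end state).
    "ptr_and_a_moved": {"ptr": {"1.2.3.3": ["mail.mydomain.com."]},
                        "a": {"mail.mydomain.com": ["1.2.3.3"]}},
}

def evaluate_all():
    return {name: fcrdns(SOURCE_IP, zone)[0] for name, zone in SCENARIOS.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_all().items():
        print(f"{name:16} {SOURCE_IP} -> {verdict}")
```

Receivers that only require a PTR to exist accept the middle state; those that require the forward confirmation accept only the last one.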
 
Keith Alabaster Commented:
Is this call complete then Peter?
 
petererik (Author) Commented:
All set. Thanks!
 
James Glaubiger Commented:
I am having the same issue with the following configuration on a PIX running OS 4.4. What commands do I need to change to get reverse lookup working?

I think I want to change my MX record to point to 7.6.31.81 instead of 7.6.31.80, and divert SMTP to the Barracuda (192.168.90.7) from that IP address?

WAN 7.6.31.80:25 / LAN 192.168.90.7(barracuda) ->  WAN 7.6.31.81 / LAN 192.168.90.8 (Exchange)
THIS WORKS

How do I get 7.6.31.81:25 -> 192.168.90.7 (barracuda)
HOW?

PIX Settings:

static (inside,internet) 7.6.31.80 192.168.90.7 netmask 255.255.255.255 0 0
static (inside,internet) 7.6.31.81 192.168.90.3 netmask 255.255.255.255 0 0

conduit permit tcp host 7.6.31.80 eq smtp any
conduit permit tcp host 7.6.31.81 eq 143 any
conduit permit tcp host 7.6.31.81 eq 443 any
conduit permit tcp host 7.6.31.81 eq 993 any
conduit permit tcp host 7.6.31.81 eq 587 any

Thanks in advance