Outgoing emails fail to certain recipients, but not to others. Suspect Cisco PIX configuration is not allowing reverse lookups.
Posted on 2006-10-26
Firstly, a little about my system. I am using MS Small Business Server 2003, with f-secure proofpoint email gateway (it is fantastic!!!)and a Cisco PIX firewall. The proofpoing gateway is a recent addition and the problems started at the point that it was installed, and it is reasonable to point a finger either to that, or the changes made to the rest of the system in order to accommodate it - such as changes to the PIX.
Now the problem. I'm having some problems sending mail to certain addresses, where we get non-delivery receipts, often with custom worded error messages such as "sorry we don't accept mail from spammers" or "This system has been configured to reject your mail". I'm fairly sure that the problem is to do with certain mail systems performing reverse lookups, which are failing, but I'm a little unsure quite what to do about it.
Looking at a NDR received today, the sending address is 188.8.131.52 but our incoming mail is sent to 184.108.40.206; is this a common practice?
If I do a reverse lookup on 220.127.116.11, mail.prospec.co.uk is returned, but if I do a reverse lookup on 18.104.22.168 I get the response that there are no PTR records for this domain, which is understandable as this is the outgoing address.
I think it is a problem with the way in which the PIX is configured - it is not letting reverse lookups in.
It is important to note that I have made some recent changes to the PIX, and it is since those changes that the problems have started. To validate this, I have successfully sent a mail using the original PIX configuration, to a recipient that we get NDRs from when using the new PIX configuration, which proves that the problem is either a. a problem with the PIX configuration or b. a problem with the email gateway (f-secure proofpoint appliance), although I suspect it is the PIX.
The changes that I made were to accomodate the proofpoint appliance, where instead of all incoming traffic going to 10.0.0.2 (original configuration), I now filter smtp traffic and forward that to 10.0.0.3 (proofpoint appliance), and forward http to 10.0.0.2.
I guess that now that I am being specific about certain types of traffic, I must specifically allow reverse lookups in, but I haven't a clue where to start and can't find anything on the web.
The original PIX config used the following command to route traffic to the server "static (inside,outside) 22.214.171.124 10.0.0.2 netmask 255.255.255.255 0 0 ", but the changes that I have made routes smtp traffice to the email gateway and http to the server as follows "static (inside,outside) tcp 126.96.36.199 smtp 10.0.0.3 smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp 188.8.131.52 http 10.0.0.2 http netmask 255.255.255.255 0 0
static (inside,outside) tcp 184.108.40.206 https 10.0.0.2 https netmask 255.255.255.255 0 0 "
But, I don't understand why the reverse lookups worked in the first place - to 220.127.116.11 - because the only changes that I made were to the static commands, which did not include 18.104.22.168, but they did.
I look forward to a resolution to this problem, which may, or may not, be a problem with the PIX configuration - I may have got it badly wrong as this is not an area that I confess to being very knowledgable about.