w33mhz

asked on

Separate IP Address for outgoing SMTP traffic.

I would like to set up my Cisco PIX-515E to use a different IP address for outgoing SMTP traffic than all other outgoing traffic.  Is this possible?  Currently all traffic is using the same external IP address.  This is fine except for the fact that my MX record with my ISP is different than the actual IP address it is using.  I am currently set up to receive SMTP traffic for that MX record.  I would like to have my outgoing SMTP traffic use the address of my MX record, with all other traffic using the current IP address that everything is using now.
Jan Bacher

Is your mail server on its own machine behind the firewall, so that a single fixed static entry in and out for that machine will work, and does the public MX IP belong to the assigned IPs transiting through the PIX?
Hi

For the SMTP server to have its own exclusive IP address, it would need to have a separate static from the rest of the NATted traffic, i.e. you may see lines in your PIX config NATting traffic and using PAT to translate your SMTP server,
e.g.

nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
static (inside,outside) tcp interface 25 [smtp server] 25 netmask 255.255.255.255

In this example the whole internal network is NATted to the interface (which is the outside interface IP), as is the SMTP server.

You would need to change your SMTP translation to a different IP by removing the static above and entering:
static (inside,outside) [public ip] [smtp server] netmask 255.255.255.255

And change any related access-lists for this new address.  Do you have a free IP address to do this with?
hth
andrewmcgrath_au

Does it matter where mail leaves from? That's not a responsibility of MX records, is it? MX is for incoming mail and telling the world where to send it...

Just send it out via another net connection through another firewall / router? What's the drama :S?

Or you can just pass on mail to another SMTP server and have it deal with it, therefore not releasing your IP to the public (which I assume is why you are doing this?). They could, though, see the header info and where it originated from, but most likely that'd be an internal IP anyway, and in that case who cares.
I will try to talk to you from the server side, not from the PIX side: you can add an extra IP to the server and add a NAT command to the PIX to resolve the IP address that you added to the server.

ASKER

OK, to answer all the questions

Yes, it is on its own box.  Yes, I have an external IP I can give it.  The external IP address of the outgoing mail does NOT have to be the same as the MX record, but these days with all the spam firewalls and blacklisting, if your sending IP address doesn't match your MX you can (not saying definitely will) get classified as SPAM because the 2 aren't the same.  That is my "drama": we got blacklisted a week or so ago and I am still trying to clean up the residuals from that mess.  Now that we did get off the blacklist we still aren't free and clear.
Yes, I could try to pass the mail on to my ISP's mail server, but quite frankly I don't trust them, in the respect that my mail would get delivered in a timely manner.  I just had an incident the other day where I had to use other DNS servers for my forwarder instead of my ISP's because they were having issues with them, not an uncommon thing for them, but this is all beside the point.
I don't believe on my config there are any lines that state:
nat (inside) x.x.x.x 0.0.0.0  or
global (outside) 1 interface
but I will check again; I do miss things now and then.  I do think you are on to something with that though, I just really don't know the syntax for it very well.
If your MX server is not the same as your outbound relay server, you will not get blacklisted.  There are just too many companies and providers that split these functions with different [sets] of servers.

If you truly want to minimize spam:

1) Force all company traffic to use the relay mail server by blocking port 25 except to your own relay server
2) Use SPF records
3) Quickly follow-up on complaints and respond with a description on how you handled the offender
4) Make sure forward and inverse DNS for your outbound mail server match
5) If you're using a *nix mail relay server, optionally install MailScanner+Spamassassin+Clamav
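Item 4 above (forward and reverse DNS for the outbound mail server must agree) is the check receiving servers make as "forward-confirmed reverse DNS". The following is an added example, not code from this thread: it implements that check against resolver functions passed in, so it can run offline on the constructed PTR/A tables below (TEST-NET-3 addresses and hostnames that are placeholders, not anyone's real records) and can also be pointed at the live resolver via the socket module.

```python
import socket
from typing import Callable, Iterable, Tuple

# Constructed sample records (placeholders, not real DNS data).
# The MX address has a PTR that resolves back to itself; the ISP's generic
# PTR for the "everything else" address does not.
SAMPLE_PTR = {
    "203.0.113.25": ["mail.example.com"],
    "203.0.113.10": ["203-0-113-10.isp.example.net"],
}
SAMPLE_A = {
    "mail.example.com": ["203.0.113.25"],
    "203-0-113-10.isp.example.net": ["203.0.113.99"],
}


def check_fcrdns(ip: str,
                 lookup_ptr: Callable[[str], Iterable[str]],
                 lookup_a: Callable[[str], Iterable[str]]) -> Tuple[bool, str]:
    """Forward-confirmed reverse DNS: some PTR name of `ip` must have an A
    record that contains `ip` again. Returns (ok, explanation)."""
    try:
        names = list(lookup_ptr(ip))
    except OSError:
        names = []
    if not names:
        return False, f"{ip} has no PTR record"
    for name in names:
        try:
            addrs = list(lookup_a(name))
        except OSError:
            addrs = []
        if ip in addrs:
            return True, f"{ip} -> {name} -> {ip} (consistent)"
    return False, f"PTR name(s) {names} do not resolve back to {ip}"


def sample_ptr(ip: str):
    return SAMPLE_PTR.get(ip, [])


def sample_a(name: str):
    return SAMPLE_A.get(name, [])


# Live variants using the standard library (not used by the offline demo).
def live_ptr(ip: str):
    host, aliases, _ = socket.gethostbyaddr(ip)
    return [host] + list(aliases)


def live_a(name: str):
    return socket.gethostbyname_ex(name)[2]


if __name__ == "__main__":
    for ip in ("203.0.113.25", "203.0.113.10", "203.0.113.77"):
        print(check_fcrdns(ip, sample_ptr, sample_a))
```

Run the mail server's public address through `check_fcrdns(ip, live_ptr, live_a)` after the PIX change: if SMTP now leaves from the MX address and its PTR points back at it, the first element is `True`.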

ASKER

OK, like I said before I do miss things now and then, but here we go.
I have the following listed
global (outside) 2 x.x.x.x
global (outside) 3 InetServices
global (outside) 5 SMTPAccess
global (DMZ) 2 interface
nat (inside) 0 access-list nonat
nat (inside) 2 DSM_LAN 255.255.0.0 0 0
nat (inside) 2 WAN_Networks 255.255.0.0 0 0

The "SMTPAccess" is the address of my MX record, so I think I am halfway there already, but I need to do like Jesper suggested and block all SMTP traffic outbound except for my mail server.  But how do I force that allowed traffic to use a different IP address? Would the following cmd be correct to limit my SMTP traffic?

access-list mail permit ip host SMTPOut any

SMTPOut is the internal IP address of my mail server.
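The two pieces the asker is after, an inside ACL that only lets the mail server talk on port 25 and a translation that sends that traffic out on SMTPAccess while everything else keeps using global pool 2, are both expressed in PIX 6.x with a policy NAT entry (`nat (inside) 5 access-list ...` paired with the existing `global (outside) 5 SMTPAccess`). The following is an added example, not the accepted solution from this thread: a small Python model of how a PIX picks an outbound translation (nat 0 access-list first, then policy NAT, then regular NAT by most specific network), loaded with the asker's own nat/global lines plus the two added pieces. The IP values behind the names DSM_LAN, SMTPOut, SMTPAccess and `x.x.x.x`, the contents of the `nonat` ACL, and the ACL names `smtp_out` and `inside_in` are all constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

SERVICE_PORTS = {"smtp": 25, "www": 80, "https": 443, "domain": 53}

# Constructed stand-ins for the thread's 'name' entries (TEST-NET-3 addresses).
NAMES = {
    "DSM_LAN": "10.1.0.0",
    "SMTPOut": "10.1.0.25",        # internal mail server
    "SMTPAccess": "203.0.113.25",  # public IP in the MX record
    "x.x.x.x": "203.0.113.10",     # public IP everything uses today
}

CONFIG = """
! --- lines from the thread (names resolved through NAMES) ---
global (outside) 2 x.x.x.x
global (outside) 5 SMTPAccess
nat (inside) 0 access-list nonat
nat (inside) 2 DSM_LAN 255.255.0.0 0 0
! --- constructed guess at 'nonat': traffic to a VPN peer stays untranslated ---
access-list nonat permit ip DSM_LAN 255.255.0.0 10.2.0.0 255.255.0.0
! --- added: policy NAT so only SMTP from the mail server uses global pool 5 ---
access-list smtp_out permit tcp host SMTPOut any eq smtp
nat (inside) 5 access-list smtp_out
! --- added: block outbound port 25 from everything except the mail server ---
access-list inside_in permit tcp host SMTPOut any eq smtp
access-list inside_in deny tcp any any eq smtp
access-list inside_in permit ip any any
access-group inside_in in interface inside
"""


def _addr(tok):
    return NAMES.get(tok, tok)


def _net(tokens):
    """Parse 'any' | 'host X' | 'NET MASK'; return (network, tokens consumed)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[0] == "host":
        return ipaddress.ip_network(_addr(tokens[1]) + "/32"), 2
    return ipaddress.ip_network(f"{_addr(tokens[0])}/{tokens[1]}", strict=False), 2


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]

    def matches(self, src, dst, proto, dport):
        if self.proto not in ("ip", proto):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return src in self.src and dst in self.dst


@dataclass
class Pix:
    acls: dict = field(default_factory=dict)
    nats: list = field(default_factory=list)    # (nat_id, acl_name|None, network|None)
    pools: dict = field(default_factory=dict)   # nat_id -> outside global address
    inside_acl: Optional[str] = None

    def load(self, config):
        for raw in config.splitlines():
            t = raw.split("!")[0].split()
            if not t:
                continue
            if t[0] == "access-list":
                src, n = _net(t[4:])
                dst, m = _net(t[4 + n:])
                rest = t[4 + n + m:]
                dport = None
                if len(rest) >= 2 and rest[0] == "eq":
                    dport = SERVICE_PORTS.get(rest[1]) or int(rest[1])
                self.acls.setdefault(t[1], []).append(Ace(t[2], t[3], src, dst, dport))
            elif t[0] == "nat" and t[1] == "(inside)":
                if t[3] == "access-list":
                    self.nats.append((int(t[2]), t[4], None))
                else:
                    self.nats.append((int(t[2]), None, _net(t[3:5])[0]))
            elif t[0] == "global" and t[1] == "(outside)":
                self.pools[int(t[2])] = _addr(t[3])
            elif t[0] == "access-group" and t[2] == "in" and t[4] == "inside":
                self.inside_acl = t[1]
        return self

    def _permits(self, acl_name, pkt):
        for ace in self.acls.get(acl_name, []):
            if ace.matches(*pkt):
                return ace.action == "permit"
        return False  # implicit deny at the end of every ACL

    def outbound(self, src, dst, proto="tcp", dport=None):
        """Return the source address the packet leaves with, or DENIED."""
        pkt = (ipaddress.ip_address(_addr(src)), ipaddress.ip_address(_addr(dst)), proto, dport)
        if self.inside_acl and not self._permits(self.inside_acl, pkt):
            return "DENIED"
        for nat_id, acl, _ in self.nats:            # 1. nat 0 access-list: exempt
            if nat_id == 0 and acl and self._permits(acl, pkt):
                return str(pkt[0])
        for nat_id, acl, _ in self.nats:            # 2. policy NAT, config order
            if nat_id != 0 and acl and self._permits(acl, pkt):
                return self.pools[nat_id]
        best = None                                 # 3. regular NAT, most specific net
        for nat_id, _, net in self.nats:
            if net is not None and pkt[0] in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (nat_id, net)
        return self.pools[best[0]] if best else "NO-TRANSLATION"


if __name__ == "__main__":
    pix = Pix().load(CONFIG)
    for flow in [("SMTPOut", "198.51.100.5", "tcp", 25), ("SMTPOut", "198.51.100.5", "tcp", 80),
                 ("10.1.0.50", "198.51.100.5", "tcp", 25), ("10.1.0.50", "10.2.0.7", "tcp", 443)]:
        print(flow, "->", pix.outbound(*flow))
```

The model shows the property the asker wants: only port 25 from SMTPOut leaves on the MX address, the same host's web traffic still uses pool 2, port 25 from a workstation is dropped by the inside ACL, and anything matched by `nonat` is exempt from translation entirely. Because a PIX evaluates the nat 0 ACL before policy NAT, the order of those lines in the running config does not change the outcome.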
Are you asking how to create an ACL to limit outbound port 25 connections?

ASKER

Yes that is what I am asking.
SOLUTION
Jan Bacher

ASKER

Awesome, now how do I have all traffic with port 25 use a certain IP address?
Is port 25 traffic going to originate from more than one machine and is the IP that you want to use part of the public network block on the firewall?

ASKER

It is currently one machine.  I will have another later down the road.  I believe I can just use an object-group for that can't I?
ASKER CERTIFIED SOLUTION

ASKER

Thank you, I will try that out.