
Control which public IP exchange 2k3 uses to deliver mail?

David Williamson
on
275 Views
Last Modified: 2012-08-14
I have recently been getting reports from users that email messages are getting bounced back to us from some of our clients.  The most recent error says: "Your IP xxx.xxx.xxx.130 does not have a reverse DNS entry"

The way our network is set up currently is basically like this: T1 > Cisco > Watchguard Firebox (doing the NAT) >  and our handful of public IPs are assigned on its interface: .130 - .136.  A few months ago, we moved our mail server (and accompanying DNS & reverse DNS) from .130 to .132 because we set up a dedicated exchange 2k3 server.  But, apparently, when our server connects to another to deliver mail, the .130 address is showing up, which doesn't match our DNS or rDNS.

Any ideas on how I can fix this?  The MX, in case anyone wants to do some checking, is mail.wrightengineers.com

Commented:
It doesn't look like you have rDNS setup for 204.118.126.232.  When I do a reverse lookup I get
Pinging host-204-118-126-232.hemonc1.com [204.118.126.232].  
I also looked up the IP on arin.net and it showed it belonging to Sprintlink rather than pointing to your company.

Commented:
I also did a rDNS lookup at dnsstuff.com and got the following result (see link).  I would recommend contacting your ISP and having them set this up again.
http://www.dnsstuff.com/tools/ptr.ch?ip=204.118.126.232
David Williamson, IT Director

Author

Commented:
you've got the wrong IP: it's 204.118.126.132
David Williamson, IT Director

Author

Commented:
where did you look that up, btw?  If you looked up mail.wrightengineers.com, you wouldn't have gotten a .232 address...
Commented:
David Williamson, IT Director

Author

Commented:
it's the Firebox Core X500.  I was thinking the same thing.  I may have to pony up for the LiveSecurity subscription to even find out if that is possible.

Commented:
I can't find anything telling me how to configure that firewall and I'm not familiar with that brand.  I would recommend setting up a rDNS record for .130 first.  Point that to mail.wrightengineers.com and that should take care of your problem.
David Williamson, IT Director

Author

Commented:
will it matter that there are two rDNS entries that have two different public IPs pointing to the same domain name?

Commented:
No it doesn't.  Actually it doesn't matter what the rDNS entry is.  When servers look up the rDNS entry they are just trying to see if it is "owned" by someone and doesn't have the default entry.  This would be the case for companies who host their mail somewhere and thus share the same public IP with several others.
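As an added example (not code from this thread), here is the forward-confirmed reverse DNS check that receiving mail servers commonly apply to the connecting address; the bounce quoted in the question reports that check failing for the .130 address. The resolver is injected, so the code runs offline against a constructed zone that uses TEST-NET addresses (203.0.113.x) and example.com names, both assumptions; `live_lookup` shows how to plug in dnspython for a real query. The .135 entry in the constructed zone illustrates the asker's question about two reverse entries naming the same host: a PTR by itself is accepted as "has reverse DNS", but only the address that the name's A record resolves back to is forward-confirmed.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check, as a receiving MTA applies it
to the IP that connects to it on port 25.

Added example, not code from the thread.  The lookup function is injected so
the check runs offline against a constructed zone; `live_lookup` is a
dnspython-based replacement for checking a real address.
"""
import ipaddress
from typing import Callable, Dict, List

# A lookup takes (owner name, record type) and returns the answers, [] if none.
Lookup = Callable[[str, str], List[str]]


def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa owner name for an IPv4 address."""
    return ipaddress.ip_address(ip).reverse_pointer


def check_fcrdns(ip: str, lookup: Lookup) -> Dict[str, object]:
    """Return a verdict: whether a PTR exists and whether it is forward-confirmed."""
    ptrs = [p.rstrip(".").lower() for p in lookup(reverse_name(ip), "PTR")]
    verdict: Dict[str, object] = {
        "ip": ip, "ptr": ptrs, "has_ptr": bool(ptrs), "confirmed": False, "reason": "",
    }
    if not ptrs:
        # This is the state the bounce message in the question complains about.
        verdict["reason"] = "no PTR record for the connecting IP"
        return verdict
    for name in ptrs:
        if ip in lookup(name, "A"):
            verdict["confirmed"] = True
            verdict["reason"] = f"{name} resolves back to {ip}"
            return verdict
    verdict["reason"] = "PTR exists but its A record does not point back to the IP"
    return verdict


# Constructed zone (assumption): .130 has no PTR, .132 is the real mail host,
# .135 also claims the mail host's name but the name does not resolve to it.
CONSTRUCTED_ZONE = {
    ("132.113.0.203.in-addr.arpa", "PTR"): ["mail.example.com."],
    ("135.113.0.203.in-addr.arpa", "PTR"): ["mail.example.com."],
    ("mail.example.com", "A"): ["203.0.113.132"],
}


def constructed_lookup(name: str, rrtype: str) -> List[str]:
    """Offline resolver backed by the constructed zone above."""
    return CONSTRUCTED_ZONE.get((name.lower(), rrtype), [])


def live_lookup(name: str, rrtype: str) -> List[str]:
    """Real resolver using dnspython (pip install dnspython); not used offline."""
    import dns.resolver  # imported lazily so the offline example needs no extra package
    try:
        return [r.to_text() for r in dns.resolver.resolve(name, rrtype)]
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []


if __name__ == "__main__":
    for addr in ("203.0.113.130", "203.0.113.132", "203.0.113.135"):
        v = check_fcrdns(addr, constructed_lookup)
        print(addr, "PTR" if v["has_ptr"] else "no PTR", "confirmed" if v["confirmed"] else "not confirmed", "-", v["reason"])
```

Run it against the live resolver with `check_fcrdns("<public IP>", live_lookup)` from any host with outbound DNS; the thing to confirm after moving a mail server is that the address its outbound connections actually use (not just the one the MX record names) comes back `confirmed`.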
CERTIFIED EXPERT
Top Expert 2007

Commented:
As you wish to have reverse DNS working please use 1-1 NAT instead of having static NAT; let me explain:

By default WG would NAT anything going out using the external IP address; if you wish to have the FB send traffic out using specific IP address, then you can either configure 1-1 NAT or if you have WSM 9.0 in the policy itself you have the option to do that.

What version of WSM do you have? The actual steps would depend on the version of the software.

Please look at this article from WG website about 1-1 NAT, please note you would need to have username/password for WG site to login and view the article:
https://www.watchguard.com/support/faqs/fireware/91/set_up_1to1nat.htm

Also, note if you have WG software version 8.3.1 or higher; you might not configure 1-1 NAT but choose under Policy Properties->Advanced->NAT; Dynamic NAT, "All traffic in this policy" option and specify the public IP there.

Please implement and update.

Thank you.
David Williamson, IT Director

Author

Commented:
The version I am running currently is 7.4.1 build 2550.  Your idea sounds like exactly what I want to do.
David Williamson, IT Director

Author

Commented:
I went ahead and added a 1 to 1 NAT entry for the mail server.  How can I test it to verify that it's now using the correct public IP for mail traffic?
CERTIFIED EXPERT
Top Expert 2007

Commented:
On the mail server go to any website which shows the IP address, eg., http://www.whatismyip.com/

You should see the IP address listed as the 1-1 NAT IP and not the external IP of the FB.

Please check and update.

Thank you.
David Williamson, IT Director

Author

Commented:
I did that check from the mail server, and still got the .130 address.  I was hoping to see the .132.  Here is a screenshot of the setting in the firebox:

http://www.wrightengineers.com/screenshots/1to1nat.gif

That seems right, doesn't it?
David Williamson, IT Director

Author

Commented:
Although, hold on; that site shows the IP for port 80.  Does that make a difference?  I suppose the 1 to 1 nat should NAT for all traffic to and from that IP...
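Added example, not code from this thread: a check of the source address on port 25 itself, since a "what is my IP" web page only reports the address used for port 80 and firewall NAT rules can differ per service. It relies on the remote mail server echoing the client address in its EHLO greeting line (Sendmail-style and Exchange greetings do, in the form `Hello [a.b.c.d]`); that is an assumption about the peer, and the host name and sample reply below are constructed so the parsing can be exercised offline.

```python
"""Which public address does an outbound SMTP connection really leave from?

Added example, not from the thread.  Connects to a remote MTA on port 25,
sends EHLO and parses the client address many servers echo in the greeting.
The remote host name is a placeholder; the sample reply is constructed.
"""
import re
import smtplib
from typing import Optional

_BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_ehlo_client_ip(ehlo_message: bytes) -> Optional[str]:
    """Extract the client IP from the first line of an EHLO reply.

    smtplib.SMTP.ehlo() returns (code, message); message holds the greeting
    line followed by the extension lines, joined with newlines.
    """
    first_line = ehlo_message.split(b"\n", 1)[0].decode("ascii", "replace")
    match = _BRACKETED_IPV4.search(first_line)
    return match.group(1) if match else None


def observed_smtp_source_ip(remote_mx: str, helo_name: str, timeout: float = 10.0) -> Optional[str]:
    """Connect on port 25, send EHLO, and return the address the peer saw us as.

    Returns None if the peer does not echo the client address; the peer's own
    logs or a capture on the firewall's external interface are the fallback.
    """
    with smtplib.SMTP(remote_mx, 25, timeout=timeout) as conn:
        code, message = conn.ehlo(helo_name)
        if code != 250:
            return None
        return parse_ehlo_client_ip(message)


def nat_source_matches(observed: Optional[str], expected: str) -> bool:
    """True when the address seen on port 25 is the one the PTR/MX records describe."""
    return observed == expected


# Constructed EHLO reply (TEST-NET address), in the Sendmail greeting style.
SAMPLE_EHLO_REPLY = (
    b"mx.example.net Hello [203.0.113.130], pleased to meet you\n"
    b"SIZE 52428800\n"
    b"8BITMIME\n"
    b"STARTTLS\n"
)

if __name__ == "__main__":
    # Offline demonstration on the constructed reply; for a live check use
    # observed_smtp_source_ip("mx.example.net", "mail.example.com").
    seen = parse_ehlo_client_ip(SAMPLE_EHLO_REPLY)
    print("peer saw us as", seen, "- matches .132?", nat_source_matches(seen, "203.0.113.132"))
```

Run `observed_smtp_source_ip` from the mail server itself so the connection passes through the same firewall policy that real outbound mail uses; a result of .130 where .132 is expected means the 1-1 NAT or its dynamic NAT exception is not being applied to port 25 traffic.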
CERTIFIED EXPERT
Top Expert 2007
Commented:
CERTIFIED EXPERT
Top Expert 2007

Commented:
Please also make sure that the .132 IP is not listed in the alias under external; in Policy Manager go to Network->Configuration; under External Interface click Aliases button; if .132 is listed here you would need to remove it.

Please note one single IP can either be used in 1-1 NAT or in alias not both; if you have any dependency then that would need to be taken care of.

Thank you.
David Williamson, IT Director

Author

Commented:
yes!  Whatismyip worked; it now shows the right public IP.  I was missing that last step, the dynamic NAT exceptions.  That being the case, I think this issue is solved.  Thx dpk_wal!
David Williamson, IT Director

Author

Commented:
I seem to have run into another issue with this...

Upon doing those settings above, the correct public IP was showing up, but with .132 set in 1 to 1 NAT, the exchange server can't SMTP to any other.  Could it have something to do with the dynamic NAT exclusion setting?  If I take the 1 to 1 NAT setting out, as well as the dynamic NAT exception, a telnet to another mail server works.  Any ideas?
CERTIFIED EXPERT
Top Expert 2007

Commented:
This should not be the case because we are configuring 1-1 NAT; please advise how you have configured the outgoing SMTP service; you can configure it as:
Outgoing Enabled and Allowed
From Any [if you wish any host on the internal network to be able to connect to outside SMTP server] OR
         192.16833.210 [if you wish to allow only your Exchange server to make outbound connections]
To Any

I tried mx/ns/a record lookup on your domain and everything looks good; also telnet on port 25 is going through and giving the banner; just for reference I tried from IP 122.167.1.200. The settings appear fine.

I would like to know what happens when you telnet to another mail server: do you get a blank screen or a connection time out?

Have you made sure that there is no alias under external for the .132 IP address? When we do 1-1 NAT we are telling the FB that all incoming traffic on .132 should be forwarded to the .210 IP, if allowed; and we need NAT exceptions, otherwise the packets would continue going out using the .130 IP address. So, we need both settings for the job.
Also, what are the results if you do nslookup, traceroute and pathping for those mail servers?

Please check and advise.
David Williamson, IT Director

Author

Commented:
I missed the alias part, and I removed .132 from the external.  The outgoing SMTP is Any Any.  The incoming is .132 > .210; is that correct?

Telnetting gives me a connection timeout, but I am about to try it after removing the alias...will advise.
David Williamson, IT Director

Author

Commented:
well, that must have been it, because now the telnet works, the public IP still shows up as .132 to the outside world, and mail is flowing in and out.  Thanks again!  Strange how the alias setting is what was preventing all that...
CERTIFIED EXPERT
Top Expert 2007

Commented:
As you have removed alias; there is no way you can setup incoming as .132->.210; I think you should have now configured incoming as:
Enabled and Allowed; From Any; to .132

Good to know that the emails are flowing in and out! :)
David Williamson, IT Director

Author

Commented:
This setting seems to be working, though: http://www.wrightengineers.com/screenshots/firebox_smtp.gif

Again, thank you for all your help!  I would have had to throw down a big chunk of money to renew my Live Security subscription for Watchguard tech support.
CERTIFIED EXPERT
Top Expert 2007

Commented:
As you have removed the alias and have not modified the SMTP service, the settings remain the way they are; if you were to delete the entry from the To box you would not be able to add it again this way [due to the absence of the alias]; after this the only option left to you would be to click Add, Add Other, and then add the public IP .132.

If fine with you, keep the settings the way they are.

Regards,
Deepak
