David Williamson
asked on
Control which public IP exchange 2k3 uses to deliver mail?
I have recently been getting reports from users that email messages are getting bounced back to us from some of our clients. The most recent error says: "Your IP xxx.xxx.xxx.130 does not have a reverse DNS entry"
The way our network is set up currently is basically like this: T1 > Cisco > Watchguard Firebox (doing the NAT) > and our handful of public IPs are assigned on its interface: .130 - .136. A few months ago, we moved our mail server (and accompanying DNS & reverse DNS) from .130 to .132 because we set up a dedicated exchange 2k3 server. But, apparently, when our server connects to another to deliver mail, the .130 address is showing up, which doesn't match our DNS or rDNS.
Any ideas on how I can fix this? The MX, in case anyone wants to do some checking, is mail.wrightengineers.com
I also did a rDNS lookup at dnsstuff.com and got the following result (see link). I would recommend contacting your ISP and having them set this up again.
http://www.dnsstuff.com/tools/ptr.ch?ip=204.118.126.232
ASKER
you've got the wrong IP: it's 204.118.126.132
ASKER
where did you look that up, btw? If you looked up mail.wrightengineers.com, you wouldn't have gotten a .232 address...
SOLUTION
ASKER
it's the Firebox Core X500. I was thinking the same thing. I may have to pony up for the live security subscription to even find out if that is possible.
I can't find anything telling me how to configure that firewall and I'm not familiar with that brand. I would recommend setting up a rDNS record for .130 first. Point that to mail.wrightengineers.com and that should take care of your problem.
ASKER
will it matter that there are two rDNS entries that have two different public IPs pointing to the same domain name?
No it doesn't. Actually it doesn't matter what the rDNS entry is. When servers look up the rDNS entry they are just trying to see if it is "owned" by someone and doesn't have the default entry. This would be the case for companies who host their mail somewhere and thus share the same public IP with several others.
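The check a receiving mail server runs when it produces a bounce like the one in the question is forward-confirmed reverse DNS: PTR lookup on the connecting IP, then A/AAAA lookup on the PTR name to confirm it points back at the same IP, optionally compared with the hostname the sender advertises. The script below is an added example, not code from this thread or from WatchGuard; the hostnames, the RFC 5737 documentation addresses and the offline zone data are constructed so it runs without network access, and `SystemResolver` is included so the same check can be run against live DNS.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for an outbound mail IP.

Added example, not code from the original thread. Hostnames, addresses and the
resolver classes below are assumptions/constructed for illustration.
"""
import socket
from typing import Dict, List, Optional


def _norm(name: str) -> str:
    """Normalise a DNS name for comparison: lowercase, no trailing dot."""
    return name.rstrip(".").lower()


class OfflineResolver:
    """Resolver over constructed in-memory data so the example runs offline."""

    def __init__(self, ptr: Dict[str, List[str]], addr: Dict[str, List[str]]):
        self._ptr = ptr
        self._addr = {_norm(k): v for k, v in addr.items()}

    def ptr(self, ip: str) -> List[str]:
        return list(self._ptr.get(ip, []))

    def addr(self, name: str) -> List[str]:
        return list(self._addr.get(_norm(name), []))


class SystemResolver:
    """Live resolver using only the standard library (no dnspython needed)."""

    def ptr(self, ip: str) -> List[str]:
        try:
            host, _aliases, _ips = socket.gethostbyaddr(ip)
            return [host]
        except (socket.herror, socket.gaierror):
            return []

    def addr(self, name: str) -> List[str]:
        try:
            return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None)})
        except socket.gaierror:
            return []


# Constructed sample data modelling the situation in the thread (documentation
# addresses, RFC 5737): .132 is the intended mail IP with a correct PTR, .130 is
# the firewall's external IP with no PTR, .133 has a PTR that does not confirm.
SAMPLE_RESOLVER = OfflineResolver(
    ptr={
        "198.51.100.132": ["mail.example.net"],
        "198.51.100.133": ["other.example.org"],
    },
    addr={
        "mail.example.net": ["198.51.100.132"],
        "other.example.org": ["203.0.113.9"],
    },
)


def check_fcrdns(ip: str, expected_host: Optional[str] = None,
                 resolver=SAMPLE_RESOLVER) -> dict:
    """Run the three checks a receiving MTA typically applies to a sender IP.

    1. PTR lookup on the IP.
    2. Each PTR name must resolve forward to an address set containing the IP.
    3. If expected_host is given (the MX/HELO name), one PTR name must equal it.
    """
    result = {"ip": ip, "ptr": [], "forward_confirmed": False,
              "matches_expected": None, "problems": []}
    names = resolver.ptr(ip)
    result["ptr"] = names
    if not names:
        result["problems"].append("no PTR record for %s" % ip)
        return result
    # Forward confirmation: at least one PTR name must map back to the IP.
    result["forward_confirmed"] = any(ip in resolver.addr(n) for n in names)
    if not result["forward_confirmed"]:
        result["problems"].append("PTR name(s) do not resolve back to %s" % ip)
    if expected_host is not None:
        result["matches_expected"] = _norm(expected_host) in {_norm(n) for n in names}
        if not result["matches_expected"]:
            result["problems"].append("PTR does not name %s" % expected_host)
    return result


if __name__ == "__main__":
    for candidate in ("198.51.100.130", "198.51.100.132", "198.51.100.133"):
        r = check_fcrdns(candidate, "mail.example.net")
        print(candidate, "OK" if not r["problems"] else "; ".join(r["problems"]))
```

Running it against the constructed data reports the .130 address as having no PTR (the bounce in the question), .132 as fully confirmed, and .133 as having a PTR that does not forward-confirm. To test a real outbound IP, pass `SystemResolver()` as the resolver and the MX hostname as `expected_host`.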
As you wish to have reverse DNS working please use 1-1 NAT instead of having static NAT; let me explain:
By default WG would NAT anything going out using the external IP address; if you wish to have the FB send traffic out using a specific IP address, then you can either configure 1-1 NAT or, if you have WSM 9.0, in the policy itself you have the option to do that.
What is the version of WSM you have? The actual steps would depend on the version of the software.
Please look at this article from the WG website about 1-1 NAT; please note you would need a username/password for the WG site to log in and view the article:
https://www.watchguard.com/support/faqs/fireware/91/set_up_1to1nat.htm
Also, note if you have WG software version 8.3.1 or higher, you might not configure 1-1 NAT but choose, under Policy Properties->Advanced->NAT, Dynamic NAT, the "All traffic in this policy" option and specify the public IP there.
Please implement and update.
Thank you.
ASKER
The version I am running currently is 7.4.1 build 2550. Your idea sounds like exactly what I want to do.
ASKER
I went ahead and added a 1 to 1 NAT entry for the mail server. How can I test it to verify that it's now using the correct public IP for mail traffic?
On the mail server go to any website which shows the IP address, eg., http://www.whatismyip.com/
You should see the IP address listed as the 1-1 NAT IP and not the external IP of the FB.
Please check and update.
Thank you.
ASKER
I did that check from the mail server, and still got the .130 address. I was hoping to see the .132. Here is a screenshot of the setting in the firebox:
http://www.wrightengineers.com/screenshots/1to1nat.gif
That seems right, doesn't it?
ASKER
Although, hold on; that site shows the IP for port 80. Does that make a difference? I suppose the 1 to 1 nat should NAT for all traffic to and from that IP...
ASKER CERTIFIED SOLUTION
Please also make sure that the .132 IP is not listed in the alias under external; in Policy Manager go to Network->Configuration; under External Interface click Aliases button; if .132 is listed here you would need to remove it.
Please note one single IP can either be used in 1-1 NAT or in alias not both; if you have any dependency then that would need to be taken care of.
Thank you.
ASKER
yes! Whatismyip worked; it now shows the right public IP. I was missing that last step, the dynamic NAT exceptions. That being the case, I think this issue is solved. Thx dpk_wal!
ASKER
I seem to have run into another issue with this...
Upon doing those settings above, the correct public IP was showing up, but with .132 set in 1 to 1 NAT, the exchange server can't smtp to any other. Could it have something to do with the dynamic NAT exclusion setting? If i take the 1 to 1 NAT setting out, as well as the dynamic NAT exception, a telnet to another mail server works. Any ideas?
This should not be the case because we are configuring 1-1 NAT; please advise how you have configured the outgoing SMTP service; you can configure it as:
Outgoing Enabled and Allowed
From Any [if you wish any host on the internal network to be able to connect to outside SMTP server] OR
192.16833.210 [if you wish to allow only your Exchange server to make outbound connections]
To Any
I tried mx/ns/a record lookup on your domain and everything looks good; also telnet on port 25 is going through and giving the banner; just for reference I tried from IP 122.167.1.200. The settings appear fine.
I would like to know what happens when you telnet to another mail server; do you get a blank screen or a connection time out?
Have you made sure that there is no alias under external for the .132 IP address. When we do 1-1 NAT we are telling FB that all incoming traffic on .132 should be forwarded to .210 IP, if allowed; and need NAT exceptions otherwise the packets would continue going out using .130 IP address. So, we need both the settings for the job.
Also, what are the results if you do nslookup, traceroute and pathping for those mail servers?
Please check and advise.
ASKER
I missed the alias part, and I removed .132 from the external. The outgoing smtp is Any Any. the incoming is .132 > .210; is that correct?
Telnetting gives me a connection timeout, but I am about to try it after removing the alias...will advise.
ASKER
well, that must have been it, because now the telnet works, the public IP still shows up as .132 to the outside world, and mail is flowing in and out. Thanks again! Strange how the alias setting is what was preventing all that...
As you have removed alias; there is no way you can setup incoming as .132->.210; I think you should have now configured incoming as:
Enabled and Allowed; From Any; to .132
Good to know that the emails are flowing in and out! :)
ASKER
This setting seems to be working, though: http://www.wrightengineers.com/screenshots/firebox_smtp.gif
Again, thank you for all your help! I would have had to throw down a big chunk of money to renew my Live Security subscription for Watchguard tech support.
As you have removed the alias and have not modified the SMTP service, the settings remain the way they are; if you were to delete the entry from the To box you would not be able to add it again this way [due to the absence of the alias]; after this the only option left to you would be to click Add, Add Other, and then add the public IP .132.
If fine with you, keep the settings the way they are.
Regards,
Deepak
Pinging host-204-118-126-232.hemon
I also looked up the IP on arin.net and it showed it belonging to Sprintlink rather than pointing to your company.