ASA and setting outbound email IP

Posted on 2007-10-05
Medium Priority
Last Modified: 2010-04-09
We are using the Cisco ASA and using Exchange server.  Currently our MX record points to another server that forwards mail to the inside Exchange server.  What I want to do is make that when mail is sent out from Exchange that the ASA uses the same IP as what's on the MX record instead of the firewall IP.  This is to make sure that any email servers that do reverse MX lookups will accept our mail properly.  How would I best accomplish this via NAT - would I make a global pool for the outside IP?  I thought a static one to one would work but I'm not sure that's correct.  I get a little confused when talking about Dynamic NAT since I thought Dynamic was one to many and I would think a NAT from the Exchange server to an outside IP would be one to one?  I'm probably confusing myself the more I type - any suggestions greatly appreciated!!
Question by:entserv
LVL 36

Expert Comment

ID: 20022119
What you are asking is not necessary. The only important thing is that when your server sends mail outside the name it gives in the HELO/EHLO command matches the IP address it is connecting from. A reverse DNS lookup on the IP should also refer back to the same name.
Having a different set of servers for receiving and sending mail is extremely common and so it would not be expected that the server sending mail from a domain would be in the MX list for that domain.

How would you like to proceed?
If you post your PIX configuration I can give you the commands to do as you originally asked or if you are having a problem with some of your mail being classed as spam or rejected I can help you out with that as well.

Author Comment

ID: 20022158
Well that's what I would have expected too.  What I believe happened - and this was a few years ago - but we had problems sending emails to AOL (I'm porting over the setup from another firewall to the ASA).  After a little investigation I saw some information that indicated that AOL would only accept email from a site where the MX record is the same as the outbound email IP.  Once we changed that we had no difficulty.  I believe that was the only provider we had issues with.  I believe it was related to trying to combat spam - perhaps that's been changed now.  Does this make sense what I'm describing?
LVL 36

Expert Comment

ID: 20022241
It is possible. If it was a few years ago then it would definitely have changed since SPF has been established since then and AOL would use it. SPF is where you publish a list of machines which are permitted to send email from your domain. Any mail pretending to be from your domain which does not come from a machine in that list can be rejected.

I have links and some info about this on my website at http://www.gbnetwork.co.uk:/mailscanner (whitelist section).
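
The two checks discussed in the comments above (the HELO name agreeing with forward and reverse DNS for the connecting IP, and SPF listing the sending machine), as an added example that is not part of the original thread. All names, addresses and DNS records are constructed (example.com and documentation IP ranges), and the SPF evaluator is a simplified subset covering only `ip4`, `a`, `mx` and `all`.

```python
import ipaddress

# Constructed DNS data: the MX host and the outbound (NAT) address differ,
# as in the setup described in the question.
DNS = {
    "A":   {"mail-out.example.com": ["192.0.2.25"], "mx1.example.com": ["198.51.100.10"]},
    "PTR": {"192.0.2.25": ["mail-out.example.com"], "192.0.2.1": ["fw.example.com"]},
    "MX":  {"example.com": ["mx1.example.com"]},
    "TXT": {"example.com": ["v=spf1 mx ip4:192.0.2.25 -all"]},
}

def lookup(rtype, name):
    return DNS[rtype].get(name.rstrip(".").lower(), [])

def fcrdns(ip, helo):
    """True if the HELO name is a PTR name of ip and resolves forward to ip."""
    helo = helo.rstrip(".").lower()
    return helo in lookup("PTR", ip) and ip in lookup("A", helo)

def spf_result(ip, domain):
    """Evaluate a simplified SPF subset (ip4, a, mx, all) for ip."""
    addr = ipaddress.ip_address(ip)
    records = [t for t in lookup("TXT", domain) if t.lower().startswith("v=spf1")]
    if len(records) != 1:
        return "none" if not records else "permerror"
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            matched = True
        elif mech.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(mech[4:], strict=False)
        elif mech == "mx":
            matched = any(ip in lookup("A", h) for h in lookup("MX", domain))
        elif mech == "a":
            matched = ip in lookup("A", domain)
        else:
            continue  # anything outside this subset is skipped (assumption)
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"

def check_sender(ip, helo, mail_from_domain):
    """Summarise both checks for one outbound connection."""
    return {"fcrdns": fcrdns(ip, helo), "spf": spf_result(ip, mail_from_domain)}
```

With this data, mail leaving from 192.0.2.25 passes both checks even though that address is not the MX host, while the same HELO name presented from the firewall address 192.0.2.1 fails both.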
Author Comment

ID: 20022358
We do have an SPF record so I think I'll see if that alone is enough, otherwise maybe I can check back later and go from there.  AOL has always been a tough provider to email to so it wouldn't surprise me if things are different now than even a few months ago.  Thanks for the help!
LVL 36

Accepted Solution

grblades earned 200 total points
ID: 20022400
AOL are not that bad. You can register with their spam complaints department and any mail that you send which people class as spam gets reported to you as well so you can go through and remove them from mailing lists manually.

Hotmail are by far the worst. They can decide to start classifying you as a spammer and all mail gets accepted and automatically deleted without going into the user spam folder. They refuse to whitelist or give any information why the sender is being blocked. I have seen a few people having Hotmail issues like this.

Expert Comment

ID: 20370049
Forced accept.

EE Admin

Question has a verified solution.
