entserv
ASA and setting outbound email IP
We are using the Cisco ASA and using Exchange server. Currently our MX record points to another server that forwards mail to the inside Exchange server. What I want to do is make that when mail is sent out from Exchange that the ASA uses the same IP as what's on the MX record instead of the firewall IP. This is to make sure that any email servers that do reverse MX lookups will accept our mail properly. How would I best accomplish this via NAT - would I make a global pool for the outside IP? I thought a static one to one would work but I'm not sure that's correct. I get a little confused when talking about Dynamic NAT since I thought Dynamic was one to many and I would think a NAT from the Exchange server to an outside IP would be one to one? I'm probably confusing myself the more I type - any suggestions greatly appreciated!!
ASKER
Well that's what I would have expected too. What I believe happened - and this was a few years ago - but we had problems sending emails to AOL (I'm porting over the setup from another firewall to the ASA). After a little investigation I saw some information that indicated that AOL would only accept email from a site where the MX record is the same as the outbound email IP. Once we changed that we had no difficulty. I believe that was the only provider we had issues with. I believe it was related to trying to combat spam - perhaps that's been changed now. Does this make sense what I'm describing?
It is possible. If it was a few years ago then it would definitely have changed since SPF has been established since then and AOL would use it. SPF is where you publish a list of machines which are permitted to send email from your domain. Any mail pretending to be from your domain which does not come from a machine in that list can be rejected.
I have links and some info about this on my website at http://www.gbnetwork.co.uk:/mailscanner (whitelist section).
ASKER
We do have an SPF record so I think I'll see if that alone is enough, otherwise maybe I can check back later and go from there. AOL has always been a tough provider to email to so it wouldn't surprise me if things are different now than even a few months ago. Thanks for the help!
Forced accept.
Computer101
EE Admin
Having a different set of servers for receiving and sending mail is extremely common and so it would not be expected that the server sending mail from a domain would be in the MX list for that domain.
How would you like to proceed?
If you post your PIX configuration I can give you the commands to do as you originally asked, or if you are having a problem with some of your mail being classed as spam or rejected I can help you out with that as well.
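Added example, not part of the thread and not any poster's code: a small Python sketch of the SPF check the answers describe, showing that a receiver judges the outbound (post-NAT) address against the published SPF list, not against the MX record. The domain, addresses and records are constructed samples, and only the `ip4`, `ip6`, `mx` and `all` mechanisms are handled (no `include`, `a`, `redirect` or macros).

```python
import ipaddress

# Constructed sample data (documentation ranges); not taken from the thread.
MX_HOSTS = {"example.com": ["198.51.100.10"]}   # inbound relay the MX record points to
FIREWALL_IP = "203.0.113.1"                     # ASA outside interface (default PAT address)
EXCHANGE_NAT_IP = "203.0.113.25"                # dedicated one-to-one NAT for Exchange
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(record, sender_ip, domain, mx_hosts=MX_HOSTS):
    """Evaluate a subset of SPF left to right; the first matching mechanism wins."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                            # no usable SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                          # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif name == "mx":
            hosts = mx_hosts.get(arg or domain, [])
            matched = ip in {ipaddress.ip_address(h) for h in hosts}
        else:
            continue                             # mechanism outside this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                             # nothing matched and no "all"

def compare_records(domain="example.com"):
    """Result per (record, outbound IP): MX-only record vs. one listing the NAT IP."""
    records = ["v=spf1 mx -all", "v=spf1 mx ip4:203.0.113.25 -all"]
    return {(r, ip): check_spf(r, ip, domain)
            for r in records for ip in (FIREWALL_IP, EXCHANGE_NAT_IP)}

if __name__ == "__main__":
    for (record, ip), result in compare_records().items():
        print(f"{record!r:40} from {ip:15} -> {result}")
```

With the MX-only record both outbound addresses fail; listing the Exchange NAT address in the record makes that address pass while the MX host stays a separate machine.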