entserv

ASA and setting outbound email IP

We are using the Cisco ASA and using Exchange server.  Currently our MX record points to another server that forwards mail to the inside Exchange server.  What I want to do is make that when mail is sent out from Exchange that the ASA uses the same IP as what's on the MX record instead of the firewall IP.  This is to make sure that any email servers that do reverse MX lookups will accept our mail properly.  How would I best accomplish this via NAT - would I make a global pool for the outside IP?  I thought a static one to one would work but I'm not sure that's correct.  I get a little confused when talking about Dynamic NAT since I thought Dynamic was one to many and I would think a NAT from the Exchange server to an outside IP would be one to one?  I'm probably confusing myself the more I type - any suggestions greatly appreciated!!
grblades

What you are asking is not necessary. The only important thing is that when your server sends mail outside, the name it gives in the HELO/EHLO command matches the IP address it is connecting from. A reverse DNS lookup on the IP should also refer back to the same name.
Having a different set of servers for receiving and sending mail is extremely common and so it would not be expected that the server sending mail from a domain would be in the MX list for that domain.


How would you like to proceed?
If you post your pix configuration I can give you the commands to do as you originally asked, or if you are having a problem with some of your mail being classed as spam or rejected I can help you out with that as well.
entserv

ASKER

Well that's what I would have expected too.  What I believe happened - and this was a few years ago - but we had problems sending emails to AOL (I'm porting over the setup from another firewall to the ASA).  After a little investigation I saw some information that indicated that AOL would only accept email from a site where the MX record is the same as the outbound email IP.  Once we changed that we had no difficulty.  I believe that was the only provider we had issues with.  I believe it was related to trying to combat spam - perhaps that's been changed now.  Does this make sense what I'm describing?
It is possible. If it was a few years ago then it would definitely have changed since SPF has been established since then and AOL would use it. SPF is where you publish a list of machines which are permitted to send email from your domain. Any mail pretending to be from your domain which does not come from a machine in that list can be rejected.

I have links and some info about this on my website at http://www.gbnetwork.co.uk:/mailscanner (whitelist section).
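
Added example (not part of the thread and not any poster's code): the checks described in the replies above, run against constructed DNS data, showing a sending host that is not in the MX list yet passes both the HELO/reverse-DNS check and SPF. The hostnames, addresses and SPF record are assumptions using example.com and documentation address ranges; only the ip4, a, mx and all mechanisms are evaluated.

```python
import ipaddress

# Constructed DNS data (example.com, documentation IP ranges); not from the thread.
DNS = {
    "A": {"mail-out.example.com": ["203.0.113.25"],
          "mx-in.example.com": ["203.0.113.10"]},
    "PTR": {"203.0.113.25": "mail-out.example.com"},
    "MX": {"example.com": ["mx-in.example.com"]},
    "TXT": {"example.com": "v=spf1 mx ip4:203.0.113.25 -all"},
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def is_listed_mx(ip, domain):
    """True if ip belongs to one of the domain's MX hosts."""
    return any(ip in DNS["A"].get(h, []) for h in DNS["MX"].get(domain, []))

def fcrdns_ok(ip, helo):
    """PTR of the connecting IP must equal the HELO name and resolve back to ip."""
    ptr = DNS["PTR"].get(ip)
    return (ptr is not None and ptr.lower() == helo.lower()
            and ip in DNS["A"].get(ptr, []))

def spf_result(ip, domain):
    """Evaluate the ip4, a, mx and all mechanisms of the domain's SPF record."""
    terms = DNS["TXT"].get(domain, "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in DNS["A"].get(arg or domain, [])
        elif name == "mx":
            matched = is_listed_mx(ip, arg or domain)
        else:
            continue  # include, exists, ptr and modifiers are not evaluated here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"

if __name__ == "__main__":
    for ip, helo in [("203.0.113.25", "mail-out.example.com"),
                     ("198.51.100.7", "mail-out.example.com")]:
        print(ip, "in MX:", is_listed_mx(ip, "example.com"),
              "FCrDNS:", fcrdns_ok(ip, helo), "SPF:", spf_result(ip, "example.com"))
```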
entserv

ASKER

We do have an SPF record so I think I'll see if that alone is enough, otherwise maybe I can check back later and go from there.  AOL has always been a tough provider to email to so it wouldn't surprise me if things are different now than even a few months ago.  Thanks for the help!
ASKER CERTIFIED SOLUTION
grblades
Forced accept.

Computer101
EE Admin