sonicwall tz170 - How do I configure email server public IP

I am having problems with emails being treated as spam when sent to recipients with a Yahoo account.  I have noticed that Yahoo tags the "X-YahooFilteredBulk" and "X-Originating-IP" as xx.xx.xx.190 (which is our public NAT address) when the emails are actually coming from xx.xx.xx.157.  (This IP, xx.157, is also the IP that our MX record points to.)

How do I configure the tz170 to make it so that Yahoo (and others) see the emails as coming from  xx.xx.xx.157 and not xx.xx.xx.190??  (I have an address object and a NAT policy, see below.)

Addr-Obj.JPG
NAT-Policy.JPG
grhelm Asked:

ClintSwiney Commented:
Can we get more information regarding how you have your network set up?

You specified that the public NAT address is x.190 and the Server is x.157 + the Server Private Address address...

Why do you have a public IP address routed via NAT to Email Server Public IP then to Server Private Address?

If you send E-mail to any server it cannot "see" past your NAT, nor will it ever look, all it does is "ask" the connecting computer what its identity (IP Address) is, it's going to be your Public NAT address every time, whatever you have set up for your WAN IP.

There is no way to spoof this inside the Sonicwall device that I'm aware of.

In order to communicate from the e-mail server as x.157 it needs to have that IP address directly connected to it and send SMTP messages directly from there, not through a NAT.



grhelm (Author) Commented:

Thanks for the response!

I don't know why this was set up the way it was.  (I did not set it up.)

How does the receiving computer ask the identity of the sending one?  If you ping smtp.xxxxx.com (the email server associated with the MX record for our domain), it responds with the xx.157 address.  I don't think I am trying to spoof an IP because this is actually the IP associated with the email server.  It seems more like I am trying to punch a hole through so that externally, xx.157 is recognized as the sender.  (Of course, I could be just clueless on this as I really don't have much experience in dealing with this part of our network.)

ClintSwiney Commented:
If you have a mailserver behind a router and you are sending mail the IP address the receiving SMTP server is going to see is the IP address of the WAN side of the router. There is no way around this.

grhelm (Author) Commented:
Thanks, but this just seems odd to me as I would have to believe that most mailservers (Exchange) are behind a router otherwise how would users on the LAN connect via Outlook, with a POP connection?

If that's not the case then how should this have been set up?

(We also have an application server that is behind the router and is totally accessible from the web and the xx.190 address never comes into play anywhere.)
Cas Krist Commented:
You should also create a NAT outbound policy. Then your mailserver uses the .157 as outbound address.
When you run the public server wizard it creates 3 NAT policies (inbound, outbound and loopback) and also a firewall rule.

Make a backup of your settings, run the wizard. If you like you can keep it (or you can study it). If you don't like it, restore the original configuration.

In the picture you can see an example of the 3 NAT policies created by the wizard.

You should replace 'X1 IP' with 'EMAIL SERVER PUBLIC IP' and 'BF2 SERVER PRIVATE' with 'EMAIL SERVER PRIVATE ADDRESS', and of course the service with 'EMAIL SERVER SERVICES'.
3NAT-policies.png
Cas Krist Commented:
NAT POLICIES:
1 = loopback
2 = outbound
3 = inbound
grhelm (Author) Commented:
Thanks caskrist, I'll have to try this after-hours or over the weekend.
Cas Krist Commented:
Any luck?
grhelm (Author) Commented:
I don't know...  (I don't think so.)

I ran the wizard like you suggested, entered the internal IP and left the external as defaulted (xx.190, the public NAT).  But I am not sure how to verify this??  (Emails sent to Yahoo still show the xx.190 address as the Originating-IP.)
Cas Krist Commented:
You shouldn't have left the external address as default, but changed it to the .157 address. Please try to change the newly created NAT policies: everywhere it has the default .190, change it to the .157 address. This should work!
grhelm (Author) Commented:
Just to confirm what you are suggesting, I should change each of the three policies shown on the left in the images below to the configuration shown on the right?
ExcNAT.JPG
Cas Krist Commented:
Yes, you're correct.
grhelm (Author) Commented:
caskrist,

I think this worked!!

I just sent an email to my Yahoo test account and the email header shows "X-Originating-IP: [xx.xx.xx.157]" which is the Exchange server's IP!

I am going to let this run for a day just to make sure that there are no conflicts in the NAT "rules" but this looks very promising!

Thanks!!
Cas Krist Commented:
Glad it worked, thanks for the points.
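
Added example, not part of the original thread: one way to verify the outbound NAT change is to save the raw source of a test message from the receiving mailbox and compare the source IP recorded in its headers with the address the MX record points to. The sample headers, host names and the 203.0.113.x addresses (standing in for the masked xx.xx.xx.190 and xx.xx.xx.157) are constructed for illustration.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample headers; 203.0.113.x stands in for the masked xx.xx.xx.* IPs.
SAMPLE_BEFORE = (
    "X-Originating-IP: [203.0.113.190]\n"
    "Received: from smtp.example.com (smtp.example.com [203.0.113.190])\n"
    "\tby mx.receiver.example with ESMTP; Mon, 01 Jan 2024 10:00:00 -0000\n"
    "Received: from exchange.internal.example ([192.168.1.10])\n"
    "\tby smtp.example.com with ESMTP; Mon, 01 Jan 2024 09:59:59 -0000\n"
    "From: user@example.com\n"
    "To: test@receiver.example\n"
    "Subject: NAT egress test\n"
    "\n"
    "test body\n"
)
# Same message as it would look once the outbound NAT policy uses the .157 address.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("203.0.113.190", "203.0.113.157")

BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def external_ips(header_value):
    """Yield bracketed IPv4 addresses in a header value that are not internal."""
    for text in BRACKETED_IPV4.findall(header_value):
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:  # malformed octets such as [999.1.1.1]
            continue
        if not any(addr in net for net in INTERNAL_NETS):
            yield str(addr)

def check_egress(raw_message, expected_ip):
    """Compare the source IP the receiver recorded with the expected egress IP."""
    msg = message_from_string(raw_message)
    x_orig = next(external_ips(msg.get("X-Originating-IP", "")), None)
    # The topmost Received header is the one stamped by the receiving server.
    received = msg.get_all("Received", [])
    hop = next(external_ips(received[0]), None) if received else None
    observed = {ip for ip in (x_orig, hop) if ip}
    return {"x_originating_ip": x_orig, "received_ip": hop,
            "matches": observed == {expected_ip}}

if __name__ == "__main__":
    for label, raw in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, check_egress(raw, "203.0.113.157"))
```
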