Solved

H:RPBL [64.x.x.42] Connection refused due to abuse. Please contact your E-mail provider.

Posted on 2010-11-12
Last Modified: 2012-05-10
Started getting the H:RPBL refused messages today.  I have found that Reverse DNS is failing.  I know why but do not know how to fix it.  Here is the info:

Exchange 2003
PIX 515e firewall

Two SMTP domains are used on the same server (I will use fake names and IPs):
 - @mail1.com using external IP 1.1.1.1, NATed from 192.168.0.1
 - @mail2.com using external IP 2.2.2.2, NATed from 192.168.0.2
 - Both NATed IPs are on the same server.

PIX firewall External IP is 9.9.9.9

When @mail1.com users send an email, the header shows:
 - Microsoft Mail Internet Headers Version 2.0 Received: from smtp.mail1.com ([9.9.9.9]) ...

Because it is showing an IP of 9.9.9.9, the Reverse DNS fails.  It should have shown an IP of 1.1.1.1

The IP in the header is the external IP of the PIX firewall, not the proper external IP of the SMTP server.  I can not find where I can set this.  I assume it is in the NAT portion of the PIX.

Any ideas?
Question by:WardElder
LVL 8

Expert Comment

by:rr1968
When you browse the internet from the Exchange server, what is the external IP address used?
You can go to www.whatismyip.com to test it.

Also, are you using any SMTP inspection on the PIX?
0
 

Author Comment

by:WardElder
It would be 9.9.9.9   This is the outside default IP of my PIX firewall.
0
 

Author Comment

by:WardElder
Not sure what you mean by SMTP inspection on the PIX.
0
 
LVL 8

Expert Comment

by:rr1968
In ASAs there is a command which will inspect all the SMTP traffic; I am not sure if you have something similar to:

Interface Ethernet2/0
  Inbound inspection rule is OUT-IN
    smtp max-data 20000000 alert is on audit-trail is off timeout 3600

But this doesn't seem to be the issue, as your browsing IP is not correct. It should be either 1.1.1.1 or 2.2.2.2

If your server's browsing address is 9.9.9.9, then the email will also go out with that IP address in the header.

Did something change recently? The server's network configuration or a PIX change?
Also make sure that the network binding order (Advanced settings) under Network connections is set properly.
0
 

Author Comment

by:WardElder
Not sure if that command even works on the PIX 515.  Old box with old code.

Our Fibre has 7 static IPs.  The router is set up to have 9.9.9.9 as the default IP.  I could change it to 1.1.1.1 but email for domain @mail2.com with IP of 2.2.2.2 would still fail.  It would go out as 1.1.1.1 in the header instead of 2.2.2.2

There must be a way to tell the PIX that when port 25 from IP 192.168.0.2 hits it, go out on external Port 25 and IP 2.2.2.2

Instead it goes out on the Router's default IP.  Just like web traffic goes out on the default IP.

NOTE: I do not do One-to-One NAT mapping.
0
 
LVL 8

Expert Comment

by:rr1968
Is there a reason why you are not doing one-to-one NAT? Changing the router IP to 1.1.1.1 will mess up 2.2.2.2.
How is the mail flow from 2.2.2.2?
How was this working in the past with an outgoing address of 9.9.9.9?
0
 

Author Comment

by:WardElder
Have been doing one-to-many NAT for over 10 years.  The outgoing IP has always been the router IP.  I checked old emails and they all show 9.9.9.9

It started being an issue today.  Looks like a new anti spam engine is being used that now looks at the IP in the message header instead of just the domain name in the header.

I guess this means changing to one-to-one NAT.  That is of course "IF" that would solve my problem?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
If the problem is Reverse DNS, then you need to call your ISP and ask them to set it up on your Fixed IP Address.

You can check out your settings on www.mxtoolbox.com/diagnostic.aspx

If you want more specific details, please either post your domain name which I can hide / obscure or delete, or drop me an email to alanhardisty @ experts-exchange.com
0
 

Author Comment

by:WardElder
The problem is I can only set one Reverse DNS.  The two Domains in question can't both point to the same IP address.  At least that is what my ISP says.  

I will send you an email with the true IPs and info.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
You don't need more than one Reverse DNS name.

If your server advertises itself as mail.domainabc.com and Reverse DNS is configured as mail.domainabc.com and mail.domainabc.com resolves in DNS to the IP address you are sending mail from, then all will be well.

You can host multiple internal domains and still just have one Reverse DNS name.
0
 

Author Comment

by:WardElder
But I have two Domain Names and only one IP (the router external IP).  The ISP says I cannot have two reverse DNS entries.
eg:
  mail1.com  PTR  9.9.9.9
  mail2.com  PTR  9.9.9.9
0
 
LVL 76

Expert Comment

by:Alan Hardisty
I have 60 domain names and one IP address.  It is perfectly possible - it just needs to be set up as described above.

Pick one domain name and stick with it.

Please have a read of Demazter's article:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2370-Exchange-DNS-Configuration.html
0
 

Author Comment

by:WardElder
Good article, but I have two IP addresses: one for each domain.  Then I have a third IP for the router (VPN end point).  Let me see if I can change some things around so that I only use one IP for my mail domains.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Are you sending all mail out via one IP address or both?
0
 

Author Comment

by:WardElder
All email seems to go out of the one IP that is assigned to the Router.  No emails go out the IPs that are assigned to the MX records.  Remember, I do not do One-to-One NAT.  I think all outbound traffic goes out the Router's IP, 9.9.9.9 in my example.  It does not appear to matter how or what traffic gets into the server; when traffic is sent out the router, it goes out 9.9.9.9.
0
 
LVL 76

Accepted Solution

by:
Alan Hardisty earned 500 total points
Okay - so you have two domains (could be more) all being sent out of one IP Address.  All the receiving server cares about is that the Fully Qualified Domain Name on your SMTP Virtual Server resolves correctly to the same IP Address that is connecting to it.

So if you send mail out of IP 123.123.123.123 and your FQDN is mail.domainabc.com - the receiving server will check DNS to see that mail.domainabc.com resolves to IP Address 123.123.123.123 and that the Reverse DNS name of IP Address 123.123.123.123 is mail.domainabc.com.

When mail servers send mail to your server, they could care less about what name your server is advertising itself and they don't care about your Reverse DNS - this is only relevant when YOU are sending.

Does this make sense?
0
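The check described in the accepted solution, written out as an added example (not code from any participant in this thread): it compares the name the sending server announces, the PTR record of the connecting IP, and the A record of that name. The DNS tables are constructed from the thread's fake names and addresses, and the function names are illustrative.

```python
import socket

# Constructed DNS data modelled on the thread's fake addresses (not real records).
FORWARD = {                                   # A records: name -> addresses
    "smtp.mail1.com": ["1.1.1.1"],
    "smtp.mail2.com": ["2.2.2.2"],
    "mail.domainabc.com": ["9.9.9.9"],
}
REVERSE = {"9.9.9.9": ["mail.domainabc.com"]}  # PTR records: address -> names

def table_a(name):
    return FORWARD.get(name.lower().rstrip("."), [])

def table_ptr(ip):
    return REVERSE.get(ip, [])

def live_a(name):
    """Same lookup against the system resolver (IPv4 only)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def live_ptr(ip):
    """PTR lookup against the system resolver; empty list when none exists."""
    try:
        host, aliases, _ = socket.gethostbyaddr(ip)
        return [host, *aliases]
    except OSError:
        return []

def check_sender(connecting_ip, helo_name, lookup_a=table_a, lookup_ptr=table_ptr):
    """Return the mismatches a receiving server could hold against the sender."""
    helo = helo_name.lower().rstrip(".")
    ptr_names = [n.lower().rstrip(".") for n in lookup_ptr(connecting_ip)]
    problems = []
    if not ptr_names:
        problems.append("no PTR record for " + connecting_ip)
    elif helo not in ptr_names:
        problems.append("PTR is %s, server announces %s" % (ptr_names[0], helo))
    if connecting_ip not in lookup_a(helo):
        problems.append("%s does not resolve to %s" % (helo, connecting_ip))
    # Forward-confirm the PTR: every PTR name must point back to the same IP.
    for name in ptr_names:
        if connecting_ip not in lookup_a(name):
            problems.append("PTR name %s does not resolve back to %s" % (name, connecting_ip))
    return problems
```

Calling `check_sender(ip, fqdn, lookup_a=live_a, lookup_ptr=live_ptr)` runs the same comparison against real DNS for the IP that mail actually leaves from.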
 

Author Comment

by:WardElder
That makes perfect sense!...

I am getting my ISP to make some changes right now.  It is 5pm here so I hope they are still working....

I will update you when I have more testing done.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
No problems. I'm about for a couple of hours (11:00pm for me) if you need any further info.

Alan
0
 

Author Comment

by:WardElder
I have made some changes to the Reverse DNS pointer and my FQDN entry.  They now match.  Things still don't work.

Email senders are still getting H:RPBL refused messages.  I cannot find any information on this H:RPBL blacklist.  I am not listed on any MXToolbox lists.

0
 
LVL 76

Expert Comment

by:Alan Hardisty
Please enter your Router IP in this site:

https://www.senderscore.org/

Seems that they may be using this site to verify how good your IP Address is and it is not looking good!
0
 
LVL 76

Expert Comment

by:Alan Hardisty
You get a 44 score - I get a 78 score!  Not sure that a higher score is better : (

Looking up a customer of ours - they get a 97 score and a low deliverability risk!  I guess I am nearer the better end of the spectrum and you are not.

Have you been blacklisted lately?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Visiting http://www.senderbase.org/senderbase_queries/rep_lookup and entering your IP address provides you with a good reputation - so I guess the people you are having problems with might be using a vaguely useless Sender Score Provider.

Probably worth picking up the phone and talking to their IT department.

Alternatively, set up a new SMTP Connector using your ISP's smarthost and send mail for the domain not going anywhere to your ISP's mailserver to deliver to the final destination.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Okay - more digging brings up this site:

http://dns.l4x.org/rnbl.rpdns.net

Enter your IP in there and you will see that you are listed because you have no Reverse DNS entries.

This site popped up on the Blacklist check on the original https://www.senderscore.org/ site after entering your IP Address.
0
 

Author Comment

by:WardElder
Thanks, I am now trying to get off the lists.  I just hope the changes I made to the Reverse DNS work...
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Once the Reverse DNS has been set and they see that, you should quickly get off the list - but you might need to encourage them.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
I see Reverse DNS of remote.asp....group.com currently.  Is that what you set rDNS as or was this already set?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
As rDNS is currently set as remote.asp.....group.com and remote.asp.....group.com resolves to the same IP address, if you change the FQDN on the server to remote.asp.....group.com - then that is all that is required to make everything correct.

It is the email.asp......group.com that is causing the problem.
0
 

Author Comment

by:WardElder
Yup, that is what I did with the FQDN and the Reverse DNS. I have requested removal from the Blacklists.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Okay - looking good on the FQDN side and with Reverse DNS setup - you should be good to get off the blacklist and your mail should flow smoothly.

Fingers crossed you get de-listed asap.
0
 

Author Comment

by:WardElder
All is working again.  Your point on setting the Exchange FQDN to ANY name as long as it matched the FQDN set by my ISP on the RPTR record was the fix.  Both of my SMTP systems now use "THE SAME" FQDN... this solved all the problems in having two SMTP servers sending emails out the same External IP address.  (Getting off the RPTR Blacklists was a pain)
0
 

Author Comment

by:WardElder
One more note, I have a customer with a Sender Score of 100.  They have been around for over 10 years and send thousands of emails.  If things are set correctly and good Spam/AV prevention is in place.. a good score is easy...
0
 
LVL 76

Expert Comment

by:Alan Hardisty
Great news - now go get yourself a score of 100!

Thanks for the points - hope your mail flows smoothly from now on.

Alan
0
