Link to home
Create AccountLog in
Avatar of WardElder

asked on

H:RPBL [64.x.x.42] Connection refused due to abuse. Please contact your E-mail provider.

Started getting the H:RPBL refused messages today.  I have found that Reverse DNS is failing.  I know why but do not know how to fix it.  Here is the info:

Exchange 2003
PIX 515e firewall

Two SMTP domains are used on the same server: (I will use fake names and IP's)
 - using external IP  NATed from
 - using external IP  NATed from
- Both NATed IP's are on the same server.

PIX firewall External IP is

When users send an email, the header shows:
 - Microsoft Mail Internet Headers Version 2.0 Received: from ([]) ...

Because it is showing and IP of the Reverse DNS fails.  It should have shown an IP of

The IP in the header is the external IP of the PIX firewall, not the proper external IP of the SMTP server.  I can not find where I can set this.  I assume it is in the NAT portion of the PIX.

Any ideas?
Avatar of Ragu Ramachandran
Ragu Ramachandran
Flag of India image

when you browse internet from the exchange server, what is the external ip address used.
you can go to to test it.

ALso are you using any smtp inspection on the PIX?
Avatar of WardElder


It would be   This is the outside default IP of my PIX firewall.
Not sure what you mean by SMTP inspection on the PIX.
in ASA's there is a command which will inspect all the SMTP traffic, i am not sure if you have something similar to

Interface Ethernet2/0
  Inbound inspection rule is OUT-IN
    smtp max-data 20000000 alert is on audit-trail is off timeout 3600

But this doesn't seems to be the issue as your browsing ip is not correct. It should be either or

If your server's browsing address is, then the email address will also go out with that ip address in the header

Did something change recently? the server's network configuration or PIX change?
ALso make sure that the network binding order (Advanced settings) under Network connections are set properly
Not sure if that command even works on the PIX 515.  Old box with old code.

Our Fibre has 7 static IP's.  The router is setup to have as the default IP.  I could change it to but email for domain with IP of would still fail.  It would go out as in the header instead of

There must be a way to tell the PIX that when port 25 from IP hits it, go out on external Port 25 and IP

Instead it goes out on the Routers default IP.  Just like web trafic goes out on the default IP.

NOTE: I do not do One-to-One NAT mapping.
Is there a reason why you are not doing one to one NAT? Changing the router ip to will mess up
How is the mail flow from
How was this working in the past with outgoing address of
Have been doing one-to-many NAT for over 10 years.  The outgoing IP has always been the router IP.  I checked old emails and they all show

It started being an issue today.  Looks like a new anti spam engine is being used that now looks at the IP in the message header instead of just the domain name in the header.

I guess this means changing to one-to-one NAT.  That is of coure "IF" that would solve my problem?
Avatar of Alan Hardisty
If the problem is Reverse DNS, then you need to call your ISP and ask them to set it up on your Fixed IP Address.

You can check out your settings on

If you want more specific details, please either post your domain name which I can hide / obscure or delete, or drop me an email to alanhardisty @
The problem is I can only set one Reverse DNS.  The two Domains in question can't both point to the same IP address.  At least that is what my ISP says.  

I will send you and email with the true IP's and info.
You don't need more than one Reverse DNS name.

If your server advertises itself as and Reverse DNS is configured as and resolves in DNS to the IP address you are sending mail from then all will be well.

You can host multiple internal domains and still just have one Reverse DNS name.
But I have two Domain Names and only one IP (the router external IP).  The ISP says I cannot have two reverse DNS entries.
eg:  PTR  PTR
I have 60 domain names and one IP address.  It is perfectly possible - it just needs to be setup as described above.

Pick one domain name and stick with it.

Please have a read of Demazter's article:
Good article but I have two IP address: one for each domain.  The I have a third IP for the router (VPN end point).  Let me see if I can change some things around so that I only use one IP for my mail domains.
Are you sending all mail out via one IP address or both?
All email seems to go out of the one IP that is assigned to the Router.  No emails go out the IP's that are assigned to the MX records.  Remember, I do not do One-to-One NAT.  I think all outbound traffic goes ot the Router's IP. in my example.  It does not appear to matter how or what traffic gets into the server, when traffic is sent out the router, it goes out
Avatar of Alan Hardisty
Alan Hardisty
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
That make perfect sense!...

I am getting my ISP to make some changes right now.  It is 5pm here so I hope they are still working....

I will update you when I have more testing done.
No problems. I'm about for a couple of hours (11:00pm for me) if you need any further info.

I have made some changes to the Reverse DNS pointer and my FQDN entry.  They now match.  Things still don't work.

Email senders are still get H:RPBL refused messages.  I can not find any information on this H:RPBL blacklist.  I am not listed on any MXToolbox lists.

Please enter your Router IP in this site:

Seems that they may be using this site to verify how ood your IP Address is and it is not looking good!
You get a 44 score - I get a 78 score!  Not sure that a higher score is better : (

Looking up a customer of ours - they get a 97 score and a low deliverability risk!  I guess I am nearer the better end of the spectrum and you are not.

Have you been blacklisted lately?
Visiting and entering your IP address provides you with a good reputation - so I guess the people you are having problems with might be using a vaguely useless Sender Score Provider.

Probably worth picking up the phone and talking to their IT department.

Alternatively, setup a new SMTP Connector using your ISP's smarthost and send mail for the domain not going anywhere to your ISP's mailserver to deliver to the final destination.
Okay - more digging brings up this site:

Enter your IP in there and you will see that you are listed because you have no Reverse DNS entreis.

This site popped up on the Blacklist check on the original site after entering your IP Address.
Thanks, I am now trying to get off the lists.  I just hope the changes I made to the Reverse DNS work...
Once the Reverse DNS has been set and they see that, you should quickly get off the list - but you might need to encourage them.
I see Reverse DNS of currently.  Is that what you set rDNS as or was this already set?
As rDNS is currently set as and resolves to the same IP address, if you change the FQDN on the server to - then that is all that is required to make everything correct.

It is the that is causing the problem.
Yup, that is what I did with the FQDN and the Reveres DNS. I have requested removal from the Blacklists.  
Okay - looking good on the FQDN side and with Reverse DNS setup - you should be good to get off the blacklist and your mail should flow smoothly.

Fingers crossed you get de-listed asap.
All is working again.  Your point on setting the Exchange FQDN to ANY name as long as it matched the FQDN set by my ISP on the RPTR record was the fix.  Both of my SMTP systems now use "THE SAME" FQDN... this solved all the problems in having two SMTP servers sending emails out the same External IP address.  (Getting off the RPTR Blacklists was a pain)
One more note, I have a customer with a Sender Score of 100.  They have been around for over 10 years and send thousands of emails.  If things are set correctly and good Spam/AV prevention is in place.. a good score is easy...
Great news - now go get yourself a score of 100!

Thanks for the points - hope your mail flows smoothly from now on.