WardElder


H:RPBL [64.x.x.42] Connection refused due to abuse. Please contact your E-mail provider.

Started getting the H:RPBL refused messages today.  I have found that Reverse DNS is failing.  I know why but do not know how to fix it.  Here is the info:

Exchange 2003
PIX 515e firewall

Two SMTP domains are used on the same server: (I will use fake names and IP's)
 - @mail1.com using external IP 1.1.1.1  NATed from 192.168.0.1
 - @mail2.com using external IP 2.2.2.2  NATed from 192.168.0.2
- Both NATed IP's are on the same server.

PIX firewall External IP is 9.9.9.9

When @mail1.com users send an email, the header shows:
 - Microsoft Mail Internet Headers Version 2.0 Received: from smtp.mail1.com ([9.9.9.9]) ...

Because it is showing an IP of 9.9.9.9 the Reverse DNS fails.  It should have shown an IP of 1.1.1.1

The IP in the header is the external IP of the PIX firewall, not the proper external IP of the SMTP server.  I can not find where I can set this.  I assume it is in the NAT portion of the PIX.

Any ideas?
Ragu Ramachandran

When you browse the internet from the Exchange server, what is the external IP address used?
You can go to www.whatismyip.com to test it.

Also, are you using any SMTP inspection on the PIX?
WardElder


It would be 9.9.9.9   This is the outside default IP of my PIX firewall.
Not sure what you mean by SMTP inspection on the PIX.
In ASAs there is a command which will inspect all the SMTP traffic; I am not sure if you have something similar to

Interface Ethernet2/0
  Inbound inspection rule is OUT-IN
    smtp max-data 20000000 alert is on audit-trail is off timeout 3600

But this doesn't seem to be the issue, as your browsing IP is not correct. It should be either 1.1.1.1 or 2.2.2.2

If your server's browsing address is 9.9.9.9, then the email address will also go out with that IP address in the header

Did something change recently? The server's network configuration or PIX change?
Also make sure that the network binding order (Advanced settings) under Network connections is set properly
Not sure if that command even works on the PIX 515.  Old box with old code.

Our Fibre has 7 static IP's.  The router is setup to have 9.9.9.9 as the default IP.  I could change it to 1.1.1.1 but email for domain @mail2.com with IP of 2.2.2.2 would still fail.  It would go out as 1.1.1.1 in the header instead of 2.2.2.2

There must be a way to tell the PIX that when port 25 from IP 192.168.0.2 hits it, go out on external Port 25 and IP 2.2.2.2

Instead it goes out on the Router's default IP.  Just like web traffic goes out on the default IP.

NOTE: I do not do One-to-One NAT mapping.
Is there a reason why you are not doing one to one NAT? Changing the router ip to 1.1.1.1 will mess up 2.2.2.2
How is the mail flow from 2.2.2.2?
How was this working in the past with outgoing address of 9.9.9.9
Have been doing one-to-many NAT for over 10 years.  The outgoing IP has always been the router IP.  I checked old emails and they all show 9.9.9.9

It started being an issue today.  Looks like a new anti spam engine is being used that now looks at the IP in the message header instead of just the domain name in the header.

I guess this means changing to one-to-one NAT.  That is of course "IF" that would solve my problem?
Alan Hardisty
If the problem is Reverse DNS, then you need to call your ISP and ask them to set it up on your Fixed IP Address.

You can check out your settings on www.mxtoolbox.com/diagnostic.aspx

If you want more specific details, please either post your domain name which I can hide / obscure or delete, or drop me an email to alanhardisty @ experts-exchange.com
The problem is I can only set one Reverse DNS.  The two Domains in question can't both point to the same IP address.  At least that is what my ISP says.  

I will send you an email with the true IP's and info.
You don't need more than one Reverse DNS name.

If your server advertises itself as mail.domainabc.com and Reverse DNS is configured as mail.domainabc.com and mail.domainabc.com resolves in DNS to the IP address you are sending mail from, then all will be well.

You can host multiple internal domains and still just have one Reverse DNS name.
But I have two Domain Names and only one IP (the router external IP).  The ISP says I cannot have two reverse DNS entries.
eg:
  mail1.com  PTR  9.9.9.9
  mail2.com  PTR  9.9.9.9
I have 60 domain names and one IP address.  It is perfectly possible - it just needs to be set up as described above.

Pick one domain name and stick with it.

Please have a read of Demazter's article:

https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2370-Exchange-DNS-Configuration.html
Good article but I have two IP addresses: one for each domain.  Then I have a third IP for the router (VPN end point).  Let me see if I can change some things around so that I only use one IP for my mail domains.
Are you sending all mail out via one IP address or both?
All email seems to go out of the one IP that is assigned to the Router.  No emails go out the IP's that are assigned to the MX records.  Remember, I do not do One-to-One NAT.  I think all outbound traffic goes to the Router's IP.  9.9.9.9 in my example.  It does not appear to matter how or what traffic gets into the server, when traffic is sent out the router, it goes out 9.9.9.9.
ASKER CERTIFIED SOLUTION
Alan Hardisty

This solution is only available to members.
That makes perfect sense!...

I am getting my ISP to make some changes right now.  It is 5pm here so I hope they are still working....

I will update you when I have more testing done.
No problems. I'm about for a couple of hours (11:00pm for me) if you need any further info.

Alan
I have made some changes to the Reverse DNS pointer and my FQDN entry.  They now match.  Things still don't work.

Email senders are still getting H:RPBL refused messages.  I cannot find any information on this H:RPBL blacklist.  I am not listed on any MXToolbox lists.

Please enter your Router IP in this site:

https://www.senderscore.org/

Seems that they may be using this site to verify how good your IP Address is and it is not looking good!
You get a 44 score - I get a 78 score!  Not sure that a higher score is better : (

Looking up a customer of ours - they get a 97 score and a low deliverability risk!  I guess I am nearer the better end of the spectrum and you are not.

Have you been blacklisted lately?
Visiting http://www.senderbase.org/senderbase_queries/rep_lookup and entering your IP address provides you with a good reputation - so I guess the people you are having problems with might be using a vaguely useless Sender Score Provider.

Probably worth picking up the phone and talking to their IT department.

Alternatively, set up a new SMTP Connector using your ISP's smarthost and send mail for the domain not going anywhere to your ISP's mailserver to deliver to the final destination.
Okay - more digging brings up this site:

http://dns.l4x.org/rnbl.rpdns.net

Enter your IP in there and you will see that you are listed because you have no Reverse DNS entries.

This site popped up on the Blacklist check on the original https://www.senderscore.org/ site after entering your IP Address.
Thanks, I am now trying to get off the lists.  I just hope the changes I made to the Reverse DNS work...
Once the Reverse DNS has been set and they see that, you should quickly get off the list - but you might need to encourage them.
I see Reverse DNS of remote.asp....group.com currently.  Is that what you set rDNS as or was this already set?
As rDNS is currently set as remote.asp.....group.com and remote.asp.....group.com resolves to the same IP address, if you change the FQDN on the server to remote.asp.....group.com - then that is all that is required to make everything correct.

It is the email.asp......group.com that is causing the problem.
Yup, that is what I did with the FQDN and the Reverse DNS. I have requested removal from the Blacklists.
Okay - looking good on the FQDN side and with Reverse DNS setup - you should be good to get off the blacklist and your mail should flow smoothly.

Fingers crossed you get de-listed asap.
All is working again.  Your point on setting the Exchange FQDN to ANY name as long as it matched the FQDN set by my ISP on the RPTR record was the fix.  Both of my SMTP systems now use "THE SAME" FQDN... this solved all the problems in having two SMTP servers sending emails out the same External IP address.  (Getting off the RPTR Blacklists was a pain)
One more note, I have a customer with a Sender Score of 100.  They have been around for over 10 years and send thousands of emails.  If things are set correctly and good Spam/AV prevention is in place.. a good score is easy...
Great news - now go get yourself a score of 100!

Thanks for the points - hope your mail flows smoothly from now on.

Alan
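
Added example (not part of the original thread): a Python sketch of the three conditions the thread settles on, namely that the sending IP has a PTR record, that the PTR name resolves forward to the same IP, and that the FQDN the server announces matches it. The record data is constructed from the thread's fake names and IPs; `remote.mail1.com` and the helper names are assumptions.

```python
import socket

def live_ptr(ip):
    """PTR lookup via the system resolver; [] when no record exists."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def live_a(name):
    """A-record lookup via the system resolver; [] when the name fails."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def norm(name):
    # DNS names are case-insensitive and may carry a trailing dot.
    return name.rstrip(".").lower()

def check_sender(ip, helo, ptr_lookup=live_ptr, a_lookup=live_a):
    """Return a list of problems for mail leaving `ip` announcing `helo`.
    An empty list means rDNS, forward DNS and the announced FQDN agree."""
    ptr_names = [norm(n) for n in ptr_lookup(ip)]
    if not ptr_names:
        return [f"no PTR record for {ip}"]
    problems = []
    if not any(ip in a_lookup(n) for n in ptr_names):
        problems.append(f"PTR {ptr_names} does not resolve back to {ip}")
    if norm(helo) not in ptr_names:
        problems.append(f"announced name {helo} differs from PTR {ptr_names}")
    if ip not in a_lookup(norm(helo)):
        problems.append(f"announced name {helo} does not resolve to {ip}")
    return problems

# Constructed records (assumption): only the PIX outside address has a PTR.
PTR = {"9.9.9.9": ["remote.mail1.com."]}
A = {"remote.mail1.com": ["9.9.9.9"], "smtp.mail1.com": ["1.1.1.1"]}
fake_ptr = lambda ip: PTR.get(ip, [])
fake_a = lambda name: A.get(name, [])

if __name__ == "__main__":
    # Mail is NATed out of 9.9.9.9 regardless of which domain sent it.
    for helo in ("smtp.mail1.com", "remote.mail1.com"):
        result = check_sender("9.9.9.9", helo, fake_ptr, fake_a)
        print(helo, "->", result or "OK")
```

Calling `check_sender(ip, fqdn)` without the last two arguments uses the system resolver instead of the constructed tables.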