
H:RPBL [64.x.x.42] Connection refused due to abuse. Please contact your E-mail provider.

WardElder asked (2,805 views, last modified 2012-05-10):
Started getting the H:RPBL refused messages today.  I have found that Reverse DNS is failing.  I know why but do not know how to fix it.  Here is the info:

Exchange 2003
PIX 515e firewall

Two SMTP domains are used on the same server: (I will use fake names and IP's)
- @mail1.com using external IP 1.1.1.1, NATed from 192.168.0.1
- @mail2.com using external IP 2.2.2.2, NATed from 192.168.0.2
- Both NATed IPs are on the same server.

PIX firewall External IP is 9.9.9.9

When @mail1.com users send an email, the header shows:
 - Microsoft Mail Internet Headers Version 2.0 Received: from smtp.mail1.com ([9.9.9.9]) ...

Because it is showing an IP of 9.9.9.9, the Reverse DNS fails.  It should have shown an IP of 1.1.1.1

The IP in the header is the external IP of the PIX firewall, not the proper external IP of the SMTP server.  I can not find where I can set this.  I assume it is in the NAT portion of the PIX.

Any ideas?

When you browse the internet from the Exchange server, what is the external IP address used?
You can go to www.whatismyip.com to test it.

Also, are you using any SMTP inspection on the PIX?

Author

Commented:
It would be 9.9.9.9   This is the outside default IP of my PIX firewall.

Author

Commented:
Not sure what you mean by SMTP inspection on the PIX.
In ASAs there is a command which will inspect all the SMTP traffic; I am not sure if you have something similar to:

Interface Ethernet2/0
  Inbound inspection rule is OUT-IN
    smtp max-data 20000000 alert is on audit-trail is off timeout 3600

But this doesn't seem to be the issue, as your browsing IP is not correct. It should be either 1.1.1.1 or 2.2.2.2.

If your server's browsing address is 9.9.9.9, then the email address will also go out with that ip address in the header

Did something change recently? The server's network configuration or the PIX?
Also make sure that the network binding order (Advanced settings) under Network Connections is set properly.

Author

Commented:
Not sure if that command even works on the PIX 515.  Old box with old code.

Our Fibre has 7 static IP's.  The router is setup to have 9.9.9.9 as the default IP.  I could change it to 1.1.1.1 but email for domain @mail2.com with IP of 2.2.2.2 would still fail.  It would go out as 1.1.1.1 in the header instead of 2.2.2.2

There must be a way to tell the PIX that when port 25 from IP 192.168.0.2 hits it, go out on external Port 25 and IP 2.2.2.2

Instead it goes out on the Router's default IP.  Just like web traffic goes out on the default IP.

NOTE: I do not do One-to-One NAT mapping.
Is there a reason why you are not doing one to one NAT? Changing the router ip to 1.1.1.1 will mess up 2.2.2.2
How is the mail flow from 2.2.2.2?
How was this working in the past with outgoing address of 9.9.9.9

Author

Commented:
Have been doing one-to-many NAT for over 10 years.  The outgoing IP has always been the router IP.  I checked old emails and they all show 9.9.9.9

It started being an issue today.  Looks like a new anti spam engine is being used that now looks at the IP in the message header instead of just the domain name in the header.

I guess this means changing to one-to-one NAT.  That is of course "IF" that would solve my problem?
Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011

Commented:
If the problem is Reverse DNS, then you need to call your ISP and ask them to set it up on your Fixed IP Address.

You can check out your settings on www.mxtoolbox.com/diagnostic.aspx

If you want more specific details, please either post your domain name which I can hide / obscure or delete, or drop me an email to alanhardisty @ experts-exchange.com

Author

Commented:
The problem is I can only set one Reverse DNS.  The two Domains in question can't both point to the same IP address.  At least that is what my ISP says.

I will send you an email with the true IPs and info.
Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011

Commented:
You don't need more than one Reverse DNS name.

If your server advertises itself as mail.domainabc.com and Reverse DNS is configured as mail.domainabc.com and mail.domainabc.com resolves in DNS to the IP address you are sending mail from, then all will be well.

You can host multiple internal domains and still just have one Reverse DNS name.

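The check Alan describes (connecting IP has a PTR, the PTR name resolves back to that IP, and the name the server announces matches it) is what receiving MTAs and rDNS-based blacklists evaluate. The following is an added example, not code from the thread or from Experts Exchange: it pulls the connecting IP and announced name out of a Received: header in the shape quoted in the question, then runs the forward/reverse/HELO comparison against a constructed in-memory zone. The hostnames, the resolver class and the `remote.example.net` placeholder (standing in for the obscured hostname later in the thread) are all assumptions for illustration.

```python
"""Check whether an SMTP sender's connecting IP, PTR record and announced
FQDN line up (forward-confirmed reverse DNS plus HELO agreement).

DNS answers come from a constructed in-memory zone so this runs offline;
in practice the ZoneResolver would be replaced by real PTR/A lookups.
"""
import re
from dataclasses import dataclass, field

# Matches "Received: from <helo> ([ip])" and "Received: from <helo> (<name> [ip])",
# the two forms Exchange and most MTAs write.  Constructed for this example.
RECEIVED_RE = re.compile(
    r"Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?:[^\s()\[\]]+\s+)?\[?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?\)"
)


def parse_received(header_line):
    """Return (announced_name, connecting_ip) from a Received: header, or None."""
    m = RECEIVED_RE.search(header_line)
    if not m:
        return None
    return m.group("helo"), m.group("ip")


def _norm(name):
    return name.lower().rstrip(".")


@dataclass
class ZoneResolver:
    """Constructed stand-in for a DNS resolver: PTR and A data as dicts."""
    ptr: dict = field(default_factory=dict)  # ip   -> [hostnames]
    a: dict = field(default_factory=dict)    # name -> [ips]

    def reverse(self, ip):
        return [_norm(n) for n in self.ptr.get(ip, [])]

    def forward(self, name):
        return list(self.a.get(_norm(name), []))


def check_sender(ip, helo, resolver):
    """Return the problems a receiving MTA (or an rDNS blacklist) would see
    for this sender; an empty list means PTR, A and announced name agree."""
    issues = []
    helo = _norm(helo)
    ptr_names = resolver.reverse(ip)
    if not ptr_names:
        # The situation the thread ended up in: no PTR at all for the
        # address the mail actually leaves from.
        issues.append("no PTR record for %s" % ip)
        return issues
    if not any(ip in resolver.forward(n) for n in ptr_names):
        issues.append("PTR name(s) %s do not resolve back to %s"
                      % (", ".join(ptr_names), ip))
    if helo not in ptr_names:
        issues.append("announced name %s does not match PTR name(s) %s"
                      % (helo, ", ".join(ptr_names)))
    if ip not in resolver.forward(helo):
        issues.append("announced name %s does not resolve to %s" % (helo, ip))
    return issues


# Constructed zone data using the thread's fake addresses.
# Before the fix: 9.9.9.9 (the PIX outside address) has no PTR, and the
# server announces smtp.mail1.com, which points at the NAT address 1.1.1.1.
BEFORE_FIX = ZoneResolver(
    ptr={},
    a={"smtp.mail1.com": ["1.1.1.1"], "smtp.mail2.com": ["2.2.2.2"]},
)

# After the fix: the ISP sets one PTR for 9.9.9.9, that name resolves back
# to 9.9.9.9, and both SMTP virtual servers announce that same FQDN.
AFTER_FIX = ZoneResolver(
    ptr={"9.9.9.9": ["remote.example.net"]},
    a={
        "remote.example.net": ["9.9.9.9"],
        "smtp.mail1.com": ["1.1.1.1"],
        "smtp.mail2.com": ["2.2.2.2"],
    },
)

# Constructed header line in the shape quoted in the question.
SAMPLE_HEADER = "Received: from smtp.mail1.com ([9.9.9.9]) by mx.example.org with ESMTP"


def run_examples():
    """Evaluate the before / half-fixed / after scenarios; returns {name: issues}."""
    helo, ip = parse_received(SAMPLE_HEADER)
    return {
        "before": check_sender(ip, helo, BEFORE_FIX),
        # PTR set by the ISP, but the Exchange FQDN not yet changed to match it.
        "half_fixed": check_sender(ip, helo, AFTER_FIX),
        "after": check_sender(ip, "remote.example.net", AFTER_FIX),
    }


if __name__ == "__main__":
    for scenario, issues in run_examples().items():
        print("%-10s %s" % (scenario, issues or "OK"))
```

The "half_fixed" scenario is the state the thread sits in for a while: the PTR exists and confirms forward, but the server still announces a name that points at a different address, so the HELO comparison still fails until the FQDN on the SMTP virtual server is changed to the PTR name.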
Author

Commented:
But I have two Domain Names and only one IP (the router external IP).  The ISP says I cannot have two reverse DNS entries.
eg:
  mail1.com  PTR  9.9.9.9
  mail2.com  PTR  9.9.9.9
Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011

Commented:
I have 60 domain names and one IP address.  It is perfectly possible - it just needs to be setup as described above.

Pick one domain name and stick with it.

Please have a read of Demazter's article:

https://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2370-Exchange-DNS-Configuration.html

Author

Commented:
Good article, but I have two IP addresses: one for each domain.  Then I have a third IP for the router (VPN end point).  Let me see if I can change some things around so that I only use one IP for my mail domains.
Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011

Commented:
Are you sending all mail out via one IP address or both?

Author

Commented:
All email seems to go out of the one IP that is assigned to the Router.  No emails go out the IPs that are assigned to the MX records.  Remember, I do not do One-to-One NAT.  I think all outbound traffic goes out the Router's IP, 9.9.9.9 in my example.  It does not appear to matter how or what traffic gets into the server; when traffic is sent out the router, it goes out 9.9.9.9.
Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011
Commented:

Author

Commented:
That makes perfect sense!

I am getting my ISP to make some changes right now.  It is 5pm here so I hope they are still working....

I will update you when I have more testing done.
Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011

Commented:
No problems. I'm about for a couple of hours (11:00pm for me) if you need any further info.

Alan

Author

Commented:
I have made some changes to the Reverse DNS pointer and my FQDN entry.  They now match.  Things still don't work.

Email senders are still getting H:RPBL refused messages.  I can not find any information on this H:RPBL blacklist.  I am not listed on any MXToolbox lists.

Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011

Commented:
Please enter your Router IP in this site:

https://www.senderscore.org/

Seems that they may be using this site to verify how good your IP Address is, and it is not looking good!
Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011

Commented:
You get a 44 score - I get a 78 score!  Not sure that a higher score is better : (

Looking up a customer of ours - they get a 97 score and a low deliverability risk!  I guess I am nearer the better end of the spectrum and you are not.

Have you been blacklisted lately?
Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011

Commented:
Visiting http://www.senderbase.org/senderbase_queries/rep_lookup and entering your IP address provides you with a good reputation - so I guess the people you are having problems with might be using a vaguely useless Sender Score Provider.

Probably worth picking up the phone and talking to their IT department.

Alternatively, set up a new SMTP Connector using your ISP's smarthost and send mail for the domain not going anywhere to your ISP's mailserver to deliver to the final destination.
Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011

Commented:
Okay - more digging brings up this site:

http://dns.l4x.org/rnbl.rpdns.net

Enter your IP in there and you will see that you are listed because you have no Reverse DNS entries.

This site popped up on the Blacklist check on the original https://www.senderscore.org/ site after entering your IP Address.

Author

Commented:
Thanks, I am now trying to get off the lists.  I just hope the changes I made to the Reverse DNS work...
Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011

Commented:
Once the Reverse DNS has been set and they see that, you should quickly get off the list - but you might need to encourage them.
Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011

Commented:
I see Reverse DNS of remote.asp....group.com currently.  Is that what you set rDNS as or was this already set?
Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011

Commented:
As rDNS is currently set as remote.asp.....group.com and remote.asp.....group.com resolves to the same IP address, if you change the FQDN on the server to remote.asp.....group.com - then that is all that is required to make everything correct.

It is the email.asp......group.com that is causing the problem.

Author

Commented:
Yup, that is what I did with the FQDN and the Reverse DNS. I have requested removal from the Blacklists.
Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011

Commented:
Okay - looking good on the FQDN side and with Reverse DNS setup - you should be good to get off the blacklist and your mail should flow smoothly.

Fingers crossed you get de-listed asap.

Author

Commented:
All is working again.  Your point on setting the Exchange FQDN to ANY name as long as it matched the FQDN set by my ISP on the RPTR record was the fix.  Both of my SMTP systems now use "THE SAME" FQDN... this solved all the problems in having two SMTP servers sending emails out the same External IP address.  (Getting off the RPTR Blacklists was a pain)

Author

Commented:
One more note, I have a customer with a Sender Score of 100.  They have been around for over 10 years and send thousands of emails.  If things are set correctly and good Spam/AV prevention is in place.. a good score is easy...
Alan Hardisty, Co-Owner
CERTIFIED EXPERT
Top Expert 2011

Commented:
Great news - now go get yourself a score of 100!

Thanks for the points - hope your mail flows smoothly from now on.

Alan