• Status: Solved

H:RPBL [64.x.x.42] Connection refused due to abuse. Please contact your E-mail provider.

Started getting the H:RPBL refused messages today.  I have found that Reverse DNS is failing.  I know why but do not know how to fix it.  Here is the info:

Exchange 2003
PIX 515e firewall

Two SMTP domains are used on the same server: (I will use fake names and IPs)
 - @mail1.com using external IP 1.1.1.1  NATed from 192.168.0.1
 - @mail2.com using external IP 2.2.2.2  NATed from 192.168.0.2
 - Both NATed IPs are on the same server.

PIX firewall External IP is 9.9.9.9

When @mail1.com users send an email, the header shows:
 - Microsoft Mail Internet Headers Version 2.0 Received: from smtp.mail1.com ([9.9.9.9]) ...

Because it is showing an IP of 9.9.9.9, the Reverse DNS fails.  It should have shown an IP of 1.1.1.1.

The IP in the header is the external IP of the PIX firewall, not the proper external IP of the SMTP server.  I cannot find where I can set this.  I assume it is in the NAT portion of the PIX.

Any ideas?
 
rr1968 Commented:
When you browse the internet from the Exchange server, what is the external IP address used?
You can go to www.whatismyip.com to test it.

Also, are you using any SMTP inspection on the PIX?

WardElder (Author) Commented:
It would be 9.9.9.9   This is the outside default IP of my PIX firewall.

WardElder (Author) Commented:
Not sure what you mean by SMTP inspection on the PIX.
 
rr1968 Commented:
In ASAs there is a command which will inspect all the SMTP traffic; I am not sure if you have something similar to:

Interface Ethernet2/0
  Inbound inspection rule is OUT-IN
    smtp max-data 20000000 alert is on audit-trail is off timeout 3600

But this doesn't seem to be the issue, as your browsing IP is not correct. It should be either 1.1.1.1 or 2.2.2.2.

If your server's browsing address is 9.9.9.9, then the email address will also go out with that IP address in the header.

Did something change recently? The server's network configuration or a PIX change?
Also make sure that the network binding order (Advanced settings) under Network connections is set properly.

WardElder (Author) Commented:
Not sure if that command even works on the PIX 515.  Old box with old code.

Our Fibre has 7 static IPs.  The router is set up to have 9.9.9.9 as the default IP.  I could change it to 1.1.1.1 but email for domain @mail2.com with IP of 2.2.2.2 would still fail.  It would go out as 1.1.1.1 in the header instead of 2.2.2.2.

There must be a way to tell the PIX that when port 25 from IP 192.168.0.2 hits it, go out on external Port 25 and IP 2.2.2.2.

Instead it goes out on the Router's default IP.  Just like web traffic goes out on the default IP.

NOTE: I do not do One-to-One NAT mapping.

rr1968 Commented:
Is there a reason why you are not doing one-to-one NAT? Changing the router IP to 1.1.1.1 will mess up 2.2.2.2.
How is the mail flow from 2.2.2.2?
How was this working in the past with an outgoing address of 9.9.9.9?

WardElder (Author) Commented:
Have been doing one-to-many NAT for over 10 years.  The outgoing IP has always been the router IP.  I checked old emails and they all show 9.9.9.9.

It started being an issue today.  Looks like a new anti-spam engine is being used that now looks at the IP in the message header instead of just the domain name in the header.

I guess this means changing to one-to-one NAT.  That is of course "IF" that would solve my problem?

Alan Hardisty Commented:
If the problem is Reverse DNS, then you need to call your ISP and ask them to set it up on your Fixed IP Address.

You can check out your settings on www.mxtoolbox.com/diagnostic.aspx

If you want more specific details, please either post your domain name which I can hide / obscure or delete, or drop me an email to alanhardisty @ experts-exchange.com

WardElder (Author) Commented:
The problem is I can only set one Reverse DNS.  The two Domains in question can't both point to the same IP address.  At least that is what my ISP says.

I will send you an email with the true IPs and info.

Alan Hardisty Commented:
You don't need more than one Reverse DNS name.

If your server advertises itself as mail.domainabc.com and Reverse DNS is configured as mail.domainabc.com and mail.domainabc.com resolves in DNS to the IP address you are sending mail from, then all will be well.

You can host multiple internal domains and still just have one Reverse DNS name.

WardElder (Author) Commented:
But I have two Domain Names and only one IP (the router external IP).  The ISP says I cannot have two reverse DNS entries.
eg:
  mail1.com  PTR  9.9.9.9
  mail2.com  PTR  9.9.9.9

Alan Hardisty Commented:
I have 60 domain names and one IP address.  It is perfectly possible - it just needs to be set up as described above.

Pick one domain name and stick with it.

Please have a read of Demazter's article:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_2370-Exchange-DNS-Configuration.html

WardElder (Author) Commented:
Good article, but I have two IP addresses: one for each domain.  Then I have a third IP for the router (VPN end point).  Let me see if I can change some things around so that I only use one IP for my mail domains.

Alan Hardisty Commented:
Are you sending all mail out via one IP address or both?

WardElder (Author) Commented:
All email seems to go out of the one IP that is assigned to the Router.  No emails go out the IPs that are assigned to the MX records.  Remember, I do not do One-to-One NAT.  I think all outbound traffic goes out the Router's IP.  9.9.9.9 in my example.  It does not appear to matter how or what traffic gets into the server, when traffic is sent out the router, it goes out 9.9.9.9.

Alan Hardisty Commented:
Okay - so you have two domains (could be more) all being sent out of one IP Address.  All the receiving server cares about is that the Fully Qualified Domain Name on your SMTP Virtual Server resolves correctly to the same IP Address that is connecting to it.

So if you send mail out of IP 123.123.123.123 and your FQDN is mail.domainabc.com - the receiving server will check DNS to see that mail.domainabc.com resolves to IP Address 123.123.123.123 and that the Reverse DNS name of IP Address 123.123.123.123 is mail.domainabc.com.

When mail servers send mail to your server, they could care less about what name your server is advertising itself as and they don't care about your Reverse DNS - this is only relevant when YOU are sending.

Does this make sense?
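
The sender-side check described in the comment above (HELO name, A record and PTR record all agreeing on the connecting IP), as an added Python example that is not part of the original thread. The name mail.example.net and the sample DNS tables are constructed placeholders, and the list of problems assumes a strict receiver; real receivers enforce different subsets of these checks.

```python
import socket

def system_ptr(ip):
    """PTR names for ip from the system resolver; empty list if none."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def system_a(name):
    """IPv4 addresses for name from the system resolver; empty list if none."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
        return sorted({info[4][0] for info in infos})
    except OSError:
        return []

def norm(name):
    return name.rstrip(".").lower()

def check_sender(connecting_ip, helo_name, ptr=system_ptr, a=system_a):
    """Problems a strict receiving server could flag; empty list means consistent."""
    problems = []
    ptr_names = [norm(n) for n in ptr(connecting_ip)]
    if not ptr_names:
        problems.append("no PTR record for connecting IP")
    elif not any(connecting_ip in a(n) for n in ptr_names):
        problems.append("PTR name does not resolve back to connecting IP")
    if connecting_ip not in a(helo_name):
        problems.append("HELO name does not resolve to connecting IP")
    if ptr_names and norm(helo_name) not in ptr_names:
        problems.append("HELO name differs from PTR name")
    return problems

# Constructed DNS data using the thread's placeholder addresses.
SAMPLE_A = {"smtp.mail1.com": ["1.1.1.1"], "smtp.mail2.com": ["2.2.2.2"],
            "mail.example.net": ["9.9.9.9"]}  # mail.example.net is hypothetical
PTR_BEFORE = {}                                 # no rDNS on the PIX outside IP
PTR_AFTER = {"9.9.9.9": ["mail.example.net."]}  # ISP sets one PTR

def demo():
    a = lambda name: SAMPLE_A.get(norm(name), [])
    before = check_sender("9.9.9.9", "smtp.mail1.com",
                          ptr=lambda ip: PTR_BEFORE.get(ip, []), a=a)
    after = check_sender("9.9.9.9", "mail.example.net",
                         ptr=lambda ip: PTR_AFTER.get(ip, []), a=a)
    return before, after

if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo()):
        print(label, result or "consistent")
```

Calling `check_sender(ip, fqdn)` without the `ptr` and `a` arguments runs the same checks against live DNS through the system resolver.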

WardElder (Author) Commented:
That makes perfect sense!...

I am getting my ISP to make some changes right now.  It is 5pm here so I hope they are still working....

I will update you when I have more testing done.

Alan Hardisty Commented:
No problems. I'm about for a couple of hours (11:00pm for me) if you need any further info.

Alan

WardElder (Author) Commented:
I have made some changes to the Reverse DNS pointer and my FQDN entry.  They now match.  Things still don't work.

Email senders are still getting H:RPBL refused messages.  I cannot find any information on this H:RPBL blacklist.  I am not listed on any MXToolbox lists.

Alan Hardisty Commented:
Please enter your Router IP in this site:

https://www.senderscore.org/

Seems that they may be using this site to verify how good your IP Address is and it is not looking good!

Alan Hardisty Commented:
You get a 44 score - I get a 78 score!  Not sure that a higher score is better : (

Looking up a customer of ours - they get a 97 score and a low deliverability risk!  I guess I am nearer the better end of the spectrum and you are not.

Have you been blacklisted lately?

Alan Hardisty Commented:
Visiting http://www.senderbase.org/senderbase_queries/rep_lookup and entering your IP address provides you with a good reputation - so I guess the people you are having problems with might be using a vaguely useless Sender Score Provider.

Probably worth picking up the phone and talking to their IT department.

Alternatively, set up a new SMTP Connector using your ISP's smarthost and send mail for the domain not going anywhere to your ISP's mailserver to deliver to the final destination.

Alan Hardisty Commented:
Okay - more digging brings up this site:

http://dns.l4x.org/rnbl.rpdns.net

Enter your IP in there and you will see that you are listed because you have no Reverse DNS entries.

This site popped up on the Blacklist check on the original https://www.senderscore.org/ site after entering your IP Address.

WardElder (Author) Commented:
Thanks, I am now trying to get off the lists.  I just hope the changes I made to the Reverse DNS work...

Alan Hardisty Commented:
Once the Reverse DNS has been set and they see that, you should quickly get off the list - but you might need to encourage them.

Alan Hardisty Commented:
I see Reverse DNS of remote.asp....group.com currently.  Is that what you set rDNS as or was this already set?

Alan Hardisty Commented:
As rDNS is currently set as remote.asp.....group.com and remote.asp.....group.com resolves to the same IP address, if you change the FQDN on the server to remote.asp.....group.com - then that is all that is required to make everything correct.

It is the email.asp......group.com that is causing the problem.

WardElder (Author) Commented:
Yup, that is what I did with the FQDN and the Reverse DNS. I have requested removal from the Blacklists.

Alan Hardisty Commented:
Okay - looking good on the FQDN side and with Reverse DNS setup - you should be good to get off the blacklist and your mail should flow smoothly.

Fingers crossed you get de-listed asap.

WardElder (Author) Commented:
All is working again.  Your point on setting the Exchange FQDN to ANY name as long as it matched the FQDN set by my ISP on the RPTR record was the fix.  Both of my SMTP systems now use "THE SAME" FQDN... this solved all the problems in having two SMTP servers sending emails out the same External IP address.  (Getting off the RPTR Blacklists was a pain)

WardElder (Author) Commented:
One more note, I have a customer with a Sender Score of 100.  They have been around for over 10 years and send thousands of emails.  If things are set correctly and good Spam/AV prevention is in place.. a good score is easy...

Alan Hardisty Commented:
Great news - now go get yourself a score of 100!

Thanks for the points - hope your mail flows smoothly from now on.

Alan