exchange server 2010 reverse hostname error

nairit
Hi

  I have Exchange Server 2010 installed. Almost all email is going out, but some outgoing messages are giving the error below:
 450-4.7.1 Client host rejected: cannot find your reverse hostname, [213.42.xx.xxx]
 400 4.4.7 Message delayed
450-4.7.1 Client host rejected: cannot find your reverse hostname
  My DNS server is managed by my ISP, and I have configured a Mapped IP (MIP) on a Juniper SSG 140 which points the external IP to the internal IP of the Exchange server.

I have checked the email header, which shows the IP address of the firewall and not my Exchange server's external IP.

Please help me resolve this issue as soon as possible. How can I change the IP address or the configuration of the firewall or Exchange so that mail uses the external IP address of the Exchange server?

Regards

Commented:
You need to amend your NAT rules so that email (traffic on port 25) leaving your network goes via the Exchange server's external IP, not your gateway.

Also note that the rDNS is configured via your ISP, so they would need to configure that. You cannot configure it via externally hosted DNS; your ISP controls the IP, so they would configure it.

Typically, if your OWA address is owa.domainname.com, then your rDNS would be owa.domainname.com.

Best of luck!
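The check that the receiving MX performs before it answers "450 4.7.1 ... cannot find your reverse hostname", written out as an added example (it is not code from this thread, from Exchange or from Juniper): look up the PTR for the connecting IP, then confirm that the name it returns resolves back to the same IP (forward-confirmed rDNS). Lookups go through a small pluggable Resolver so the script runs offline against a constructed zone; the 203.0.113.x / 198.51.100.x addresses and the example.com / example.net hostnames are assumptions taken from documentation ranges, not the poster's records. Swap in LIVE to test a real address.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for an outbound SMTP source IP.

Added example for this thread, not code from the original post. Reproduces the
test a receiving MX makes: PTR lookup on the connecting IP, then a forward
lookup of that name, which must contain the original IP.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Resolver:
    ptr: Callable[[str], List[str]]   # ip -> hostnames from its PTR record(s)
    addr: Callable[[str], List[str]]  # hostname -> A/AAAA addresses


# Constructed zone (assumption, documentation ranges): the Exchange MIP has a
# PTR that resolves back to it; the firewall WAN IP has no PTR at all (the
# poster's symptom); a third IP has a stale PTR that now resolves elsewhere.
FAKE_PTR: Dict[str, List[str]] = {
    "203.0.113.10": ["mail.example.com."],
    "203.0.113.11": ["old-mx.example.net."],
}
FAKE_A: Dict[str, List[str]] = {
    "mail.example.com": ["203.0.113.10"],
    "old-mx.example.net": ["198.51.100.5"],
}
FAKE = Resolver(ptr=lambda ip: FAKE_PTR.get(ip, []),
                addr=lambda name: FAKE_A.get(name, []))


def _live_ptr(ip: str) -> List[str]:
    try:
        return [socket.gethostbyaddr(ip)[0]]
    except socket.herror:
        return []


def _live_addr(name: str) -> List[str]:
    try:
        return sorted({sa[0] for *_, sa in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


LIVE = Resolver(ptr=_live_ptr, addr=_live_addr)  # use this against a real MIP


def check_fcrdns(ip: str, resolver: Resolver = FAKE) -> dict:
    """Return the PTR query name, the PTR answer, its forward addresses and a verdict:
    'ok', 'no-ptr' (what 450 4.7.1 complains about) or 'ptr-mismatch'."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on garbage input
    result = {
        "ip": str(addr),
        "ptr_query": addr.reverse_pointer,  # the exact record to ask the ISP for
        "ptr": None,
        "forward": [],
        "verdict": "",
    }
    names = resolver.ptr(str(addr))
    if not names:
        result["verdict"] = "no-ptr"
        return result
    hostname = names[0].rstrip(".").lower()
    result["ptr"] = hostname
    result["forward"] = resolver.addr(hostname)
    result["verdict"] = "ok" if str(addr) in result["forward"] else "ptr-mismatch"
    return result


if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.9", "203.0.113.11"):
        print(check_fcrdns(ip, FAKE))
```

Run it against the IP that actually appears in the bounced message's Received header, not the one you believe the MIP is using; the `ptr_query` field is the in-addr.arpa name to hand to the ISP when asking them to create the record.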

Commented:
Also take note if you have an external spam solution. We ran into this problem as our email was sent to our spambox first to be cleaned, but when sending mail out it was sent directly from the server, meaning different IPs for sending and receiving. Reverse DNS errors mainly happened when sending to AOL accounts.
Our ISP resolved it, although from time to time it got deleted and we had to have it recreated by our ISP.

Author

Commented:
Hi
  I have Symantec Mail Security for Exchange installed on the Exchange server.
 Also, the NAT rules are working fine with the Zarafa mail server, which is running on another IP
and domain, but the firewall settings are the same for both.
I am using an SSG 140 with MIP (mapped IP) for mapping the external IP
 to the internal IP. Is there any idea whether the Symantec mail gateway is giving the problem, or
shall I configure the SSG 140 with a virtual IP and set different rules for Exchange?


Commented:
Your inbound NAT rule will be different from your outbound NAT rule, which, if not specified, will take the default route of the network, using your firewall WAN IP.

Author

Commented:
Hi netlflo

  My Juniper untrust interface is configured as route, not NAT, and I configured the untrust interface with a mapped IP to route traffic from the external IP to the internal IP. My question is: why is the Zarafa mail server sending the right IP in the header and the Exchange server is not?

Commented:
Well, essentially it goes back to your config, as you can't have the same WAN IP inbound delivering to two email servers on port 25.

Is your Exchange server configured on a DMZ network? Is the interface on the Exchange server a private or public IP?

Author

Commented:
I have 8 public IP addresses, and one IP is registered with the ISP to the domain name, PTR and MX, which I am forwarding to the private IP of Exchange. There is no DMZ port. Please see the message header below for more info:
Delivered-To: jay@gmail.com
Received: by 10.220.17.194 with SMTP id t2csp205692vca;
        Thu, 19 Apr 2012 02:29:21 -0700 (PDT)
Received: by 10.180.78.40 with SMTP id y8mr24557337wiw.15.1334827761151;
        Thu, 19 Apr 2012 02:29:21 -0700 (PDT)
Return-Path: <jayesh@mycompany.ae>
Received: from mail.mycompany.ae ([213.42.xx.xxx])<-------firewall external IP
        by mx.google.com with ESMTPS id y4si1584452wec.80.2012.04.19.02.29.19
        (version=TLSv1/SSLv3 cipher=OTHER);
        Thu, 19 Apr 2012 02:29:20 -0700 (PDT)
Received-SPF: neutral (google.com: 213.42.xx.xxx is neither permitted nor denied by best guess record for domain of jayesh@mycompany.ae) client-ip=213.42.xx.xxx;
Authentication-Results: mx.google.com; spf=neutral (google.com: 213.42.XX.XXX is neither permitted nor denied by best guess record for domain of jayesh@mycompany.ae) smtp.mail=jayesh@mycompany.ae
Received: from MAIL.mycompany.ae ([fe81::f874:286a:ff91:52e0]) by
 MAIL.mycompany.ae ([fe81::f874:286a:ff91:52e0%12]) with mapi id 14.02.0283.003;
 Thu, 19 Apr 2012 13:29:19 +0400
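To see which source address the remote MX actually recorded, here is an added example (not code from this thread): a small parser for the Received chain that unfolds the header block, walks each "from X ([ip]) by Y" hop, pulls the bracketed client IP from the hop logged by the receiving MX, and compares it with the address the Exchange MIP is expected to use. RAW_HEADERS is constructed to mirror the shape of the header pasted above, with documentation addresses substituted; mx.example.org as the receiving MX, 203.0.113.10 as the MIP and 203.0.113.9 as the firewall WAN address are all assumptions.

```python
"""Extract the client IP a receiving MX saw from a message's Received headers.

Added example, not code from the original thread. The sample header is
constructed in the shape of the poster's, with documentation addresses.
"""
import re
from typing import Dict, List, Optional

# Constructed sample (assumption): same hop structure as the pasted header.
RAW_HEADERS = """\
Delivered-To: jay@example.org
Received: by 10.220.17.194 with SMTP id t2csp205692vca;
        Thu, 19 Apr 2012 02:29:21 -0700 (PDT)
Return-Path: <jayesh@example.com>
Received: from mail.example.com ([203.0.113.9])
        by mx.example.org with ESMTPS id y4si1584452wec.80
        (version=TLSv1/SSLv3 cipher=OTHER);
        Thu, 19 Apr 2012 02:29:20 -0700 (PDT)
Received: from MAIL.example.com ([fe80::f874:286a:ff91:52e0]) by
 MAIL.example.com ([fe80::f874:286a:ff91:52e0%12]) with mapi id 14.02.0283.003;
 Thu, 19 Apr 2012 13:29:19 +0400
"""

EXPECTED_MIP = "203.0.113.10"   # assumed: the MIP bound to the Exchange host
FIREWALL_WAN = "203.0.113.9"    # assumed: the SSG untrust interface address

_RECEIVED = re.compile(
    r"^Received:\s*from\s+(?P<helo>\S+)\s+(?:\((?P<paren>[^)]*)\)\s+)?by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
# Bracketed literal as written by the MTA; tolerates an IPv6 zone index (%12).
_BRACKET_IP = re.compile(r"\[(?P<ip>(?:\d{1,3}\.){3}\d{1,3}|[0-9a-fA-F:]+)(?:%\d+)?\]")


def unfold(raw: str) -> List[str]:
    """Join RFC 5322 folded continuation lines back onto their header line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw).splitlines()


def received_hops(raw: str) -> List[Dict[str, Optional[str]]]:
    """Each 'Received: from X ([ip]) by Y' hop, newest first as in the message.
    Lines with no 'from' clause (Gmail's internal 'Received: by 10.x' hops) are skipped."""
    hops = []
    for line in unfold(raw):
        m = _RECEIVED.match(line)
        if not m:
            continue
        ip_m = _BRACKET_IP.search(m.group("paren") or "")
        hops.append({
            "helo": m.group("helo"),
            "ip": ip_m.group("ip") if ip_m else None,
            "by": m.group("by").lower(),
        })
    return hops


def handoff_ip(raw: str, receiving_mx: str) -> Optional[str]:
    """IP the named receiving MX recorded for the connecting client, or None."""
    for hop in received_hops(raw):
        if hop["by"].endswith(receiving_mx.lower()):
            return hop["ip"]
    return None


def check_outbound_ip(raw: str, receiving_mx: str, expected: str) -> dict:
    """Compare the address the remote MX saw with the address the MIP should present."""
    seen = handoff_ip(raw, receiving_mx)
    return {"seen": seen, "expected": expected, "ok": seen == expected}


if __name__ == "__main__":
    print(received_hops(RAW_HEADERS))
    print(check_outbound_ip(RAW_HEADERS, "mx.example.org", EXPECTED_MIP))
```

The only hop that matters for the rDNS verdict is the one the remote MX wrote itself; the internal MAPI hop with the link-local IPv6 address is correctly parsed but irrelevant, and the "seen" value is the address whose PTR the remote side looked up.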
Commented:
Again as I said before you have to specify a NAT rule outbound so that the firewall uses the desired IP to send your emails via.

If there is no rule specified, all traffic will take the default route out of the network, which is your firewall WAN IP.

Your issue is not the Exchange server; it's the firewall which you need to look at.

This link may help: http://forums.juniper.net/t5/SRX-Services-Gateway/How-do-I-configure-the-outbound-IP-address-on-a-Juniper-SRX100/td-p/79056

Author

Commented:
Hi

 I have tried some configuration from the link provided by netflo and Juniper, but no luck.
Please review the configuration of my SSG-140 below and guide me on where I am wrong.

set clock dst-off
set clock timezone 4
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "Proxy_8080" protocol tcp src-port 0-65535 dst-port 8080-8080
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin http redirect
set admin mail alert
set admin mail traffic-log
set admin auth web timeout 10
set admin auth server "Local"
set admin auth remote root
set admin privilege read-write
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "Untrust"
set interface ethernet0/0 ip 192.168.101.200/22
set interface ethernet0/0 nat
unset interface vlan1 ip
set interface ethernet0/2 ip 213.42.xx.xxx/29 <----This IP address is going to header of all mail
set interface ethernet0/2 nat
set interface ethernet0/2 gateway 213.42.xx.xxx
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/2 ip manageable
unset interface ethernet0/0 g-arp
set interface ethernet0/2 manage ping
set interface ethernet0/2 manage web
unset interface ethernet0/2 g-arp
set interface vlan1 manage mtrace
set interface ethernet0/0 monitor track-ip ip
unset interface ethernet0/0 monitor track-ip dynamic
set interface "ethernet0/2" mip 213.42.xx.xxx host 192.168.101.201 netmask 255.255.255.255 vr "trust-vr"  <---this exchange mail ip
set interface "ethernet0/2" mip 213.42.xx.xxx host 192.168.101.101 netmask 255.255.255.255 vr "trust-vr"  
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 213.42.20.20 src-interface ethernet0/2
set dns host dns2 4.2.2.2 src-interface ethernet0/2
set dns host dns3 0.0.0.0
set address "Trust" "192.168.101.101/32" 192.168.101.101 255.255.255.255
set address "Trust" "192.168.101.201/32" 192.168.101.201 255.255.255.255
set address "Trust" "192.168.101.202/32" 192.168.101.202 255.255.255.255
set address "Trust" "ALJABER-LAN" 192.168.100.0 255.255.252.0
set group service "vpn"
set group service "vpn" add "CustomPPTP"
set group service "vpn" add "vpn_port"
set ike gateway "VPN-GW" dialup "vpn-user-group" Aggr outgoing-interface "ethernet0/2" preshare "0HIbfaGxx/sseyCzBPLVjYn2WHHq6Q==" proposal "pre-g1-des-sha"
unset ike gateway "VPN-GW" nat-traversal udp-checksum
set ike gateway "VPN-GW" nat-traversal keepalive-frequency 0
set ike gateway "Gateway for Any" dialup "VPN-USER-GROUP" Aggr outgoing-interface "ethernet0/2" preshare "PQq3+msGNxx9Ms6DXCimaQfV+neQbMbew==" sec-level compatible
set ike gateway "Gateway for Any" nat-traversal udp-checksum
set ike gateway "Gateway for Any" nat-traversal keepalive-frequency 5
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "Client-VPN" gateway "VPN-GW" no-replay tunnel idletime 0 proposal "nopfs-esp-des-sha"
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set attack db sigpack base
set attack db mode Update
set attack db schedule daily 00:00
set url protocol websense
exit
set policy id 9 from "Untrust" to "Trust"  "Any" "ALJABER-LAN" "HTTP" permit log
set policy id 9
exit
set policy id 2 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 2
exit
set policy id 3 from "Untrust" to "Trust"  "Any" "MIP(213.42.xx.xxx)" "citrix" permit
set policy id 3
set dst-address "MIP(213.42.xx.xxx)"
set service "DNS"
set service "GRE"
set service "HTTP"
set service "HTTPS"
set service "POP3"
set service "PPTP"
set service "SMTP"
set service "vpn_port"
set service "MS-EXCHANGE"
set service "vpn"
exit
set policy id 4 from "Untrust" to "Trust"  "Any" "MIP(213.42.xx.xxx)" "HTTP" permit log
set policy id 4
set dst-address "MIP(213.42.xx.xxx)"
set service "HTTPS"
set log session-init
exit
set policy id 5 from "Trust" to "Untrust"  "192.168.101.101/32" "Any" "citrix" permit
set policy id 5
set service "HTTP"
set service "HTTP-EXT"
set service "HTTPS"
set service "Proxy_8080"
set service "UDP-ANY"
exit
set policy id 6 from "Trust" to "Untrust"  "192.168.101.201/32" "Any" "citrix" permit
set policy id 6
set service "DNS"
set service "GRE"
set service "HTTP"
set service "HTTPS"
set service "MS-RPC-ANY"
set service "POP3"
set service "PPTP"
set service "Proxy_8080"
set service "SMTP"
set service "vpn_port"
set service "MS-EXCHANGE"
set service "vpn"
exit
set policy id 8 from "Untrust" to "Trust"  "Dial-Up VPN" "ALJABER-LAN" "ANY" tunnel vpn "Client-VPN" id 0x5 log
set policy id 8
set log session-init
exit
set policy id 10 name "aljaber" from "Untrust" to "Trust"  "Any" "MIP(213.42.xx.xxx)" "ANY" permit log
set policy id 10
exit
set policy id 11 name "aljaber-smtp" from "Trust" to "Untrust"  "192.168.101.201/32" "MIP(213.42.xx.xxx)" "ANY" permit
set policy id 11
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

Commented:
I'm afraid I'm not a Juniper guru, and though I've gone through your config, I feel that the NAT section has been omitted. Again, going back to general networking, I still think your answer lies with creating a static NAT rule from the Exchange server to your dedicated WAN IP, as opposed to the default gateway.

See the following PDF: http://www.juniper.net/us/en/local/pdf/app-notes/3500151-en.pdf

See the following Juniper KBs: http://kb.juniper.net/InfoCenter/index?page=answers&type=narrow&fac=By+Product.Security+Products.Firewall.Firewall_IPSec+VPN.SSG+Series.SSG+140&question_box=nat&searchid=1237214038614

Author

Commented:
Hi

I found the solution: my Exchange server network card's default gateway was not set to the firewall IP address; it was set on the other network card of the server. Thanks for all the help.
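The cause the poster found (a second NIC carrying the default gateway) shows up on the server itself before any firewall work, so here is an added example (not code from this thread) that parses `route print -4` output, lists every 0.0.0.0/0 entry and flags when the active default route, the one with the lowest metric, does not point at the firewall. ROUTE_PRINT is a constructed excerpt in the format Windows prints; 192.168.101.200 is the SSG trust interface from the posted config, while the 10.10.10.x NIC and its gateway are invented for the example.

```python
"""Detect a Windows host whose effective default gateway lives on the wrong NIC.

Added example, not code from the original thread. Feed it the text of
`route print -4` from the Exchange server; the sample below is constructed.
"""
from typing import Dict, List

# Constructed excerpt (assumption): two NICs, each with a 0.0.0.0 route. The
# 10.10.10.x route has the lower metric, so Windows sends outbound mail that way.
ROUTE_PRINT = """\
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.10.10.1       10.10.10.5     10
          0.0.0.0          0.0.0.0  192.168.101.200  192.168.101.201    266
        10.10.10.0    255.255.255.0         On-link       10.10.10.5    266
     192.168.100.0    255.255.252.0         On-link  192.168.101.201    266
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    306
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0     10.10.10.1  Default
          0.0.0.0          0.0.0.0  192.168.101.200  Default
"""

FIREWALL_TRUST_IP = "192.168.101.200"  # SSG ethernet0/0 address from the posted config


def default_routes(output: str) -> List[Dict[str, object]]:
    """Parse every 0.0.0.0/0 row of the Active Routes table, best (lowest) metric first."""
    routes = []
    in_active = False
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.startswith("Active Routes"):
            in_active = True
            continue
        if stripped.startswith("Persistent Routes"):
            break  # persistent entries are duplicated in the active table anyway
        if not in_active:
            continue
        cols = stripped.split()
        if (len(cols) == 5 and cols[0] == "0.0.0.0" and cols[1] == "0.0.0.0"
                and cols[4].isdigit()):
            routes.append({"gateway": cols[2], "interface": cols[3], "metric": int(cols[4])})
    return sorted(routes, key=lambda r: r["metric"])


def check_default_gateway(output: str, firewall_ip: str) -> dict:
    """Report which default route wins and whether it leaves via the firewall."""
    routes = default_routes(output)
    if not routes:
        return {"ok": False, "active": None, "routes": routes,
                "problems": ["no default route configured"]}
    active = routes[0]  # Windows picks the lowest metric among several 0.0.0.0 routes
    problems = []
    if active["gateway"] != firewall_ip:
        problems.append(
            f"default route leaves via {active['interface']} to {active['gateway']}, "
            f"not the firewall {firewall_ip}")
    if len(routes) > 1:
        problems.append(
            f"{len(routes)} default routes configured; only one NIC should carry a gateway")
    return {"ok": not problems, "active": active, "routes": routes, "problems": problems}


if __name__ == "__main__":
    report = check_default_gateway(ROUTE_PRINT, FIREWALL_TRUST_IP)
    for p in report["problems"]:
        print("PROBLEM:", p)
    print("ok" if report["ok"] else "fix the gateway on the second NIC")
```

Once the stray gateway is removed the table contains a single 0.0.0.0 row pointing at the firewall, and the Received header the remote MX writes should then carry the MIP address rather than the firewall's WAN address.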
