Solved

Exchange 2010 smtp headers show WAN IP not NAT'ed Exchange IP

Posted on 2013-01-30
Last Modified: 2013-01-31
Good morning all,

We've been tracing a phantom rDNS record (we found our ISP was hosting a bad/old rDNS/PTR record).  As a result, we started carefully looking at the headers in our emails.
I've hidden most of the actual public IPs (for obvious reasons) for the example, but I am hoping someone can help me figure out either:
A) where our misconfiguration is, and how to correct it
B) if this is by design and we just need to update the PTR

Here's our setup.  2 Exchange 2010 Hub/CAS servers in a CAS array.  The array has inbound and outbound NAT rules on our Sonicwall TZ210 in our datacenter.  I can resolve our "mail.domain.com" address properly.  We use Proofpoint as our SPAM filter and route all inbound and outbound mail through them.

For reference, here are examples of the IPs we're dealing with.
WAN IP - xx.xxx.xxx.130
Exchange IP - xx.xxx.xxx.133

When we send mail, the headers list:
Received: from mail.domain.com (xx.xxx.xxx.130."ptr record"  [xx.xxx.xxx.130] (may be forged))

I've been scratching my head trying to figure out why this lists our WAN IP when we have NAT rules in place.  It also creates issues for us sending to certain domains, but not all domains.

Our send connectors properly list the "mail.domain.com" record and our Filters list both the WAN IP and the Exchange IP as "allowed relays."  I already have a call into them to see if it's a misconfiguration on their end, but I figured I'd try this group as well.

Any help would be appreciated.  I can also provide any additional info that might be helpful and forgive me if I didn't include it from jump-street.

Thanks in advance!
Question by:Jeremyricci
3 Comments
 
LVL 63

Accepted Solution

by:
Simon Butler (Sembee) earned 250 total points
ID: 38836832
Are the NAT rules 1:1 or port forwarding? That is the usual cause of these problems, as firewalls will handle them slightly differently. If you have dedicated external IP address/es for the Exchange servers, configure a 1:1 NAT, removing the port forwarding settings. Then configure a regular open port on the firewall.

Simon.
LVL 49

Assisted Solution

by:Akhater
Akhater earned 250 total points
ID: 38838254
What you have configured on your firewall should be reverse NAT, that is, mapping Exchange inbound IP xx.xxx.xxx.133 to the IP address of your antispam.

However, when sending, the firewall is using the global (default) IP address xx.xxx.xxx.130.
What you should do is also configure the firewall to use xx.xxx.xxx.133 for outbound when the antispam is sending email address. You can do that by configuring a 1-to-1 NAT.
Author Closing Comment

by:Jeremyricci
ID: 38839645
Thank you both, this was exactly the problem.  A little extra info.  Our previous FW person was a huge fan of using the Wizards in the Sonicwall.  However, the public server wizard does not create 1-to-1 NAT, by design.  It only creates One-to-Many NAT.  1-to-1 NAT policies need to be entered manually.

Thanks for the shove in the right direction!
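
An added example, not part of the original thread, for confirming the fix from the receiving side: it parses a first-hop Received header in the format quoted in the question and reports whether mail left through the expected 1-to-1 NAT address with a matching PTR name. The 203.0.113.x addresses, host names, and both header samples are constructed stand-ins for the masked values, and the function names are hypothetical.

```python
import ipaddress
import re

# First-hop format from the question:
#   from <HELO name> (<PTR name> [<connecting IP>] (may be forged))
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]()]+)?\s*"
    r"\[(?P<ip>[0-9A-Fa-f.:]+)\]\s*(?P<forged>\(may be forged\))?",
    re.IGNORECASE,
)

# Constructed samples: before (shared WAN address) and after (1-to-1 NAT).
BEFORE = ("Received: from mail.example.com (130.stale-ptr.isp.example "
          "[203.0.113.130] (may be forged))\r\n"
          "\tby filter.example with ESMTP; Wed, 30 Jan 2013 09:00:00 -0500")
AFTER = ("Received: from mail.example.com (mail.example.com [203.0.113.133])\r\n"
         "\tby filter.example with ESMTP; Thu, 31 Jan 2013 09:00:00 -0500")

def parse_received(header):
    """Return HELO name, PTR name, connecting IP and forged flag, or None."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header)  # undo header folding
    m = RECEIVED_RE.search(unfolded)
    if m is None:
        return None
    try:
        ip = ipaddress.ip_address(m.group("ip"))
    except ValueError:  # bracketed value is not a valid address
        return None
    return {"helo": m.group("helo").lower().rstrip("."),
            "rdns": (m.group("rdns") or "").lower().rstrip("."),
            "ip": ip,
            "may_be_forged": m.group("forged") is not None}

def audit_egress(header, expected_ip, expected_host):
    """List what the receiving server saw that differs from the intended setup."""
    hop = parse_received(header)
    if hop is None:
        return ["unparsed"]
    findings = []
    if hop["ip"] != ipaddress.ip_address(expected_ip):
        findings.append("egress-ip-mismatch")       # outbound NAT is not 1-to-1
    if hop["rdns"] != expected_host.lower().rstrip("."):
        findings.append("ptr-mismatch")             # PTR of the source IP is wrong/stale
    if hop["may_be_forged"]:
        findings.append("receiver-flagged-forged")  # receiver could not confirm the name
    return findings

if __name__ == "__main__":
    for label, hdr in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_egress(hdr, "203.0.113.133", "mail.example.com"))
```

Feed it the top-most Received line that the spam filter or a test recipient added, since that is the hop that sees the firewall's translated source address.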
Question has a verified solution.