Solved

Changing MX record to office without Barracuda Spam Filter - I need to route traffic through MPLS to office with Spam filter.

Posted on 2013-06-07
Last Modified: 2013-06-21
Dear Experts,

I need to route email coming from the outside through the MPLS network to another office. I am wondering what I need to keep in mind for this to work.

Here is the situation:

I am changing the MX record to another office that has an ASA 5510 firewall. There is no spam filter there. The Barracuda Spam Filter is in an office that will have its internet temporarily down. Keep in mind that there is an MPLS network between offices still working at all times.

So it needs to work like this:

eMail traffic ----> Office "A" ASA firewall points to Barracuda in Office "B" connecting through the MPLS network.

The exchange servers have a connector in between. There are two MS exchange servers 2010. One in each office.

I need to make the office "B" barracuda take traffic coming over the MPLS network from office "A".

The MX record right now points to barracuda.company.com with IP that will no longer be available.


Is that possible?

Thanks, M
Question by:marceloNYC
 
LVL 76

Expert Comment

by:arnold
You need to set up a virtual IP mapping from office A to the Exchange IP in office B.
OfficeA 192.168.10.0/24
OfficeB 192.168.20.0/24

192.168.10.24 <=> 192.168.20.25 (Barracuda IP). The difficulty is that your Barracuda appliance will see this traffic coming in on the trusted side and may have a different ruleset versus if it were seeing the traffic through its external interface.

OfficeA WAN port forward 25 => 192.168.10.24

Add the office A WAN IP to the existing mail.yourdomain.com host,
or define mail2 and add it as a higher number (lower preference) MX pointing to mail2.
When the office B connection recovers, the traffic will start flowing through it.

Depending on the length of your planned outage, sending mail servers will often queue up emails for a few days; these will be delivered when the connection is reestablished.
 

Author Comment

by:marceloNYC
I have no idea why, when I unplug the internet for our office B where the Barracuda is, the office A MX record does not take over as it should. The Barracuda is not getting the emails from office A. They do ping each other. I did the NAT to port 25. The Barracuda is not receiving any email traffic. I am looking at the message log and it is inactive. I plug the internet back in at office B and the emails start coming in again. It must be an internal routing issue between office A and office B.

Here is an SMTP test for office B:

220 barracuda.ourcompany.com ESMTP (3c6cecde6efad6430bd9d91b158eef11) [4540 ms]
EHLO please-read-policy.mxtoolbox.com
250-barracuda.ourcompany.com Hello mxtb-pws3.mxtoolbox.com [64.20.227.133], pleased to meet you
250-SIZE 100000000
250-PIPELINING
250 8BITMIME [874 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 Sender <supertool@mxtoolbox.com> OK [655 ms]
RCPT TO: <test@example.com>
550 No such domain at this location [655 ms]
QUIT

SendSMTPCommand: You hung up on us after we connected. Please whitelist us. (connection lost)

MXTB-PWS3v2 7660ms

Result for office A:

SendSMTPCommand: You hung up on us after we connected. Please whitelist us. (connection lost)

MXTB-PWS3v2 15444ms

So if I can get the same result from office B in office A, that will be a success. I am trying to reorganize a difficult routing network setup between both offices.

What I think is happening is that office B goes to office A with a route using the IP FLEX, or let's call it the point-to-point line with AT&T, and office A comes to office B with another routing path over the VPN tunnels. I know this from running traceroutes on both sides. That is the only thing I can imagine is causing this issue.
 
LVL 76

Expert Comment

by:arnold
MX records are not an active participant. The email flow is determined by the sending mail server, and they will attempt to contact the primary MX. When that fails they reschedule the delivery of the message to later, at which point they should connect to the secondary MX, tertiary, etc. The transition is not immediate.
It is not "oops, the primary is down, let me connect to the next one and attempt delivery right away."

Does office A have a DNS record that points to the Barracuda on an internal path?
i.e. domain.com MX 0 mail.domain.com.
mail A publicIP siteB
mail A publicIP SiteA
mail A internalIP_between_site_a_and_site_B
?
 

Author Comment

by:marceloNYC
Good questions!!!! Let me get to it, will get back to you soon.
 

Author Comment

by:marceloNYC
If I run an nslookup internally for barracuda2.domain.com and barracuda.domain.com, I should be resolving to the external address, correct?
 

Author Comment

by:marceloNYC
Answering: Does office A have a DNS record that points to the Barracuda on an internal path?

Yes!
 

Author Comment

by:marceloNYC
Question: once I get the DNS correct in the internal servers for the second MX record, I should be able to establish the SMTP dialog that I need, right?
 
LVL 76

Expert Comment

by:arnold
Yes, Barracuda may have a restriction on which IPs it will accept a connection from.
Barracuda needs to have a path back.
Is your Barracuda set up in a DMZ?

telnet internalIPbarracuda 25
 

Author Comment

by:marceloNYC
I can telnet from office A to the Barracuda using port 25, no problems. I wonder how I can check the way back with port 25 for the Barracuda.

traceroute 172.16.8.225 port 25 << from office A firewall, Cisco ASA

Type escape sequence to abort.
Tracing the route to 172.16.8.225

 1  172.16.102.2 0 msec 0 msec 0 msec
 2  10.255.255.10 40 msec 40 msec 30 msec
 3  10.255.255.13 100 msec 60 msec 60 msec
 4  OFFICE B barracuda (172.16.8.225) 50 msec 70 msec 60 msec
 #
The Barracuda is dropping the conversation for some reason. I also turned off the fixup protocol for port 25 in the ASA firewall.

220 barracuda.domain.com ESMTP <-- I need that to happen from

barracuda2.domain.com

I think I got the internal DNS okay for the Barracuda. I would like to know how I can confirm that SMTP traffic is passing between offices with no problems.
 
LVL 76

Expert Comment

by:arnold
From site A:
telnet barracudaInternalIP 25

ehlo <yoursystemname i.e. workstation.domain.com>
mail from: <youremailaddress>
rcpt to: <youremailaddress>
data
From: <youremailaddress>
To: <youremailaddress>
Subject: testing internal connection mail exchange

Test
.
quit

You should receive a 250 for ehlo, mail and rcpt; 250 means proceed.
To the data command, you should receive a 354.
When you type in the single period on a line, it will be interpreted as the end of message and you should receive a 250 that your message was accepted. Anything else, please post.

Check the logs on your siteA mailserver to see what was going on when it was trying to connect.
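The telnet dialogue above, driven from a short script, as an added example (not arnold's code or anything from the thread): it sends EHLO, MAIL, RCPT, DATA and the terminating '.', checks each reply code, and reports the first step that fails, which covers the two failure shapes seen later in this thread (a 500 after MAIL FROM, and a connection dropped before the banner). Host names and addresses are placeholders, and `canned_peer()` is a constructed lab peer so it runs offline; to test the real path, hand `run_dialogue()` a `socket.create_connection((barracuda_internal_ip, 25))` instead.

```python
# Added example (not from the thread). Names and addresses are placeholders;
# canned_peer() is a constructed lab peer so the check runs offline.
import socket
import threading
# (step, text to send, expected code); the body ends with a lone '.'.
STEPS = [
    ("EHLO", "EHLO workstation.example.test", "250"),
    ("MAIL", "MAIL FROM:<postmaster@example.test>", "250"),
    ("RCPT", "RCPT TO:<postmaster@example.test>", "250"),
    ("DATA", "DATA", "354"),
    ("body", "Subject: testing internal connection\r\n\r\nTest\r\n.", "250"),
]
def read_reply(rf):
    """Code of one full reply ('250-' continues, '250 ' ends); None on EOF."""
    while True:
        raw = rf.readline()
        if not raw:                         # peer hung up before replying
            return None
        if len(raw) < 4 or raw[3:4] != b"-":
            return raw[:3].decode("ascii", "replace")
def run_dialogue(sock, steps=STEPS):
    """Return (ok, step, code); step is 'banner' or the first failing command."""
    with sock, sock.makefile("rb") as rf:
        code = read_reply(rf)
        if code != "220":                   # e.g. dropped before the banner
            return False, "banner", code
        for name, text, want in steps:
            sock.sendall((text + "\r\n").encode("ascii"))
            code = read_reply(rf)
            if code != want:
                return False, name, code
        sock.sendall(b"QUIT\r\n")
        return True, "QUIT", read_reply(rf)
def canned_peer(replies):
    """Constructed lab peer: banner, then one canned reply per client command."""
    client, server = socket.socketpair()
    def serve():
        with server, server.makefile("rb") as rf:
            prev = None
            for reply in replies:
                if prev is not None:        # wait for the client's command
                    line = rf.readline()    # after a 354, swallow the body
                    while prev == "354" and line and line.strip() != b".":
                        line = rf.readline()
                    if not line:
                        return
                server.sendall(reply.encode("ascii") + b"\r\n")
                prev = reply[:3]
    threading.Thread(target=serve, daemon=True).start()
    return client
```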
 

Author Comment

by:marceloNYC
Router Office A#telnet 172.16.8.225 25
Trying 172.16.8.225, 25 ... Open
220 barracuda.domain.com ESMTP (3c6cecde6efad6430bd9d91b158eef11)
ehlo me.domain
250-barracuda.domain.com Hello me.domain[10.255.255.9], pleased to meet you
250-SIZE 100000000
250-STARTTLS
250-PIPELINING
250-8BITMIME
250 HELP
 
mail from: me@domain.com
500 Syntax error, command unrecognized
mail from: me
500 Syntax error, command unrecognized
421 too many errors
 
LVL 76

Expert Comment

by:arnold
You may need to use the specific format; also note that you cannot back up.
There might be issues with the return. Instead of Enter, try Ctrl-J.
mail from: <emailaddress>
 

Author Comment

by:marceloNYC
I cannot get it in my head why the 200 banner is not working for the second MX record. I get it internally with no problems, from outside not. I think it's got to do, as you said, with the internal DNS.

Here is what I get from the outside using http://mxtoolbox.com:

This is the one that is working

SMTP Reverse Banner Check       OK - 98.xx.yy.249 resolves to barracuda.domain.com
SMTP Reverse DNS Mismatch       OK - Reverse DNS matches SMTP Banner       
SMTP TLS       Warning - Does not support TLS.       
SMTP Connection Time       0.702 seconds - Good on Connection time       
SMTP Open Relay       OK - Not an open relay.       
SMTP Transaction Time       2.870 seconds - Good on Transaction Time

220 barracuda.domain.com ESMTP (3c6cecde6efad6430bd9d91b158eef11) [640 ms]
EHLO please-read-policy.mxtoolbox.com
250-barracuda.domain.com Hello mxtb-pws3.mxtoolbox.com [64.20.227.133], pleased to meet you
250-SIZE 100000000
250-PIPELINING
250 8BITMIME [874 ms]
MAIL FROM: <supertool@mxtoolbox.com>
250 Sender <supertool@mxtoolbox.com> OK [640 ms]
RCPT TO: <test@example.com>
550 No such domain at this location [640 ms]
QUIT

SendSMTPCommand: You hung up on us after we connected. Please whitelist us. (connection lost)

MXTB-PWS3v2 3526ms



This is from the one NOT working:



SMTP Reverse Banner Check       OK - 12.xx.xx.118 resolves to 118.xx.yy.12.in-addr.arpa, barracuda2.domain.com <-- this one is okay
SMTP Reverse DNS Mismatch       Warning - Reverse DNS does not match SMTP Banner       
SMTP TLS       Warning - Does not support TLS.       
SMTP Server Disconnected       Server disconnected before banner was complete.       
 

SendSMTPCommand: You hung up on us after we connected. Please whitelist us. (connection lost)

MXTB-PWS3v2 15350ms

Here is the problem, I think: Reverse DNS matches SMTP Banner

I read this could be the fix for this issue:



Configure SMTP banner Exchange 2007/2010

1. Open the Exchange management console.
2. Select the Organisation Configuration container.
3. Select Hub Transport container.
4. On the right select the Send Connectors tab.
5. Right click your send connector and select properties.
6. On the General tab under the Set the Fully Qualified Domain Name (FQDN) this connector will… type the A record domain name you created. Which in our case is mail.yourdomain.com. Click OK.
7. Under the Server Configuration container click the Hub Transport container.
8. In the Right window Select the properties of the Receive Connector under Receive Connectors tab.
9. On the General tab under the Set the Fully Qualified Domain Name (FQDN) this connector will… type the A record domain name you created. Which in our case is mail.yourdomain.com. Click OK.


When I enter the email server as a fully qualified domain name in the send connector, it gave me a WARNING that it was not in Active Directory. When I run the nslookup it resolves fine.

"the source transport servers specified for the connector aren't in the same site Active directory site"

Thanks!
 
LVL 76

Expert Comment

by:arnold
In the test you must use your own domains. Your test is not to relay through the Barracuda appliance but to deliver an email destined to your domain via a different path.

i.e. you have the preferred road which always goes to point B

internet anypoint  -> point B

Now you are trying to achieve a failover of the email when internet to point B path is obstructed
internet anypoint -> Point A ->internally Point B.

You have a validation check; you might have to reference, on your internal server, both the internal and external IPs associated with the name:
barracuda.domain.com A 12.x.x.x
barracuda.domain.com A 192.168.x.x
192.168.x.x must point back to barracuda.domain.com as well.

This is a result of an anti-spam mechanism.


I am unclear when you post what works and when it does not, what or where you are testing. Is it an internal tool to exchange?

You might want to exempt the internal IP of the baracuda from the anti-spam/banner verification mechanism if available.
 

Author Comment

by:marceloNYC
I think that my problem is with ESMTP from the Cisco ASA firewall in office A. My problem now is that I see both firewalls configured the same, without ESMTP filtering.
 
LVL 76

Accepted Solution

by:
arnold earned 500 total points
To change the behavior of the mail server, look at whether you can alter the greeting from ehlo (ESMTP) to helo (SMTP)
 

Author Comment

by:marceloNYC
Okay, will look into it.
 

Author Comment

by:marceloNYC
I've requested that this question be closed as follows:

Accepted answer: 0 points for marceloNYC's comment #a39254913

for the following reason:

I learned that the internet traffic between offices had to be allowed by AT&T. They had to allow all traffic 0.0.0.0. It was an internal BGP thing between offices.

Everything was fine in the firewall; it was just that the Barracuda was not able to respond back.

Thanks for your time with this arnold.
 

