Solved

Emails originating from wrong public IP

Posted on 2014-07-27
13
552 Views
Last Modified: 2014-07-28
Hello,

Recently my company has purchased a Zix email encryption gateway. We have added the A, MX and PTR records successfully (Verified with mxtoolbox). To switch between Exchange and Zix simply requires changing the send connector.

Before changing the send connector; Headers correctly show the origination IP - .44 (Our exchange server)
After changing the send connector; Header incorrectly show the originating IP - .2 (Our Sonicwall)

Email flows fine - But because the originating IP in the header is showing our Sonicwall (.2) and not Zix (.88) our emails bounce back from Barracuda and McAfee secured domains.

I've recently changed the send connector back to not use Zix until I can figure out how to correct the header information on emails going through the Zix gateway.

Could someone tell me - In order to change the originating IP in the email header is there a change needed to be made to Exchange or the Sonicwall - And how to do so would be very helpful.

Public IPs end in:
Firewall -               .2
Exchange 2010 -   .44
Zix Gateway -        .88


Thanks!
0
Comment
Question by:RISLA
  • 7
  • 6
13 Comments
 
LVL 1

Expert Comment

by:mcammidge
ID: 40223635
Few things to check. Did the send connector use a smart host prior to the change? If so the NAT on the sonic wall might be configured with that smarthost destination so that it only NATs the server .44 when traffic is going to that old smarthost, if thats the case edit the NAT rule with the new smarthost.

Or did you create a new send connector?

Mark
0
 

Author Comment

by:RISLA
ID: 40223959
Thanks for the reply!

Prior to the change, "Use DNS MX records to route mail automatically" was checked off.

We edited the send connector to instead use "Route mail through the following smart hosts:" and added the new IP (.88)
0
 
LVL 1

Expert Comment

by:mcammidge
ID: 40224013
The .88 ip is that a cloud server or in your network?
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 

Author Comment

by:RISLA
ID: 40224017
It's in my network.
0
 
LVL 1

Expert Comment

by:mcammidge
ID: 40224025
So the email leaves your network via the .88 box. If you goto whatismyip.com on exchange and the .88 can you confirm what ip shows on each?
0
 

Author Comment

by:RISLA
ID: 40224045
Exchange is showing .44

Zix is a UNIX based system.
- I set the private IP on initial setup, and then set up a NAT: 192.x.x.88 ==> 98.x.x.88

The IP can be confirmed because without the NAT,    The public IP doesn't respond to ping.
0
 
LVL 1

Expert Comment

by:mcammidge
ID: 40224235
Can you paste your NAT rules (taking out some of the IP as you did above for security)
0
 

Author Comment

by:RISLA
ID: 40224308
0
 

Author Comment

by:RISLA
ID: 40224309
Zix has an identical rule. Just different IP
0
 
LVL 1

Accepted Solution

by:
mcammidge earned 500 total points
ID: 40224453
Thats your incoming nat. You need a rule to translate your outgoing. As your .88 server is sending email now youll need to NAT that to use .44 when destination port is 25. Please check there is probably a rule already making traffic source from 192.x.x.44 translated source 98.x.x.44 that is making your exchange use this on outbound connections
0
 

Author Comment

by:RISLA
ID: 40224679
mcammidge, I think you just saved my life.

I'm so used to only NATing inbound I looked right past it.

Waiting on confirmation that we're no longer being blocked, but sent myself a test message and the header read .88

I will mark this question as soon as I get confirmation. THANK YOU!
0
 
LVL 1

Expert Comment

by:mcammidge
ID: 40224681
No problem. NAT can be a pain! Hope all goes well

Mark
0
 

Author Closing Comment

by:RISLA
ID: 40225246
Mcammidge stuck with me until the end. Huge help, definitely wouldn't have seen the NAT was inverted without him.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn to move / copy / export exchange contacts to iPhone without using any software. Also see the issues in configuration of exchange with iPhone to migrate contacts.
Read this checklist to learn more about the 15 things you should never include in an email signature.
In this video we show how to create an email address policy in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Mail Flow…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question