ruhkus
 asked on

How to determine destination IP when setting up firewall outbound port 587?

I need to open up port 587 on my firewall for a custom program that sends out e-mails to a few people outside the organization. However, it seems that the destination IP address that the vendor that made the program insists is correct does not work when I set up the firewall rule. If I open up full port 587 outbound access though, the e-mails go through fine.

If I wanted to figure out the correct destination IP address, would I be able to do this on my own? I know the domain that the e-mails are sent to, and when looking up this info, it seems that they may have mail hosted by Rackspace. Does this mean that I should add the Rackspace MX record IPs as my destination address?

Last Comment: Chris Dent, 8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Chris Dent

Simon Butler (Sembee)

Rackspace will have their own MX records. If the application is on a dedicated server then it will be using different addresses. It could be MX records for their own domain, in which case looking up the MX records for their domain might give you the correct information.

What I would probably do is enable logging for that port on your firewall. Send out an email and see what it connects to. Then compare it to what you have been told by the vendor.

Simon.
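
The log-and-compare check suggested above, as an added example that is not part of the original posts. The key=value log format, the application host 10.0.0.25, the vendor address 192.0.2.10 and all log lines are constructed assumptions (documentation address ranges); adapt the regex to your firewall's real log format.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a generic key=value firewall log format (an assumption).
# All addresses are documentation ranges, not real mail servers.
SAMPLE_LOG = """\
2022-08-22T09:14:02 action=allow src=10.0.0.25 dst=198.51.100.17 proto=tcp dpt=587
2022-08-22T09:14:03 action=allow src=10.0.0.25 dst=198.51.100.44 proto=tcp dpt=587
2022-08-22T09:14:05 action=allow src=10.0.0.31 dst=203.0.113.9 proto=tcp dpt=443
2022-08-22T09:15:40 action=allow src=10.0.0.25 dst=198.51.100.17 proto=tcp dpt=587
2022-08-22T09:16:11 action=allow src=10.0.0.25 dst=203.0.113.80 proto=tcp dpt=587
2022-08-22T09:16:12 action=allow src=10.0.0.77 dst=203.0.113.80 proto=tcp dpt=587
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=tcp dpt=(?P<dpt>\d+)")

def observed_destinations(log_text, app_host, port=587):
    """Count destination IPs contacted by app_host on the given TCP port."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["src"] == app_host and int(m["dpt"]) == port:
            hits[ipaddress.ip_address(m["dst"])] += 1
    return hits

def compare_with_vendor(hits, vendor_ips):
    """Split observed destinations into those the vendor listed and those it did not."""
    vendor = {ipaddress.ip_address(ip) for ip in vendor_ips}
    seen = set(hits)
    return {
        "listed_and_seen": sorted(seen & vendor),
        "seen_not_listed": sorted(seen - vendor),
        "listed_never_seen": sorted(vendor - seen),
    }

def covering_prefixes(hits, prefixlen=24):
    """Group observed IPv4 destinations by /prefixlen to show how wide a rule would be."""
    nets = Counter()
    for ip, count in hits.items():
        nets[ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)] += count
    return dict(nets)

if __name__ == "__main__":
    hits = observed_destinations(SAMPLE_LOG, "10.0.0.25")
    print(compare_with_vendor(hits, ["192.0.2.10"]))
    print(covering_prefixes(hits))
```

The /24 grouping only summarizes what was seen during the logging window; it is not the mail provider's published range, so a rule built from it can miss addresses that appear later.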
ruhkus

ASKER
It looks like it's connecting to multiple addresses that translate back to secure.emailsrvr.com (Rackspace). I guess my options are to add all the IP ranges for Rackspace to my firewall, or just allow full outbound access for port 587. We don't need to be ultra secure here, but is it generally at least somewhat ok to allow full outbound access on port 587?
SOLUTION
Simon Butler (Sembee)

Chris Dent

Agreed, restrict the source IP for the rule if you can and perhaps have someone check that the mail server cannot be used as an open relay (or flag that as a risk).

Chris