How to determine destination IP when setting up firewall outbound port 587?

I need to open up port 587 on my firewall for a custom program that sends out e-mails to a few people outside the organization. However, it seems that the destination IP address that the vendor that made the program insists is correct does not work when I set up the firewall rule. If I open up full port 587 outbound access though, the e-mails go through fine.

If I wanted to figure out the correct destination IP address, would I be able to do this on my own? I know the domain that the e-mails are sent to, and when looking up this info, it seems that they may have mail hosted by Rackspace. Does this mean that I should add the Rackspace MX record IPs as my destination address?
Asked by: ruhkus

Chris Dent (PowerShell Developer) Commented:
No, not really.

This is a hard question to answer. You need to add the servers you expect to send mail to; that they're in Rackspace doesn't necessarily mean they have anything to do with Rackspace's MX record. After all, that only determines what happens if mail is sent to Rackspace themselves.

If the one the vendor supplied you with is incorrect, you can either use the one you've found by watching the sessions and assume that's the extent of it, or get the recipient domain and look up the MX record for that, or bounce it back to the vendor as "well, it's wrong, please supply the correct value".

Chris
0

Simon Butler (Sembee) (Consultant) Commented:
Rackspace will have their own MX records. If the application is on a dedicated server then it will be using different addresses. It could be MX records for their own domain, in which case looking up the MX records for their domain might give you the correct information.

What I would probably do is enable logging for that port on your firewall. Send out an email and see what it connects to. Then compare it to what you have been told by the vendor.

Simon.
0
ruhkus (Author) Commented:
It looks like it's connecting to multiple addresses that translate back to secure.emailsrvr.com (Rackspace). I guess my options are to add all the IP ranges for Rackspace to my firewall, or just allow full outbound access for port 587. We don't need to be ultra secure here, but is it generally at least somewhat OK to allow full outbound access on port 587?
0
Simon Butler (Sembee) (Consultant) Commented:
Can you restrict who has the ability to use the port?
The biggest problem with allowing the port is that it could allow an end user to send email via a personal email account. Therefore if you can restrict which machines can make the external connection, then that would be better from a security point of view.

Simon.
0
Chris Dent (PowerShell Developer) Commented:
Agreed, restrict the source IP for the rule if you can and perhaps have someone check that the mail server cannot be used as an open relay (or flag that as a risk).

Chris
0
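
The checks suggested in this thread (log what port 587 actually connects to, compare that with the vendor's address, and see which machines use the port), written out as an added example that is not part of the original posts. The key=value log format, the IP addresses and the function name `audit_submission` are constructed for illustration; the parsing has to be adapted to the firewall's real log format.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a made-up key=value format (documentation IP ranges).
SAMPLE_LOG = """\
2024-05-01T09:00:01 action=allow proto=tcp src=10.0.5.20 dst=203.0.113.10 dport=587
2024-05-01T09:00:03 action=allow proto=tcp src=10.0.5.20 dst=203.0.113.11 dport=587
2024-05-01T09:00:04 action=allow proto=tcp src=10.0.5.20 dst=198.51.100.7 dport=443
2024-05-01T09:02:10 action=allow proto=tcp src=10.0.8.77 dst=192.0.2.25 dport=587
2024-05-01T09:05:42 action=deny proto=tcp src=10.0.5.20 dst=203.0.113.12 dport=587
this line is malformed and is skipped
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def audit_submission(log_text, app_hosts, vendor_dests, port=587):
    """Return (observed, missing, unexpected) for outbound TCP traffic to `port`.

    observed:   source IP -> sorted list of destination IPs seen in the log
    missing:    destinations the application hosts tried to reach that the
                vendor-supplied addresses/networks do not cover
    unexpected: sources using the port that are not application hosts
    """
    allowed = [ipaddress.ip_network(n) for n in vendor_dests]
    observed = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        if fields.get("proto") != "tcp" or fields.get("dport") != str(port):
            continue
        try:
            src = ipaddress.ip_address(fields["src"])
            dst = ipaddress.ip_address(fields["dst"])
        except (KeyError, ValueError):
            continue  # skip lines without usable addresses
        # Allowed and denied attempts both count: a denied attempt shows a
        # destination the application wants that the current rule blocks.
        observed[str(src)].add(dst)
    missing = sorted({str(d) for s in app_hosts for d in observed.get(s, ())
                      if not any(d in net for net in allowed)})
    unexpected = sorted(s for s in observed if s not in app_hosts)
    return {s: sorted(map(str, d)) for s, d in observed.items()}, missing, unexpected


if __name__ == "__main__":
    seen, missing, unexpected = audit_submission(
        SAMPLE_LOG, app_hosts={"10.0.5.20"}, vendor_dests=["203.0.113.10/32"])
    print("destinations per source:", seen)
    print("not covered by vendor address:", missing)
    print("other machines using port 587:", unexpected)
```

A non-empty `missing` list is the evidence to send back to the vendor, and a non-empty `unexpected` list is the case for restricting the rule's source to the application server.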