emails to AOL/hotmail, etc bounce

Status
Not open for further replies.

w4nn4b1337

IS-IT--Management
Apr 14, 2009
42
US
We brought up a new site about a year ago. The purpose was to provide email services and nothing else. No Internet browsing, FTP, etc. is being used on this circuit. It is strictly SMTP. The problem is in the last month or so email is not being delivered to AOL or hotmail and maybe a few more.
This is a typical configuration of a T1 circuit, Cisco ASA firewall, with a public IP with a Static NAT to our inside private Exchange server. Let's say the outside IP for the firewall is 1.1.1.14 and the Exchange server is using 1.1.1.15.
The problem is the email notice we receive is saying the source address doesn't match the reverse lookup.
The address it is reporting is from our firewall outside interface 1.1.1.14.
We have checked all DNS records with a popular DNS testing website and all DNS records show the FQDN is resolving to 1.1.1.15 as it should. The reverse lookup matches the SMTP banner.
The question is: if DNS is correct and the SNMP banner is correct, how can AOL be receiving email from 1.1.1.14 (our firewall) and not 1.1.1.15 (our Exchange server)?
 
So if you look at the headers of a message that's left your environment (say, to your 'backup' GMAIL account), what's the IP listed there? If you go to from the Exchange server, what's listed there?

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
The AOL header says 1.1.1.14 and while logged into exchange server whatismyip says 1.1.1.14.


I have a static PAT set for outside 1.1.1.15:25 to inside 192.168.0.10:25. That makes me think it is a firewall configuration issue and I need to set an outgoing static PAT rule for outgoing from 192.168.0.10 to 1.1.1.15?




 
Or does this mean I need to do my PAT translation on 1.1.1.14:25 to 192.168.0.10:25 and re-register my MX with the ISP?

 
w4nnb1337,

It does sound like it is a NAT issue on your firewall. Either solution that you have listed should work just fine. I would personally try to fix the NAT issue rather than changing my MX record with my ISP. If your NAT translation is wrong then by default it will use the Global.

static (inside,outside) 1.1.1.15 192.168.0.10 netmask 255.255.255.255

That is the statement I normally use on my PIX ASA to set up a NAT address.

Hope this helps.

Mike Walton
Network+ CCENT
New Technology Articles
 
w4nnb1337,

We have run into this issue before. The address you send your email out must match the in. So in your case, like FireMike84 said,
"static (inside, outside) 1.1.1.15 <==> 192.168.0.10/25"

I believe that this was set forth by anti-spam servers to validate the domain in which the address the email was sent from.

-E
 
I just wanted to follow up and say this problem was resolved with a reconfiguration of NAT. It was a simple fix but I was hitting my head against the wall trying to isolate it. Thanks for the assist.

Network+ / Security+ / C|EH /CCNA
Working towards CCNP and CWNA.
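
The header check suggested earlier in the thread, combined with the reverse-lookup comparison the receiving providers apply, as an added example that is not code from any poster. The hostname mail.example.com, the sample message and the two DNS tables are constructed so the check runs offline; 1.1.1.14, 1.1.1.15 and 192.168.0.10 are the thread's own placeholder addresses.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample: headers as a receiving provider would record them
# while outbound mail still leaves through the firewall's interface PAT.
SAMPLE = """\
Received: from mail.example.com (unknown [1.1.1.14])
 by mx.receiver.example with ESMTP; Tue, 14 Apr 2009 10:00:00 -0400
Received: from EXCH01.corp.example ([192.168.0.10]) by EXCH01.corp.example
 with mapi; Tue, 14 Apr 2009 09:59:58 -0400
From: user@example.com
Subject: test

body
"""

# Constructed DNS data standing in for live A and PTR lookups.
A_RECORDS = {"mail.example.com": "1.1.1.15"}
PTR_RECORDS = {"1.1.1.15": "mail.example.com"}

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def egress_ip(raw_message):
    """Return the first public IP in the Received chain (newest hop first)."""
    for hop in message_from_string(raw_message).get_all("Received", []):
        for text in IP_IN_BRACKETS.findall(hop):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:
                continue  # bracketed digits that are not a valid address
            if not addr.is_private:
                return text
    return None

def diagnose(raw_message, mail_host):
    """Compare the address the receiver saw with what DNS says it should be."""
    seen = egress_ip(raw_message)
    ptr = PTR_RECORDS.get(seen)  # reverse lookup of the connecting address
    return {
        "seen": seen,
        "expected": A_RECORDS.get(mail_host),
        "egress_matches_a_record": seen == A_RECORDS.get(mail_host),
        # Forward-confirmed reverse DNS: PTR exists and its A record points back.
        "forward_confirmed_rdns": ptr is not None and A_RECORDS.get(ptr) == seen,
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE, "mail.example.com"))
```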
 