masquerading issue

ssk1279

IS-IT--Management
Jun 11, 2005
4
AU
I have a Domino server hiding behind a Watchguard Firewall system.

Watchguard IP Address is 218.185.x.130/27

The DNS records of the server/Domain name points to 218.185.x.155.

Ports 25,110,1352 get NAT'd internally to 172.x.x.x

We have just discovered that emails sent to clients of MessageLabs are filtered/quarantined because MessageLabs attempts to cross-check domain name (218.185.x.155) against source IP address 218.185.x.130.

Any ideas how to resolve this??
 
According to your IP subnet you have a range of public IPs available. I am guessing that your MX record points to IP .155? SNMP traffic outbound is going out from IP .130. We use Netscreen firewalls so they may be a bit different, but if I set a public IP of .155 and MAP it to an internal IP of 172.x.x.x, mail being sent from that server shows as coming from .155 to the recipient. I think the Watchguard only allows ip-ip NAT and you may find that the only solution might be to get your MX record changed to point to .130, or change your Watchguard to use .155 as its public IP?
 
Thanks Markhp,

I changed the IP to 130, however if that fails in any way, I'll change the MX as you suggested.
 
Mark is right .. you must point your public MX to the WG external port, or another port within the (218.185.x.130/27) subnet in order for it to work correctly with NATing ..
 
Or you can try ALIASING the server or add another HOST within the DNS to keep both addresses. The important issue for MessageLabs and any other checking HOSTs is the SENDING IP address. E.g., if you have 2 'logical' servers where host1.domain.name has IP x.x.x.155 and another host2.domain.name has IP x.x.x.130, this COULD be worth trying...

TrooDOS
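
An added example, not part of the thread: a small model of the mismatch and of the three fixes proposed above (1:1 NAT so mail leaves from .155, repointing the MX host to .130, or publishing a second host for .130). The receiver's check is assumed to be a plain comparison of the connecting IP against the addresses of the domain's MX hosts; the thread does not say exactly what MessageLabs tests. The `example.com` names and `203.0.113.x` addresses are constructed stand-ins for the masked values.

```python
import ipaddress

# Constructed stand-ins for the thread's masked addresses (203.0.113.0/24 is a
# documentation range): .155 is what DNS publishes, .130 is the firewall's
# external IP that outbound mail is actually NAT'd behind.
PUBLISHED = "203.0.113.155"
NAT_SOURCE = "203.0.113.130"

def mail_hosts(zone, domain):
    """Return {hostname: set(addresses)} for the domain's MX targets."""
    hosts = {}
    for _pref, target in sorted(zone.get((domain, "MX"), [])):
        hosts[target] = {ipaddress.ip_address(a) for a in zone.get((target, "A"), [])}
    return hosts

def source_matches(zone, domain, source_ip):
    """Assumed receiver-side check: which MX hosts own the connecting IP?"""
    src = ipaddress.ip_address(source_ip)
    return sorted(h for h, addrs in mail_hosts(zone, domain).items() if src in addrs)

def zone_as_posted():
    # DNS as described in the first post: mail host resolves to .155 only.
    return {("example.com", "MX"): [(10, "mail.example.com")],
            ("mail.example.com", "A"): [PUBLISHED]}

def zone_mx_repointed():
    # Fix: point the MX host at the firewall's external address.
    zone = zone_as_posted()
    zone[("mail.example.com", "A")] = [NAT_SOURCE]
    return zone

def zone_second_host():
    # Fix: keep .155 and publish a second mail host for the sending address.
    zone = zone_as_posted()
    zone[("example.com", "MX")].append((20, "mail2.example.com"))
    zone[("mail2.example.com", "A")] = [NAT_SOURCE]
    return zone

if __name__ == "__main__":
    cases = [("as posted, mail leaves from .130", zone_as_posted(), NAT_SOURCE),
             ("1:1 NAT, mail leaves from .155", zone_as_posted(), PUBLISHED),
             ("MX repointed to .130", zone_mx_repointed(), NAT_SOURCE),
             ("second host for .130", zone_second_host(), NAT_SOURCE)]
    for label, zone, src in cases:
        hits = source_matches(zone, "example.com", src)
        print(f"{label}: {'match ' + ', '.join(hits) if hits else 'MISMATCH'}")
```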
 