Inconsistent DNS Causes mail issues.
My colleague sent me this screenshot... And asked me to solve it! Nevertheless, I'm unsure of what to do. Also, he is interrupting my studies for CCDA! Anyhow, if we get hold of this, I learn something. Anyone got any idea? Please also explain the mechanics behind this.
A symptom of this problem is that we can't mail to some clients.

CCNA, CCNA:Sec, Net+, Sonicwall Admin (fwiw). Constantly getting into new stuff.
Comments
-
saspro Member Posts: 114
This one is easy.
Your DNS records are pointing to one IP address and you're actually sending out to the world from another IP address.
You need to do the following:
Configure your firewall to send smtp traffic from your email server to send out via 217.76.81.2
Your rDNS is already setup on this IP so shouldn't take too long
FCrDNS test result:
217.76.81.2 resolved to exchange02.ab1.se.
exchange02.ab1.se resolved to 217.76.81.2;
rDNS is forward confirmed. -
pham0329 Member Posts: 556
^^ what he said. A lot of email servers use the PTR record to verify the email source and to ensure it wasn't spoofed. If you receive email from @mail.com, and it's from 1.1.1.1, but when you do a reverse lookup, @mail.com has a PTR record of 2.2.2.2, depending on how your mail server is configured, it may reject the message. -
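The forward-confirmed reverse DNS check that saspro's test output and pham0329's explanation describe, written out as an added example (it is not code from this thread or from any tool mentioned in it): take the IP a message actually arrives from, look up its PTR record, resolve that hostname forward again, and report whether the original IP comes back. The records in SAMPLE_PTR and SAMPLE_A are constructed for offline use: the exchange02.ab1.se / 217.76.81.2 pair mirrors saspro's FCrDNS output, while 192.0.2.10 and 203.0.113.7 are documentation-range placeholders standing in for a firewall WAN address that mail might really be leaving from. When no stub resolvers are passed in, the check uses the system resolver.

```python
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed records for an offline demonstration; not live DNS data.
# 217.76.81.2 / exchange02.ab1.se reproduces the pair shown in the thread.
# 192.0.2.10 (no PTR at all) and 203.0.113.7 (PTR whose forward lookup
# points elsewhere) are placeholders for "the firewall's own public IP".
SAMPLE_PTR: Dict[str, str] = {
    "217.76.81.2": "exchange02.ab1.se",
    "203.0.113.7": "mail.example.net",
}
SAMPLE_A: Dict[str, List[str]] = {
    "exchange02.ab1.se": ["217.76.81.2"],
    "mail.example.net": ["203.0.113.8"],
}

PtrLookup = Callable[[str], Optional[str]]
ForwardLookup = Callable[[str], List[str]]


def system_ptr(ip: str) -> Optional[str]:
    """Reverse lookup via the OS resolver; None when no PTR record exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_forward(name: str) -> List[str]:
    """All IPv4 addresses the OS resolver returns for a hostname."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def stub_resolvers(ptr: Dict[str, str],
                   a: Dict[str, List[str]]) -> Tuple[PtrLookup, ForwardLookup]:
    """Build lookup functions from in-memory records so the check runs offline."""
    return (lambda ip: ptr.get(ip), lambda name: list(a.get(name, [])))


def fcrdns_check(sending_ip: str,
                 ptr_lookup: PtrLookup = system_ptr,
                 forward_lookup: ForwardLookup = system_forward) -> Tuple[str, str]:
    """
    Return (verdict, explanation) for the IP a message was received from.

    verdict is one of:
      "confirmed" - IP -> PTR name -> A records contains the IP (FCrDNS passes)
      "no_ptr"    - the IP has no PTR record; many receivers treat this as spam
      "mismatch"  - PTR exists but its forward lookup does not return this IP
    """
    name = ptr_lookup(sending_ip)
    if name is None:
        return "no_ptr", f"{sending_ip} has no PTR record"
    forward = forward_lookup(name)
    if sending_ip in forward:
        return "confirmed", f"{sending_ip} -> {name} -> {sending_ip}"
    shown = ", ".join(forward) if forward else "no A record"
    return "mismatch", f"{sending_ip} -> {name} -> {shown}"


if __name__ == "__main__":
    # The situation in the thread: DNS and PTR are correct for the .2 address,
    # but if outbound mail is NATed to a different public IP, the receiving
    # server sees that other IP and the check fails there.
    ptr, fwd = stub_resolvers(SAMPLE_PTR, SAMPLE_A)
    for ip in ("217.76.81.2", "192.0.2.10", "203.0.113.7"):
        verdict, why = fcrdns_check(ip, ptr, fwd)
        print(f"{verdict:10} {why}")
```

Running the stub scenario prints one confirmed line for 217.76.81.2 and failures for the two placeholder addresses, which is exactly what a receiving server sees when mail leaves through a NAT address other than the one the PTR record was built for. Run `fcrdns_check("<ip>")` with no extra arguments to test a real sending address against live DNS.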
Morty3 Member Posts: 139
It is already set up like that, saspro. Email traffic from our Exchange Server is translated to .2.
Thanks for the help, also.
CCNA, CCNA:Sec, Net+, Sonicwall Admin (fwiw). Constantly getting into new stuff. -
undomiel Member Posts: 2,818
But is the outbound NAT policy using the same address? Your screenshot just shows inbound.
Jumping on the IT blogging band wagon -- http://www.jefferyland.com/ -
saspro Member Posts: 114
But is the outbound NAT policy using the same address? Your screenshot just shows inbound.
This^^^^^ -
it_consultant Member Posts: 1,903
But is the outbound NAT policy using the same address? Your screenshot just shows inbound.
This bit me once. I had the inbound come in through a different IP than it was sending from. You can do this, you just have to remember to match your PTR record to whatever IP the thing is sending FROM. Otherwise spam filters will not like you. It is better than having no PTR at all. -
jibbajabba Member Posts: 4,317 ■■■■■■■■□□
It is already set up like that, saspro. Email traffic from our Exchange Server is translated to .2.
Thanks for the help, also.
Make sure you've got a reflexive policy set up .. only the NSA series has that magic tickbox. You seem to have a PRO, which doesn't do that ...
Simply go to http://www.whatsmyip.org/ from the server and see if the public IP matches or whether it shows the firewall's IP or not.
My own knowledge base made public: http://open902.com -
undomiel Member Posts: 2,818
A reflexive policy can be done with any SonicWall (barring that abomination Standard OS); it is just a checkbox that is available only when first creating the policy. When the policy has already been created and you're just editing the policy, it disappears.
Jumping on the IT blogging band wagon -- http://www.jefferyland.com/ -
Chivalry1 Member Posts: 569
Also check to see if you have two NIC cards on this server. But likely it's the outbound NAT address. Not sure of your setup, but make sure the policy has synced across all firewalls.
"The recipe for perpetual ignorance is: be satisfied with your opinions and content with your knowledge." Elbert Hubbard (1856 - 1915) -
Morty3 Member Posts: 139
But is the outbound NAT policy using the same address? Your screenshot just shows inbound.
Hahaha, I bet this was it! In SonicOS, the default is to create a reflexive policy. However, someone must have unchecked that box. There was no outbound NAT policy for this!
What a failure for me not to notice this. Fixed it now.
Thanks everyone, hopefully this is solved.
CCNA, CCNA:Sec, Net+, Sonicwall Admin (fwiw). Constantly getting into new stuff.