topic Re: NAT rule best practice for a mail server? in General Topics

NAT rule best practice for a mail server?

OMatlock — Tue, 11 Dec 2018 18:28:02 GMT

Hello folks,

We changed our public ips recently and we have a few recipeints that are blocking our new mail IP. I am suspecting has something to do with either our TXT (SPF) record or the fact that we are using a destination NAT rule instead of bi-directional.

I've included a diagram and notes below, but trying to get some feedback on what the problem might be and if there is a general best practice based on experience.

In general: I am thinking that we should make our NAT rule bi-directional so that it's source IP when initating to internet from mail server is the assigned IP rather than the general NAT IP/Port to the firewall interface.

Any comments or feedback?

Using nslookup MX record return correctly as assigned IP: 96.68.102.139.

Also trying to get feedback from technet.

https://social.technet.microsoft.com/Forums/office/en-US/2e3def39-3f37-4883-a21a-182fc57dfa6f/exchange-server-error-client-host-rejected-cannot-find-your-reverse-hostname-public-ip?forum=exchangesvrsecuremessaging#2e3def39-3f37-4883-a21a-182fc57dfa6f

Re: NAT rule best practice for a mail server?

BPry — Tue, 11 Dec 2018 18:55:20 GMT

@OMatlock,

While I would generally run SMTP servers with a bi-directional, this is far from a requirement. It really looks like you got assigned a bad IP. Go through Office's IP Delist process and get your IP removed from the Anti-Spam list; I bet when it gets removed you'll find everything works fine.

Re: NAT rule best practice for a mail server?

Raido_Rattameister — Tue, 11 Dec 2018 21:01:39 GMT

Many spam filters do reverse dns lookup and if IP does not resolve back to correct domain then they flag email as spam.

Ask ISP to update reverse dns information.

Re: NAT rule best practice for a mail server?

khsieh — Wed, 12 Dec 2018 06:05:32 GMT

Bi-directional NAT would be simpler. Your HELO should match DNS in both directions, in additional be listed in your SPF record. It is also possible that your IP is blacklisted.

Re: NAT rule best practice for a mail server?

OMatlock — Wed, 12 Dec 2018 15:29:43 GMT

Thanks for the feedback.

Yea, in our Exchange server there is a message:

"Client host rejected: cannot find your reverse hostanme [96.68.102.140]"

The Client here is one of our customers that is rejected our email. The IP shown above is the outbound source IP based on our general internet access IP and port address, not the mail assigned IP of .139.

Does it still sound like just an ISP/DNS update problem?

I am trying to determine if our firewall rule needs to change, TXT record, or other.

Re: NAT rule best practice for a mail server?

Raido_Rattameister — Wed, 12 Dec 2018 15:39:06 GMT

Set up your SNAT and DNAT rules so that incoming and outgoing email would go out from same public IP.

Or set up SNAT as bi-directional.

Neither of those IPs you mentioned resolve to anything reasonable.

You have to ask your ISP to update reverse DNS record for the IP where emails are going out from.

Reverse DNS has to resolve to email domain.

C:\>ping -a 96.68.102.139

Pinging 96-68-102-139-static.hfc.comcastbusiness.net [96.68.102.139] with 32 bytes of data:

C:\>ping -a 96.68.102.140

Pinging 96-68-102-140-static.hfc.comcastbusiness.net [96.68.102.140] with 32 bytes of data:

Re: NAT rule best practice for a mail server?

OMatlock — Wed, 12 Dec 2018 15:41:17 GMT

Thank you for that @Raido_Rattameister

I should have mentioned that I am using example IPs so not to disclose our real ones.

Sorry about that...

Thanks again, I will follow up with your suggestions.

Re: NAT rule best practice for a mail server?

OMatlock — Thu, 13 Dec 2018 16:59:22 GMT

@Raido_Rattameister

@khsieh

@BPry

Y'all were right. Needed to create new PTR records with new ISP. Once I did that, our TXT (SFP) is passing.

I also did change our Mail server NAT rule to bi-directional.

I learn so much for you all, thank you!!!