Virtual IPs having emails rejected.



  • We have several servers that are having emails rejected by other mail servers which are performing reverse lookups.

    When we ping the first IP in our scope we receive replies, and when pinging the rest of the IPs in our scope we are receiving "TTL expired in transit".

    It appears when doing a traceroute that the virtual IP trace will hit our external interface and then go back to the hop before and then back to the external interface until eventually it times out.

    Any assistance would be greatly appreciated.

    JT



  • Could this be due to the source IP coming from the Interface and not from the VIP address? Try going to http://www.ipmonkey.com and checking the address. I discussed this in another post, it may be what you are looking for, even if it didn't help him out. http://forum.pfsense.org/index.php/topic,5213.msg31442.html#msg31442



  • It has nothing to do with pfsense at all. You need to get your ISP to configure appropriate reverse DNS entries for those IPs, preferably matching the A record on each IP.



  • I've seen mail get bounced because the RR did not match the originating IP of the hostname in the HELO string. But that is a good point. A check with http://www.dnsreport.com on your domain will tell you if the provider has the reverse records setup correctly.
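A forward-confirmed reverse DNS check of the kind the replies above describe (PTR present, PTR name resolving back to the same IP, PTR matching the HELO name), written here as an added example that is not part of this thread or of pfSense. The sample addresses and hostnames are constructed so it runs offline; the live lookups use only the standard socket module.

```python
import socket

# Constructed sample DNS data (hypothetical, not from this thread); omit the tables to use live lookups.
SAMPLE_PTR = {
    "203.0.113.10": "mail.example.net",  # primary IP: PTR present
    "203.0.113.11": "mail.example.net",  # virtual IP: PTR present
    # "203.0.113.12" deliberately has no PTR record
}
SAMPLE_A = {
    "mail.example.net": {"203.0.113.10"},  # A record covers only the primary
}

def lookup_ptr_live(ip):
    """PTR lookup via the system resolver; None when no reverse entry exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except socket.herror:
        return None

def lookup_a_live(name):
    """All IPv4 addresses a hostname resolves to; empty set on lookup failure."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)}
    except socket.gaierror:
        return set()

def fcrdns_check(ip, helo_name, lookup_ptr, lookup_a):
    """Checks receiving MTAs commonly make: PTR exists, forward-confirms, matches HELO."""
    ptr = lookup_ptr(ip)
    result = {"ip": ip, "ptr": ptr, "forward_confirmed": False, "helo_matches": False}
    if ptr is None:
        result["status"] = "FAIL: no PTR record"
        return result
    result["forward_confirmed"] = ip in lookup_a(ptr)
    result["helo_matches"] = ptr.lower().rstrip(".") == helo_name.lower().rstrip(".")
    if not result["forward_confirmed"]:
        result["status"] = "FAIL: PTR %s does not resolve back to %s" % (ptr, ip)
    elif not result["helo_matches"]:
        result["status"] = "WARN: PTR %s differs from HELO %s" % (ptr, helo_name)
    else:
        result["status"] = "OK"
    return result

def check_ips(ips, helo_name, ptr_table=None, a_table=None):
    """Check every IP in a scope; with tables supplied the check runs offline."""
    if ptr_table is None:
        lookup_ptr, lookup_a = lookup_ptr_live, lookup_a_live
    else:
        lookup_ptr, lookup_a = ptr_table.get, lambda n: (a_table or {}).get(n, set())
    return [fcrdns_check(ip, helo_name, lookup_ptr, lookup_a) for ip in ips]
```

Run against the sample tables, the virtual IP fails forward confirmation because its PTR name only has an A record for the primary address, which is the mismatch receiving servers treat as suspicious; call check_ips(ips, helo) without tables to query real DNS for your own scope.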



  • Reverse DNS entries were added and verified. Looks more like pfsense config.



  • Dotdash, your first reply looks like you are on track and the post describes how it should be set up.

    I do find it odd that when we do a traceroute to the virtual IP and not the primary, the trace is redirected to the hop before the primary IP and then back and forth until it times out. It is as if the firewall does not know it has multiple IPs assigned to it. Mail is working and traffic is passing, but certain domains are acting as if we are spamming due to the originating IPs being different.



  • Use advanced outbound NAT to force the outgoing traffic from the internal IP to the correct CARP address.



  • @sullrich:

    Use advanced outbound NAT to force the outgoing traffic from the internal IP to the correct CARP address.

    Unless you're using 1:1 NAT, in which case this should be done automatically.

