External Site resolving to WAN & not NAT??

helloworld

Dealing with SMTP issues.

I have a port & 1:1 NAT setup for an internal SMTP server (for the sake of doubling the effort)

(resolving a SPAM issue) I noticed that an external SMTP server resolved my sending Server as the WAN port on the firewall vs the NAT'd SMTP server.

WAN x.x.x.1
SMTP External x.x.x.2
SMTP internal y.y.y.2

Comcast business is the internet supplier with 13 IPs

if I nslookup my SMTP host from the outside I get the correct IP, but for some reason some SMTPs are seeing me as the WAN? Maybe as I'm connecting via that host?

muswellhillbilly

@helloworld:

if I nslookup my SMTP host from the outside I get the correct IP, but for some reason some SMTPs are seeing me as the WAN? Maybe as I'm connecting via that host?

What do you expect the correct IP to be, exactly? Externally, anyone sending email to your internal host must resolve your WAN address as the correct address to relay to, as it's the only address anyone can see outside your LAN. Your sending server will always appear as the WAN address to external receiving hosts, since it's NATing outbound from your firewall.

From what you describe, everyone outside your LAN should be seeing your sending/receiving mail host as your WAN address, otherwise you wouldn't be able to send or receive emails. So - to make a long story short - I'm not sure what the problem is your're having.

johnpoz

huh??

See what as your host wan?  So you you, so you have public IP 1.2.3.1 on your wan, you created a vip for your smtp server 1.2.3.2, you then did a 1:1 Nat to your smtp server…  Why would you not just forward ports needed to this host is another question...  1:1 is needed why exactly, smtp server normally only need 25 inbound to it..

Anyhoo..  So who exactly resolves what?  lets call your mx record smtp.yourpublicdomain.tld, this points to an A record of your what IP??  what are your ptrs for both your public 1.2.3.1 and your 1.2.3.2?  Do you have an A records that point to your 1.2.3.1?  address?

Much easier to help if you gave us your domain in question.  PM if you don't want to post public and I will take a look see at what your dns is showing.

When you send mail, what is your source IP listed on the person getting the mail.. Does it show up as your 1.2.3.1 or your .2?  Most likely you want to make sure your outbound traffic is using your vip IP of .2

helloworld

Initially the site had a linux box setup as a the network firewall, smtp, & web server. The system was under spec'd to handle the load was constantly becoming overloaded & crashing.

Plus the people who configured it were morons, as they had no NAT & had given internal servers with 3 IPs. IPv6, 192 addresses & public IPs. Basically a clusterfuck ratsnest.

As I separated the firewall & made the necessary internal routing/IP changes most everything has been running fine for awhile. But we got on an RBL list for comcast.

The linux box still runs smtp & web. But I took it's original external IP & applied that to the pfsense appliance.

I changed the MX records to point to another IP made the NAT changes. I also replaced the old smtp Qmail with Postfix. (much easier working with virtual domains)

Per muswellhillbilly I've gone & reset my MX records back to the WAN IP & setup the NAT with the WAN to Linux for port 25.

MX record = smtp.ecofront.com
WAN = 172.12.16.179
Initial =172.12.16.189 [I've reset the DNS to 179]
Internal 192.168.1.1

johnpoz

did you typo the first octet?

;; ANSWER SECTION:
ecofront.com.          7200    IN      MX      10 smtp.ecofront.com.

;; ADDITIONAL SECTION:
smtp.ecofront.com.      7200    IN      A      173.12.16.179

This really needs to be changed.

;; QUESTION SECTION:
;179.16.12.173.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
179.16.12.173.in-addr.arpa. 3600 IN    PTR    173-12-16-179-panjde.hfc.comcastbusiness.net.

your PTR should match your forward for your smtp server…

Also showing a problem connecting

Connecting to 173.12.16.179
1/21/2016 10:44:52 AM Connection attempt #1 - Unable to connect after 15 seconds. [15.03 sec]

I can get to the .189

Connecting to 173.12.16.189

220 smtp.ecofront.com ESMTP Postfix [688 ms]

So looks like inbound mail would be failing since your mx points to an IP that doesn't answer on 25..

helloworld

yes I did typo it.

I'll see if comcast can fix the PTR. Must be something on their end, as I don't use them as the DNS server

port 25 is open for pass for anyone hitting the old ip 189 & the WAN port, but I'm not seeing any logs for attemps to the wan ip.

I'm resetting to the old IP & contact comcast for their internet PTR issue

johnpoz

well your not going to be getting any mail once the ttl on your old mx expires since 25 does not seem open to your wan IP from my test.

The owner of the IP has to change the PTR.