Reverse DNS Exchange problems



  • We switched to pfSense and we seem to have some problems with our mail server (Exchange).
    
    Due to reverse DNS spam filtering on our clients' mail servers we get these mails:
    
    [code]
    
                There was a SMTP communication problem with the recipient's email server.  Please contact your system administrator.
                <ourserver.nl #5.5.0 smtp;554 <client@clientserver.nl>: Recipient address rejected: This email has been rejected as the IP address does not fit the domain.>
    
    [/code]
    
    This is probably because the reverse NAT isn't working? Can somebody explain exactly how this reverse DNS spam check works? Any Exchange experts here?
    
    I thought there was a method to put in an FQDN in the SMTP server to send that with the mails (like: ourmailserver.company.com). If I were to put our firewall there, would that solve this issue? I have the outbound NAT set to AUTO.
    


  • Use advanced outbound NAT to have the mail server use the public IP that your MX record is pointing to.
    This fixes most problems IF your reverse DNS is good.



  • Is it possible to leave it on auto outbound NAT and create a manual entry as well?

    So click on the button at the bottom and create an entry?

    I've tried creating the entry as below:

    Mailserver pub ip/32
    Internal IP/32

    Still mail being returned with a problem with the reverse DNS. Strange thing is that mxtoolbox.com shows reverse DNS is ok. But it just checks if there is a record (which there is) but it probably cannot reach the actual machine.

    If I check my IP address on www.whatismyipaddress.com it gives me the fw IP (I did this on the mailserver). Shouldn't it show the correct pub IP after the outbound NAT works?

    I tried a 1:1 NAT as well, also no luck.

    What I'm worried about is, if I turn on manual outbound NAT, I might create a situation that a lot of our servers and services become unreachable since there have been auto NAT entries made.

    Is there a way to check these records? Do I have any alternatives? Shouldn't 1:1 NAT do the trick as well? The auto NAT function seems to work ok because we have no problems except for the mailserver.



  • You can't switch it back to Auto and expect the manual rules to work.
    Create the mapping with source and NAT address for your mailserver and make that the first AON rule.
    When you test with whatsmyip or such, you should get the correct public IP.



  • Can you tell me what to fill in exactly? (see my screenshot)

    This is the info:

    Virtual IP : 80.x.x.150
    LAN IP : 172.16.108.150
    FW IP : 80.x.x.146

    I have auto switched on, added the rule on the top of the list (above the other rules)

    And I'm still getting a .146 IP instead of the .150 (Exchange server) on two different whatismyip websites.

    I've tried selecting all kinds of options and IPs but still not getting anything else but .146 (fw IP)

    Do I need to remove my port forwarding on NAT maybe? I don't think so because I assume this is for outbound only?

    I've tried all possible options, would you mind looking at the screenshot above and let me know what I need to fill in where? I'm confused



  • I'm confused by your using two different subnets in your examples, so I'm going to ignore that.

    Your outbound NAT should look something like this:
    SELECTED>Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))

    WAN      172.16.108.150/32 * * * 80.x.x.150 * NO
    WAN      172.16.108.0/24    * * * * * NO

    Make sure you don't have an entry for 172.16.108.150 in 1-1 NAT.
    Your example is not correct:
    The source is the PRIVATE (LAN) IP
    Leave the destination blank.
    You should be able to pick the translation from a drop-down if you have created the VIP.

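The first post asks how the reverse DNS spam check works, and the rule table above shows the outbound NAT ordering that makes the mail server leave with the right address. The following Python model is an added example, not code from the thread or from pfSense: it plays the two steps together, first-match NAT selection and the recipient's forward-confirmed reverse DNS check. The addresses (203.0.113.0/24 in place of the thread's 80.x.x.*), host names and DNS records are constructed.

```python
"""Added model (not from the thread): why mail from the Exchange box bounced.
pfSense applies outbound NAT rules top-down (first match wins); the recipient
then runs a forward-confirmed reverse DNS (FCrDNS) check on that source IP."""
import ipaddress

# Constructed DNS data. 203.0.113.0/24 is a documentation range standing in
# for the thread's 80.x.x.* addresses; the host names are hypothetical.
PTR = {
    "203.0.113.150": "mail.example.nl",         # mail VIP: PTR set up correctly
    "203.0.113.146": "static-146.isp.example",  # firewall WAN IP: ISP default PTR
}
A = {
    "mail.example.nl": "203.0.113.150",
    "static-146.isp.example": "203.0.113.146",
}

WAN_IP = "203.0.113.146"
# Manual outbound NAT rules in the thread's final order: (source, translation);
# None means "use the WAN interface address", like the auto-created rules.
NAT_RULES = [
    ("172.16.108.150/32", "203.0.113.150"),  # mail server rule, must come first
    ("172.16.108.0/24", None),               # DMZ
    ("10.0.0.0/8", None),                    # LAN
]

def translate_source(private_ip, rules=NAT_RULES):
    """Public address a packet leaves with: the first matching rule wins."""
    ip = ipaddress.ip_address(private_ip)
    for net, nat_addr in rules:
        if ip in ipaddress.ip_network(net):
            return nat_addr or WAN_IP
    return WAN_IP  # no rule matched: interface address

def fcrdns_check(ip, sender_domain, ptr=PTR.get, a=A.get):
    """Receiving server's check: the PTR must exist, resolve back to ip and
    belong to the sending domain. Returns (accepted, reason)."""
    name = ptr(ip)
    if not name:
        return False, "no PTR record"
    if a(name) != ip:
        return False, f"PTR {name} does not resolve back to {ip}"
    if not (name == sender_domain or name.endswith("." + sender_domain)):
        return False, f"IP {ip} ({name}) does not fit domain {sender_domain}"
    return True, "ok"

def send_mail(private_ip, sender_domain, rules=NAT_RULES):
    """Both steps together: NAT the source, then run the recipient's check."""
    return fcrdns_check(translate_source(private_ip, rules), sender_domain)
```

Calling `send_mail("172.16.108.150", "example.nl", NAT_RULES[1:])` reproduces the "does not fit the domain" rejection from the first post, because without the mail server rule the traffic leaves with the firewall's address and its ISP-assigned PTR.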


  • Ahh, I misunderstood.

    It seems to be working perfectly now. I did not check the manual setting.

    One last question, by setting the manual NAT setting, will any of my servers and services not work like they are supposed to?

    I have two subnets : LAN : 10.0.0.0/8 and DMZ 172.16.108.0/24

    I've set two rules for manual nat with source LAN and DMZ and the rest empty/blank.

    See screenshot

    When using the above settings, does this mean ONLY my mailserver has a different outbound IP and the rest uses the gw ip?



  • @AudiAddict:

    When using the above settings, does this mean ONLY my mailserver has a different outbound IP and the rest uses the gw ip?

    That's correct. It matches the first rule for your mailserver, all other machines use the 'auto-created' rule which by default uses the interface IP.



  • Problem has been solved regarding the reverse DNS, thanks a lot for the help!

    A last question regarding the DNS in general. Is it correct that the pfSense has a DNS port open by standard for the WAN interface? When doing a port scan I get everything "stealth" except for DNS. Is there any reason why I would need the DNS port open? On the firewall that is? I suppose having a port forward to the DNS server is sufficient?

    Or does the firewall/gw require this port to be open to resolve hostnames for the gw/firewall?

    Is it safe enough to only set port forwarding for the virtual IPs which are needed, the rest not set = stealth/unreachable right? No need to block this in the firewall I suppose?



  • Anything not explicitly allowed is denied, so you shouldn't worry too much. DNS should show closed from the WAN. The DNS forwarder will show DNS open from the LAN side- I don't think it should show open from the WAN, but I'm not 100% sure- I generally point DNS to an internal server instead of running the forwarder…

