Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
602
Views
0
Helpful
5
Replies

email anti-spoofing commands for ASA?

craigvoice
Level 1
Level 1

‎06-06-2008 08:40 AM - edited ‎03-11-2019 05:56 AM

I have an ASA 7.2(3) with public IP mapped to internal Windows Exchange server. This is how MX record in DNS created. All internal traffic (including email) to internet goes out different public IP.

There are email servers performing anti-spoofing checks that reject email because they are not originating from MX record IP. Is there anything to add to ASA to fix this?

Labels:
0 Helpful
5 Replies 5

husycisco
Level 7
Level 7

‎06-06-2008 08:50 AM

Hi Craig,

If you have entered a one-to-one static NAT entry for smtp port, exchange will go outside from the public IP that the static is applied. If you forwarded port 25 to inside mail server by using PAT, you may not be able to achieve what you want. Posting related sanitized config will help us to determine more clearly.

Regards

0 Helpful

craigvoice
Level 1
Level 1
In response to husycisco

‎06-06-2008 11:24 AM

One-to-one static NAT for email server from public IP to private IP. This is in the dns/mx record. No PAT anywhere.

All internal traffic to internet (including emails from Outlook client) go out ASA ethernet interface (different public IP).

0 Helpful

Farrukh Haroon
VIP Alumni
VIP Alumni
In response to craigvoice

‎06-06-2008 12:30 PM

The simple solution is not to use a 'different' public-ip when sending outbound email. You are right many internet hosts will do a reverse lookup of your hostname before letting you send email (e.g hotmail/msn).

static (inside,outside) mailsrvr-pubic mailsrv-private netmask 255.255.255.255

should cover BOTH flows for all ports.

Make sure there is no other static NAT for mail server when going from inside >> internet.

Just make sure you have a Reverse PTR record for your mail-server MX record.

Regards

Farrukh

0 Helpful

Amadou TOURE
Level 1
Level 1
In response to husycisco

‎06-06-2008 12:28 PM

Is the reverse record created in the DNS server for the outgoing IP ?

0 Helpful

husycisco
Level 7
Level 7
In response to Amadou TOURE

‎06-06-2008 05:10 PM

Craig,

Since you have a default route to another interface than the the one that has desired public IP, and current Cisco firewall devices do not support Policy Based Routing, what you want to achieve is not possible. But here are some workarounds.

Do not use different public IP for mail server as Farrukh suggested and request for MX record change from your hosting provider.

Use a SmartHost service from an ISP or Hosting provider, configure your exchange to send and receive over that SmartHost, then add a route statement into firewall to route traffic destined to smarthost IP to the interface that has your desired public IP.

Regards

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card