email anti-spoofing commands for ASA?

Unanswered Question
Jun 6th, 2008

I have an ASA 7.2(3) with a public IP mapped to an internal Windows Exchange server. This is how the MX record in DNS is created. All internal traffic (including email) to the internet goes out a different public IP.

There are email servers performing anti-spoofing checks that reject email because it is not originating from the MX record IP. Is there anything to add to the ASA to fix this?

husycisco Fri, 06/06/2008 - 08:50

Hi Craig,

If you have entered a one-to-one static NAT entry for the SMTP port, Exchange will go outside from the public IP that the static is applied to. If you forwarded port 25 to the inside mail server by using PAT, you may not be able to achieve what you want. Posting the related sanitized config will help us determine this more clearly.

Regards

craigvoice Fri, 06/06/2008 - 11:24

One-to-one static NAT for the email server from public IP to private IP. This is the IP in the DNS/MX record. No PAT anywhere.

All internal traffic to the internet (including emails from Outlook clients) goes out the ASA Ethernet interface (different public IP).

Farrukh Haroon Fri, 06/06/2008 - 12:30

The simple solution is not to use a 'different' public IP when sending outbound email. You are right, many internet hosts will do a reverse lookup of your hostname before letting you send email (e.g. Hotmail/MSN).

static (inside,outside) mailsrvr-public mailsrv-private netmask 255.255.255.255

should cover BOTH flows for all ports.

Make sure there is no other static NAT for the mail server when going from inside >> internet.

Just make sure you have a reverse PTR record for your mail server's MX record.

Regards

Farrukh

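As an added illustration of the layout Farrukh describes (not the poster's config and not from Cisco documentation), here is a sanitized ASA 7.2-style NAT configuration in which the Exchange server egresses from the same public address that the MX record points at. Interface names, addresses (RFC 5737 documentation space) and the ACL name are constructed placeholders.

```text
! Added example, not the original poster's configuration.
! Addresses are constructed placeholders (RFC 5737 documentation space).
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! Default route must point out the interface that owns the desired public
! address; the static below does not override routing.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Everything else on the inside leaves PAT'd to the outside interface address
! (203.0.113.2). This is the "different public IP" the remote MTAs see today.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
!
! One-to-one static for the mail server (192.168.10.25 <-> 203.0.113.5).
! On a 7.x ASA a static takes precedence over the nat/global pair above, so
! it covers BOTH directions for all ports: inbound SMTP to 203.0.113.5 and
! outbound mail sourced by 192.168.10.25 both use 203.0.113.5, the address
! published in the MX/A record and the one the reverse PTR should name.
static (inside,outside) 203.0.113.5 192.168.10.25 netmask 255.255.255.255
!
! Inbound SMTP is permitted to the mapped (public) address; pre-8.3 ACLs
! reference the translated address, not the real one.
access-list outside_in extended permit tcp any host 203.0.113.5 eq smtp
access-group outside_in in interface outside
!
! There must be no second, more specific translation for 192.168.10.25
! (a policy static or a port-level static) that would win for outbound flows.
```

To confirm the mail server is using the static rather than the interface PAT, generate an outbound connection from it and check `show xlate | include 192.168.10.25`, which should list the 203.0.113.5 mapping rather than a PAT entry on 203.0.113.2.
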
husycisco Fri, 06/06/2008 - 17:10

Craig,

Since you have a default route to a different interface than the one that has the desired public IP, and current Cisco firewall devices do not support Policy Based Routing, what you want to achieve is not possible. But here are some workarounds.

Do not use a different public IP for the mail server, as Farrukh suggested, and request an MX record change from your hosting provider.

Use a SmartHost service from an ISP or hosting provider, configure your Exchange to send and receive over that SmartHost, then add a route statement to the firewall to route traffic destined to the SmartHost IP to the interface that has your desired public IP.

Regards
