email anti-spoofing commands for ASA?

Jun 6th, 2008

I have an ASA 7.2(3) with a public IP mapped to an internal Windows Exchange server. This is how the MX record in DNS is created. All internal traffic (including email) to the Internet goes out a different public IP.

There are email servers performing anti-spoofing checks that reject email because it is not originating from the MX record IP. Is there anything to add to the ASA to fix this?

husycisco Fri, 06/06/2008 - 08:50

Hi Craig,

If you have entered a one-to-one static NAT entry for the SMTP port, Exchange will go outside from the public IP that the static is applied to. If you forwarded port 25 to the inside mail server by using PAT, you may not be able to achieve what you want. Posting the related sanitized config will help us determine this more clearly.


craigvoice Fri, 06/06/2008 - 11:24

One-to-one static NAT for the email server from public IP to private IP. This is in the DNS/MX record. No PAT anywhere.

All internal traffic to the Internet (including emails from Outlook clients) goes out the ASA Ethernet interface (a different public IP).

Farrukh Haroon Fri, 06/06/2008 - 12:30

The simple solution is not to use a 'different' public IP when sending outbound email. You are right, many Internet hosts will do a reverse lookup of your hostname before letting you send email (e.g. Hotmail/MSN).

    static (inside,outside) mailsrvr-public mailsrv-private netmask 255.255.255.255

should cover BOTH flows for all ports.

Make sure there is no other static NAT for the mail server when going from inside >> Internet.

Just make sure you have a Reverse PTR record for your mail-server MX record.
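
The two configurations husycisco and Farrukh are contrasting, written out as an added example; this is not from the original thread and the poster's actual config was never shown. The addresses (203.0.113.25 as the MX/public address, 10.0.0.25 as the Exchange server) and the ACL name are assumed placeholders, and the syntax is the pre-8.3 static/nat/global form that ASA 7.2 uses.

```text
! --- Setup that produces the rejections (assumed): only TCP/25 is mapped to
! --- the MX address, so every other connection the Exchange server opens,
! --- including its own outbound SMTP, is PATed behind the outside interface.
static (inside,outside) tcp 203.0.113.25 smtp 10.0.0.25 smtp netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
!
! --- Corrected: a one-to-one static for the whole host. A static covers both
! --- directions and all ports and takes precedence over the nat/global pair,
! --- so outbound SMTP from 10.0.0.25 now sources from the MX address.
no static (inside,outside) tcp 203.0.113.25 smtp 10.0.0.25 smtp netmask 255.255.255.255
static (inside,outside) 203.0.113.25 10.0.0.25 netmask 255.255.255.255
!
! --- Inbound SMTP still needs an ACL; pre-8.3 ACLs match the public address.
access-list outside_access_in extended permit tcp any host 203.0.113.25 eq smtp
access-group outside_access_in in interface outside
!
! --- Verify: only one static for the host, and its xlate shows the MX address
! --- as the Global entry for the whole host rather than for port 25 alone.
show running-config static
show xlate local 10.0.0.25
```

The static only fixes the source address. The PTR for 203.0.113.25 is published by whoever owns the address block, usually the ISP, and receivers expect it to resolve forward to the same address, which can be checked from any host with `dig -x 203.0.113.25` followed by an A lookup of the returned name. As husycisco points out below, a static between (inside,outside) never applies if the default route leaves through a different interface; in that case the smarthost route is the workaround.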



Amadou TOURE Fri, 06/06/2008 - 12:28

Is the reverse record created in the DNS server for the outgoing IP ?

husycisco Fri, 06/06/2008 - 17:10

Since you have a default route to another interface than the one that has the desired public IP, and current Cisco firewall devices do not support Policy Based Routing, what you want to achieve is not possible. But here are some workarounds.

Do not use a different public IP for the mail server, as Farrukh suggested, and request an MX record change from your hosting provider.

Use a SmartHost service from an ISP or hosting provider, configure your Exchange to send and receive over that SmartHost, then add a route statement to the firewall to route traffic destined to the SmartHost IP to the interface that has your desired public IP.


