Query regarding outbound email headers

Answered Question
Jul 29th, 2010

Hi halijenn / experts


I have an ASA for which I have a separate outbound mail access, and the following is configured. The external interface of the firewall is 66.52.192.14. When I send mail to an outside address @yahoo.com and then look at the mail headers in yahoo.com (i.e. when I check the mail in Yahoo and click on headers), I see the private IP address of the organization listed like "mxpb.akc.com (172.16.10.1)" in the "received from" field. Please let me know if this is normal. Also, is it configurable on the ASA so that it can be changed to the public IP (i.e. MX record), or does this behaviour depend entirely on the Yahoo SMTP gateway?


static (inside,outside) 66.52.192.15 172.16.10.1 netmask 255.255.255.255


where 172.16.10.1 is SMTP Gateway


Currently I don't have the "sh run" of the customer firewall; as soon as I get it I will post the service-policy as well. However, for the time being, if you can throw some light on this, it will be very helpful.

Nagaraja Thanthry Thu, 07/29/2010 - 06:17
User Badges:
  • Cisco Employee,

Hello,


That behavior seems to be normal. The firewall cannot change the SMTP packet contents. You could check on the mail server itself and see if there is a way to change the IP to a name (smtp.abc.com).


Hope this helps.


Regards,


NT

Jennifer Halim Thu, 07/29/2010 - 07:09
User Badges:
  • Cisco Employee,

The mail domain of "mxpb.akc.com" does not seem to resolve to anything. Are you sure that is the correct mail domain?


Here is the test that I did:

nslookup
> set type=mx
> mxpb.akc.com
*** UnKnown can't find mxpb.akc.com: Non-existent domain


Reverse lookup for the public ip address:

nslookup 66.52.192.15
Name:    66-52-192-15.phnx.mdsg-pacwest.com
Address:  66.52.192.15


And it's not something on the ASA that you can configure to change the behaviour.

Magnus Mortensen Thu, 07/29/2010 - 19:22
User Badges:
  • Cisco Employee,

Ankur,

     What do the headers look like? Is the receiving host (the one just before/after) an internal IP as well? That line would be written into the email header by some SMTP relay who actually saw that connection come from IP 172.16.0.1. What are the lines above and below that line in the headers?


- Magnus

ankurs2008 Fri, 07/30/2010 - 03:54

hi halijenn / NT


Thanks for looking into this. The MX record I sent across is a sample. Actually, I was concerned about the email headers in Yahoo Mail, as I am not sure why private IP addresses are visible there. Please let me know if the mail server MX record is required for you to resolve the issue.


Hi Magnus


Thanks for looking into this. Please find attached the snapshot of the Yahoo Mail headers. I have blurred the IPs for confidentiality purposes. There are 2 email servers, 172.X.X.1 [MBX1.plprairiewi.com] and 172.X.X.2 [MBX2.plprairiewi.com], which are visible in the headers. The static command in the firewall is as follows (please ignore the static statement in my first mail, as I gave a dummy IP and MX record earlier for confidentiality purposes). Please let me know if the same is required for us to proceed.


static (inside,outside) 67.X.X.94 172.16.10.1 netmask 255.255.255.255


67.X.X.93 is the firewall IP [ exchange.plprairiewi.com ]


Also, I am not able to understand why the field "X-Originating-IP" in the header is the firewall IP address. Ideally it should be 67.X.X.94.

Correct Answer
Magnus Mortensen Fri, 07/30/2010 - 05:05
User Badges:
  • Cisco Employee,

Ankur,

     I see in the headers that the private IPs make sense. You can see:


- MBX2 received it from MBX1

- MBX1 then gets it back from MBX2

- Exchange received it from MBX1

- Yahoo received it from your Exchange server


The 172.x.x.x IPs are related to the internal communication between your servers (Exchange, MBX1 and MBX2). Yahoo does not see the internal IPs as expected. Yahoo sees it from your 67.x.x.x address. But up to this point, your internal email servers have already written the transaction logs in the email header using the IPs they saw (your internal 172.x.x.x ones). So all is normal from what I can see.


- Magnus
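
The hop-by-hop reading of the `Received:` chain described in this answer, as an added example that is not part of the original thread. The message, hostnames and addresses are constructed (203.0.113.93 stands in for the masked public address); the script lists the hops in travel order and reports which ones recorded an internal-only sender address.

```python
import email
import ipaddress
import re

# Constructed message: hostnames and addresses are illustrative, newest hop on top.
SAMPLE = """\
Received: from exchange.example.com (exchange.example.com [203.0.113.93])
    by mta.mail.example.net with SMTP; Fri, 30 Jul 2010 03:40:05 -0700
Received: from MBX1.example.com ([172.16.10.1]) by exchange.example.com
    with Microsoft SMTPSVC; Fri, 30 Jul 2010 05:40:04 -0500
Received: from MBX2.example.com ([172.16.10.2]) by MBX1.example.com
    ([172.16.10.1]) with mapi; Fri, 30 Jul 2010 05:40:03 -0500
Received: from MBX1.example.com ([fe80::20c:29ff:fe00:1]) by MBX2.example.com
    ([fe80::20c:29ff:fe00:2]) with mapi; Fri, 30 Jul 2010 05:40:02 -0500
From: user@example.com
To: someone@example.net
Subject: test

body
"""

# RFC 1918, IPv6 unique-local and link-local ranges: never routable on the Internet.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]
IP_CANDIDATE = re.compile(r"[\[(](?:IPv6:)?([0-9A-Fa-f:.]+)[\])]")

def parse_hop(value):
    """Return sender name, receiver name and sender IP for one Received header."""
    clause = " ".join(value.split()).split(";", 1)[0]   # unfold, drop timestamp
    m = re.match(r"from (\S+)(.*?) by (\S+)", clause)
    if not m:
        return None
    sender, middle, receiver = m.groups()
    addr = None
    for cand in IP_CANDIDATE.findall(middle):   # first token that is a real IP
        try:
            addr = ipaddress.ip_address(cand)
            break
        except ValueError:
            continue
    return {"from": sender, "by": receiver, "ip": addr}

def trace(raw):
    """Hops in the order the message travelled (headers are prepended, so reverse)."""
    values = email.message_from_string(raw).get_all("Received", [])
    return [h for h in map(parse_hop, reversed(values)) if h]

def disclosed_internal(hops):
    """Hops whose recorded sender address lies in an internal-only range."""
    return [(h["from"], str(h["ip"])) for h in hops if h["ip"] is not None
            and any(h["ip"].version == n.version and h["ip"] in n for n in INTERNAL)]
```

Only the final hop, written by the receiving provider, carries the translated public address; every earlier line was stamped by an internal server before the message reached the firewall, so suppressing those lines is a mail-server setting and not a NAT one.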

ankurs2008 Sat, 07/31/2010 - 01:39

Hi Magnus


Thanks for the explanation. I just want to elaborate my understanding; please tell me if I am correct.


1)


MBX2 received it from MBX1

MBX1 then gets it back from MBX2


The above sequence happens when the user sends the packet to the Exchange server, and it seems that they pass the packet to each other, as maybe they are in NLB / cluster. What I want to say is that MBX2 / MBX1 are Exchange servers (I believe that they are Exchange (or Domino), as the customer has not told me about them and I am making an assumption).


Exchange received it from MBX1


Your above statement refers to Exchange giving the packet to the SMTP gateway (and we can also see from the headers that, though the name is exchange.plprairiewi.com, Microsoft SMTP Service is running on it).



2) Also, I want to understand the reason for the public IP of the firewall, rather than the static IP, appearing in the mail headers.

Magnus Mortensen Sun, 08/01/2010 - 15:52
User Badges:
  • Cisco Employee,

To address your concerns:

1) It looks like the first leg of the transaction is using IPv6 connectors. Then the mail comes back on an IPv4 connector. This may be completely normal depending on your Exchange config.

2) The external IP that the Exchange will look like depends on the IP of the Exchange server and any NATs or STATICs it might match. What is the internal IP?

- Magnus

ankurs2008 Mon, 08/02/2010 - 03:27

Hi


Thanks for the reply! The IP 172.16.10.1 is the SMTP gateway, configured for static as follows:


static (inside,outside) 67.X.X.94 172.16.10.1 netmask 255.255.255.255


67.X.X.93 is the firewall IP [ exchange.plprairiewi.com ]


Hence my query is: is it possible with the above config to see the firewall IP address in the "X-Originating-IP" field, instead of the one mentioned in the static, in the email header attached to this mail?

ankurs2008 Wed, 08/04/2010 - 04:07

Hi Magnus


Please let me know regarding my query below.

Magnus Mortensen Wed, 08/04/2010 - 04:23
User Badges:
  • Cisco Employee,

Ankurs,

     What IP address does your internal Exchange server have? Since the Exchange server is the last one of your servers in the header, it was the server that connected out to Yahoo. If you do not have a STATIC for that host (1-to-1 static, not static PAT) then he is most likely going to hit a PAT overload translation (ya know, a nat/global pair) when he establishes an outbound connection to the internet.

- Magnus
