Cisco Support Community

New Member

email anti-spoofing commands for ASA?

I have an ASA 7.2(3) with a public IP mapped to an internal Windows Exchange server. This is how the MX record in DNS was created. All internal traffic (including email) to the internet goes out a different public IP.

There are email servers performing anti-spoofing checks that reject email because it is not originating from the MX record IP. Is there anything to add to the ASA to fix this?

5 REPLIES

Re: email anti-spoofing commands for ASA?

Hi Craig,

If you have entered a one-to-one static NAT entry for the SMTP port, Exchange will go outside from the public IP that the static is applied to. If you forwarded port 25 to the inside mail server by using PAT, you may not be able to achieve what you want. Posting the related sanitized config will help us determine this more clearly.

Regards

New Member

Re: email anti-spoofing commands for ASA?

One-to-one static NAT for the email server from public IP to private IP. This is in the DNS/MX record. No PAT anywhere.

All internal traffic to the internet (including emails from Outlook clients) goes out the ASA ethernet interface (a different public IP).

Re: email anti-spoofing commands for ASA?

The simple solution is not to use a 'different' public IP when sending outbound email. You are right, many internet hosts will do a reverse lookup of your hostname before letting you send email (e.g. hotmail/msn).

static (inside,outside) mailsrvr-public mailsrvr-private netmask 255.255.255.255

should cover BOTH flows for all ports.

Make sure there is no other static NAT for the mail server when going from inside >> internet.

Just make sure you have a reverse PTR record for your mail server's MX record.

Regards

Farrukh
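The two checks described in this reply (the sending IP must be an address of the domain's MX host, and that IP needs a PTR record that resolves back to it) can be reproduced locally before the receiving side rejects mail. The following is an added example, not code from the thread or from Cisco; the zone data is constructed (hypothetical example.com names, RFC 5737 documentation addresses), and the lookup callables are placeholders that a real resolver can be swapped in for.

```python
"""Forward/reverse DNS consistency check for an outbound mail source IP.

Added example, not part of the original thread. It reproduces what the
reply above says receiving servers do: (1) is the connecting IP an address
of one of the domain's MX hosts, and (2) does the PTR for that IP resolve
to a name whose A record maps back to the same IP (forward-confirmed
reverse DNS). DNS data comes through lookup callables so the logic runs
offline against a constructed zone.
"""
from typing import Callable, Dict, List, Optional

# Constructed sample zone: hypothetical names, RFC 5737 documentation IPs.
MX_RECORDS: Dict[str, List[str]] = {"example.com": ["mail.example.com"]}
A_RECORDS: Dict[str, List[str]] = {
    # the one-to-one static NAT public IP from the thread's scenario
    "mail.example.com": ["203.0.113.25"],
    # the ASA outside interface IP that other traffic leaves from; no MX points here
    "fw-outside.example.com": ["203.0.113.1"],
}
PTR_RECORDS: Dict[str, str] = {
    "203.0.113.25": "mail.example.com",
    # 203.0.113.1 deliberately has no PTR, mirroring the question in the thread
}


def lookup_mx(domain: str) -> List[str]:
    return MX_RECORDS.get(domain, [])


def lookup_a(name: str) -> List[str]:
    return A_RECORDS.get(name, [])


def lookup_ptr(ip: str) -> Optional[str]:
    return PTR_RECORDS.get(ip)


def check_outbound_source(
    domain: str,
    source_ip: str,
    mx: Callable[[str], List[str]] = lookup_mx,
    a: Callable[[str], List[str]] = lookup_a,
    ptr: Callable[[str], Optional[str]] = lookup_ptr,
) -> dict:
    """Run both checks for the IP that outbound SMTP actually leaves from."""
    mx_hosts = mx(domain)
    mx_ips = {ip for host in mx_hosts for ip in a(host)}
    matches_mx = source_ip in mx_ips
    ptr_name = ptr(source_ip)
    # forward-confirmed reverse DNS: PTR name must resolve back to the source IP
    fcrdns = ptr_name is not None and source_ip in a(ptr_name)
    return {
        "source_ip": source_ip,
        "mx_hosts": mx_hosts,
        "matches_mx": matches_mx,
        "ptr_name": ptr_name,
        "fcrdns": fcrdns,
        "likely_accepted": matches_mx and fcrdns,
    }


def explain(result: dict) -> List[str]:
    """Turn a failed check into the concrete fix the thread points at."""
    problems = []
    if not result["matches_mx"]:
        problems.append(
            f"{result['source_ip']} is not an address of any MX host "
            f"{result['mx_hosts']}; outbound SMTP is leaving via the wrong NAT/interface"
        )
    if result["ptr_name"] is None:
        problems.append(f"no PTR record for {result['source_ip']}; publish one for the mail server IP")
    elif not result["fcrdns"]:
        problems.append(f"PTR {result['ptr_name']} does not resolve back to {result['source_ip']}")
    return problems


if __name__ == "__main__":
    for ip in ("203.0.113.25", "203.0.113.1"):
        r = check_outbound_source("example.com", ip)
        print(ip, "OK" if r["likely_accepted"] else explain(r))
```

To run this against live DNS, pass `lambda ip: socket.gethostbyaddr(ip)[0]` as `ptr` and `lambda n: socket.gethostbyname_ex(n)[2]` as `a` (wrapping the `socket.herror`/`socket.gaierror` they raise on missing records); MX lookups need a DNS library such as dnspython, since the standard library has no MX query. The source IP to test is whatever the receiving side sees, which in the thread's setup is the ASA outside interface address rather than the static NAT address.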

New Member

Re: email anti-spoofing commands for ASA?

Is the reverse record created in the DNS server for the outgoing IP?

Re: email anti-spoofing commands for ASA?

Craig,

Since you have a default route to another interface than the one that has the desired public IP, and current Cisco firewall devices do not support Policy Based Routing, what you want to achieve is not possible. But here are some workarounds.

Do not use a different public IP for the mail server, as Farrukh suggested, and request an MX record change from your hosting provider.

Use a SmartHost service from an ISP or hosting provider, configure your Exchange to send and receive over that SmartHost, then add a route statement to the firewall to route traffic destined to the SmartHost IP to the interface that has your desired public IP.

Regards
