
Cisco 5510 IP with 2 different FQDN and port 25

lawsuites
Level 1

Hello everyone,

We have Exchange and our network is configured with one IP. The problem is that our IP has a poor score according to senderbase.org, because when they tested our IP to check the FQDN, they saw two different FQDNs. One is for our Exchange and one is for our tenant's computer. I checked my tenant's computer; he is using Outlook 2010 with MAPI (some hosted solution company) and I see his sender port is set to 25. Is there any way I can block this in the firewall? I am not afraid to make changes because I don't want our Exchange to stop sending emails. Please help, thanks.


mirober2
Cisco Employee

Hi Gurpreet,

What exactly are you trying to block with the ASA? Are you looking to stop inbound TCP/25 connections, or change the DNS responses for the FQDNs?

-Mike

According to senderbase.org, our IP is showing two FQDNs... how do I check that?

Also, is there any way I can block port 25 so our tenant can't configure his Outlook with port 25? In doing this I don't want to mess up my Exchange email flow.

Please advise. Again, thank you very much for your time.

Hi Gurpreet,

I'm still not quite sure what you mean by your first question, could you please clarify?

You can use 'nslookup' on a PC to do a reverse lookup on your IP address to see what FQDN it maps to. For example, here you can see that 4.2.2.2 maps to a FQDN of vnsc-bak.sys.gtei.net:

    nslookup
    > 4.2.2.2
    Name: vnsc-bak.sys.gtei.net
    Address: 4.2.2.2

As for your second question, TCP port 25 can be blocked using an access-list on the ASA. For example:

    access-list <acl-name> deny tcp any host <ip-address> eq 25
    access-group <acl-name> in interface <interface-name>

Hope that helps.

-Mike

Thanks for the info, Mike.

My first question: according to senderbase.org, our Exchange IP has a poor score, and the reason they gave me:


"Our most recent data received show the following:

    ip               ts                      helo
    111.111.11.11    1/24/2011 11:31:32      exchange.domain.com
    111.111.11.11    1/24/2011 12:40:04      userpc
    111.111.11.11    1/24/2011 12:40:06      userpc

It seems that there is a machine that is sending with an improper HELO, mismatched with the FQDN."

I would like to do the above HELO test but I am not sure how to do it. Also, how do I fix this?

Hi Gurpreet,

Thanks for clarifying. Since the HELO message is sent by an SMTP client, you would need to prevent the client PC from sending its own email traffic out of your network.

You could deny the client from sending TCP/25 traffic with an ACL on your inside interface, but this would prevent the client from sending email altogether.

If you had a second public IP available, you could use NAT to allow your Exchange server to use 1 public IP and the client to use a different public IP.

Otherwise, you would need to reconfigure the Outlook client to relay its mail through an internal server, thus allowing only your Exchange server to send outbound email with your public IP.

Hope that helps.

-Mike
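
The HELO check described in the SenderBase report can be reproduced against your own outbound SMTP logs; the following is an added example, not code from this thread. It assumes log rows in the same ip / timestamp / helo shape as the quoted report and a known PTR name for the public IP (assumed here to be exchange.domain.com, as you would find with nslookup); the function names are hypothetical.

```python
from collections import Counter

# Constructed sample rows, copied in shape from the report quoted in the thread.
OBSERVATIONS = """\
111.111.11.11 1/24/2011 11:31:32 exchange.domain.com
111.111.11.11 1/24/2011 12:40:04 userpc
111.111.11.11 1/24/2011 12:40:06 userpc
"""

# Assumption: the reverse-DNS (PTR) name of each public IP, looked up beforehand.
PTR_NAMES = {"111.111.11.11": "exchange.domain.com"}


def parse_rows(text):
    """Yield (ip, helo) from 'ip date time helo' lines; skip malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4:
            yield fields[0], fields[3].lower().rstrip(".")


def is_fqdn(name):
    """True for dotted host names such as mail.example.com, False for bare names."""
    labels = name.split(".")
    return len(labels) >= 2 and all(
        label and label.replace("-", "").isalnum() for label in labels
    )


def audit_helo(text, ptr_names):
    """Return sorted (ip, helo, count, reason) for each HELO likely to be flagged."""
    findings = []
    for (ip, helo), count in Counter(parse_rows(text)).items():
        expected = ptr_names.get(ip, "").lower().rstrip(".")
        if not is_fqdn(helo):
            reason = "HELO is not a fully qualified domain name"
        elif helo != expected:
            reason = f"HELO does not match PTR name {expected or '(none)'}"
        else:
            continue  # HELO agrees with reverse DNS, nothing to report
        findings.append((ip, helo, count, reason))
    return sorted(findings)


if __name__ == "__main__":
    for ip, helo, count, reason in audit_helo(OBSERVATIONS, PTR_NAMES):
        print(f"{ip} sent HELO {helo!r} {count}x: {reason}")
```

Any host that shows up in the findings is a candidate for the fixes above: block its outbound TCP/25, give it a separate public IP, or relay its mail through the Exchange server.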

Mike thank you very much.
