Re: Message Tracking Error Message



Jason <Jason@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

> Thanks for taking the time to respond to my question. I have read about this
> being a type of Cisco PIX firewall issue everywhere. We are currently behind
> a Cisco ASA 5510 firewall. All emails, leaving our domain, have the firewall
> IP address. I know this is not good in practice, but I didn't have control on
> when this was set up.

You're not delivering mail to the Cisco PIX. The issue isn't on your
end of things, it's on the receiving server's side. Their PIX has that
"mail guard" feature enabled.

> Our email header reads like this:
>
> Received: from exchsrvr01.internaldomain.com ([x.x.x.x]) x.x.x.x is the
> firewall IP
>
> Advanced Delivery = exchsrvr01.internaldomain.com
>
> Exchsrvr01.internaldomain.com does not have a reverse pointer record.
>
> Should I get a PTR record added for this FQDN through my ISP?

Assuming you're delivering the email directly from your machine,
what's important is the data in the HELO\EHLO command. How your
servers identify themselves inside your organization shouldn't be of
any concern to the receiving MTA because the only "Received:" header
that's trustworthy is the one that your own MTA inserts into the
message header.

> I was thinking that I need to change the "Advanced Delivery" Fully-qualified
> domain name field to our actual external domain?

That's what you should be doing.

> The new received field name:
>
> Received: from mail.externaldomain.com ([x.x.x.x])
>
> Then place a reverse PTR record through the ISP.

That's correct.

> I was thinking this would
> resolve the logging issue as well as slow email delivery to certain domains
> like gmail.com

I doubt it'll have any effect on your seeing "****" in your log files.
OTOH, if your connections are grey listed because of a missing PTR
record then the creation of the PTR record would help.

> Do you think this will be the best course of action or use the "Masquerade
> domain" field for mail.externaldomain.com?

No. I think that supplying the correct FQDN and PTR should be all that
you need to do.

BTW, if you change the FQDN on the SMTP Virtual Server don't forget to
add the matching "A" record to your internal DNS, too.

--
Rich Matheisen
MCSE+I, Exchange MVP
MS Exchange FAQ at http://www.swinc.com/resource/exch_faq.htm
Don't send mail to this address mailto:h.pott@xxxxxxxxxxxxx
Or to these, either: mailto:h.pott@xxxxxxxxxxxxxxx mailto:melvin.mcphucknuckle@xxxxxxxxxxxxx mailto:melvin.mcphucknuckle@xxxxxxxxxxxxxxx
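
The HELO/EHLO name and PTR agreement discussed in this thread, written as a check an administrator can run before and after the change. This is an added example, not part of the original post; the address 203.0.113.25, the constructed zone tables and the function names are assumptions made for illustration.

```python
import socket

# Live lookups via the system resolver; each returns [] when no record exists.
def live_ptr(ip):
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name] + aliases
    except OSError:
        return []

def live_a(name):
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check_smtp_identity(helo, ip, ptr_lookup=live_ptr, a_lookup=live_a):
    """List what a receiving MTA could hold against this HELO name / source IP pair."""
    norm = lambda n: n.rstrip(".").lower()
    helo, findings = norm(helo), []
    if "." not in helo:
        findings.append("HELO name is not fully qualified")
    if ip not in a_lookup(helo):
        findings.append("HELO name has no A record for the sending IP")
    ptr_names = [norm(n) for n in ptr_lookup(ip)]
    if not ptr_names:
        findings.append("sending IP has no PTR record")
    else:
        # Forward-confirm the PTR: some PTR name must resolve back to the IP.
        if not any(ip in a_lookup(n) for n in ptr_names):
            findings.append("PTR name does not resolve back to the sending IP")
        if helo not in ptr_names:
            findings.append("HELO name differs from the PTR name")
    return findings

# Constructed DNS data; 203.0.113.25 is a documentation address standing in
# for the firewall's public IP (the thread only shows x.x.x.x).
IP = "203.0.113.25"
BEFORE = {"ptr": {}, "a": {}}
AFTER = {"ptr": {IP: ["mail.externaldomain.com"]},
         "a": {"mail.externaldomain.com": [IP]}}

def table(zone):
    """Offline (ptr_lookup, a_lookup) pair backed by a constructed zone dict."""
    return (lambda ip: zone["ptr"].get(ip, []), lambda n: zone["a"].get(n, []))

if __name__ == "__main__":
    print(check_smtp_identity("exchsrvr01.internaldomain.com", IP, *table(BEFORE)))
    print(check_smtp_identity("mail.externaldomain.com", IP, *table(AFTER)))
```

Called without the last two arguments, `check_smtp_identity` uses the live resolver, so it should be run from a host that sees public DNS the way a receiving server does.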