Has any successfully implemented this? I am trying to use this technique for 2 public exchange server ips. So far the email sending ip address is always the wan facing nic address. I am using the smtp proxy without transparent mode and no check on outbound sends.
Kb referenced here;
Product Version: Astaro Security Gateway V6
Astaro Security Gateway V7
Symptom:
When using multiple IP addresses on the external interface in combination with the SMTP proxy of Astaro Security Linux, sometimes outgoing mail is bounced back to the sender with the recipients location complaining that sender verify failed or DNS records do not match correctly for the sending domain.
Cause:
Usually the LAN or DMZ that contains the mail server has a masquerading rule applied. If the mail server's MX record is resolving to one of the aliased addresses, this means that the mail is being delivered to say 1.1.1.7 for the domain, but outgoing mail is being masqueraded to the main external address of the firewall, and as such appears to come from 1.1.1.5, which causes the outgoing IP address of .5 not to match with the .7 address located in the MX record. This inconsistency can trigger various implementations of Sender Address Verification (SAV) at the recipient end, which requires the MX record match the sending IP address.
Additional issue can arise when using outbound scanning or transparent smtp proxy setting. In this case the ASG SMTP proxy will always use the public interface address.
Resolution:
The solution here is to add an SNAT rule to translate outgoing SMTP traffic from the mail server to the correct alias so the MX record matches.
V6:
To accomplish this, do the following from WebAdmin:
1) Go to 'Network'-->'Nat/Masquerading'
2) Type a rule name and select 'DNAT/SNAT' for the rule type.
3) For the 'Source address' pick the definition for your internal mail server.
4) For the destination, select 'any'.
5) Service is 'SMTP'.
6) Under the section labeled 'Change Source to:', select the Alias Interface you wish to translate the traffic to (such as the .7 IP for our example)
7) No changes are needed under the 'Change Destination to:' section.
8) Save and toggle the rule on.
For outbound scanning or transparent proxy enabled:
1) Go to 'Network'-->'Nat/Masquerading'
2) Type a rule name and select 'DNAT/SNAT' for the rule type.
3) For the 'Source address' pick the definition for your External(address)
4) For the destination, select 'any'.
5) Service is 'SMTP'.
6) Under the section labeled 'Change Source to:', select the Alias Interface you wish to translate the traffic to (such as the .7 IP for our example)
7) No changes are needed under the 'Change Destination to:' section.
8) Save and toggle the rule on.
V7:
1) Go to Network Security>>NAT>>DNAT/SNAT
2) Select New NAT rule and add a rule name
3) For the 'Traffic Source' pick the definition for your internal mail server.
4) For the 'Traffic Destination', select 'Any'.
5) Service is 'SMTP'.
6) Select NAT mode: SNAT(Source)
7) For the 'Source' select the Alias Interface for the public MX IP address
8) Save and toggle the rule on.
For outbound scanning or transparent proxy enabled:
1) Go to Network Security>>NAT>>DNAT/SNAT
2) Select New NAT rule and add a rule name
3) For the 'Traffic Source' pick the definition for your public interface External(Address)
4) For the 'Traffic Destination', select 'Any'.
5) Service is 'SMTP'.
6) Select NAT mode: SNAT(Source)
7) For the 'Source' select the Alias Interface for the public MX IP address
8) Save and toggle the rule on.
Now with this rule, outgoing SMTP traffic from your internal mail server will have it's source changed so that it appears to come from the aliased IP address instead of the main external IP, thus making a match to the address in the MX record. You may repeat this for multiple mail servers using SNAT to multiple aliases as needed.
Another solution that may be used is to simply edit the MX record of the affected domains to point to the main ip of the Firewall which removes the need to do SNAT altogether. In environments that must maintain separate MX addresses for dif
This thread was automatically locked due to age.
