Archived from groups: comp.security.firewalls
We recently ran across a situation where a web hosting company (SPC
Hosting) is requiring an R-DNS record registered with our ISP in order
to successfully email a domain that uses SPC (the premise is that it
curbs UCE). After confirming that our ISP had entered the pointer
record, we were still getting mail kicked by SPC. As it turns out, our
Netscreen logs show the source address in the header as being the
untrusted interface of the ns50 and not the IP of our MX record. Since
the pointer record is configured for our MX record, having the source
address appear as a different IP is giving me an ulcer.

The untrusted interface has a VIP mapped to our MX record and a policy
that maps that to the inside interface of the internal SMTP gateway
(ISA Server), so the inbound mail finds the Exchange server no problem,
but on the way out the address appears to come from something other
than the MX address (which is what SPC is looking for).

How can I configure the Netscreen so that outbound mail is tagged with
the MX address and not the untrust interface address? I can see more
ISPs requiring a pointer record in order to send through them, which
would give my CIO cause to have a full litter of kittens b/c the
outbound will be refused.

If anyone has run across this or knows a config that will provide the
fix, I'd like to hear about it.

TIA,
Reg
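
The mismatch described in the post can be confirmed from the sending side before changing the firewall. The following is an added example, not part of the original post: it runs a forward-confirmed reverse DNS check against both the MX address and the address the firewall actually uses for outbound SMTP. The receiver's exact policy is an assumption, and the addresses and host names are constructed documentation values.

```python
import socket


def system_reverse(ip):
    """PTR lookup via the system resolver; [] when no PTR record exists."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [name] + aliases


def system_forward(name):
    """Address lookup via the system resolver; empty set if the name does not resolve."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except socket.gaierror:
        return set()


def check_sender_ip(ip, reverse=system_reverse, forward=system_forward):
    """Classify a connecting IP as an rDNS-enforcing receiver might (assumed policy).

    Addresses are compared as text, so pass IPv4 in dotted-quad form.
    """
    names = [n.rstrip(".").lower() for n in reverse(ip)]
    if not names:
        return "no-ptr", []
    # Forward-confirm: at least one PTR name must resolve back to the same IP.
    confirmed = [n for n in names if ip in forward(n)]
    return ("confirmed" if confirmed else "ptr-unconfirmed"), names


def compare_egress(mx_ip, egress_ip, reverse=system_reverse, forward=system_forward):
    """Check the MX address and the real outbound source address side by side."""
    return {
        "mx": check_sender_ip(mx_ip, reverse, forward),
        "egress": check_sender_ip(egress_ip, reverse, forward),
        "same_address": mx_ip == egress_ip,
    }


# Constructed sample zone data: PTR exists only for the MX address.
SAMPLE_PTR = {"192.0.2.25": ["mail.example.com."], "192.0.2.9": ["gw.example.net."]}
SAMPLE_A = {"mail.example.com": {"192.0.2.25"}, "gw.example.net": {"198.51.100.7"}}
sample_reverse = lambda ip: SAMPLE_PTR.get(ip, [])
sample_forward = lambda name: SAMPLE_A.get(name, set())

if __name__ == "__main__":
    # 192.0.2.2 stands in for the firewall's untrust interface address.
    print(compare_egress("192.0.2.25", "192.0.2.2", sample_reverse, sample_forward))
```

Calling `compare_egress` without the sample resolvers queries live DNS; the egress address to test is the source IP shown in the firewall log for outbound SMTP sessions.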