Are our DNS settings OK, or would they cause open relay issues?

oROEchimaru

We have relay turned off for the server. However, one machine (internal IP) hosts our database and campaign software... which sends an SMTP email over to the email machine... (external IP)... where it then is delivered to the user.

emails were altered for security

Will other servers scan our internal address (192.168.100.248) and see it as invalid since it's an internal IP? Or will they grab the proper address? This is how it appears for non-internal members.. however the actual address of our external servers is 207.250.223.x ... should I change the NIC IP from an internal address to the external so it's 207.250.223.248, or should I do something to make it more valid with the internal or external in DNS?

Received: from campagins.etradepress.com [192.168.100.248] by etp.buildingoperatingmanagement.com with SMTP;
Thu, 15 May 2008 12:48:55 -0500
From: Building Operating Management<wngoperatingmanagement.com>*removed for security*
To: olsendsmark.com
Message-Id: <20080515124goperatingmanagement.com>
Subject: Is a touchless restroom right for your organization?
Date: Thu, 15 May 2008 12:48:13 -0500
 
The message appears to have been passed from one server to another internally on the same domain, correct?

If that's the case, it's ok.

Otherwise, no, that's not normal to see the private 192.168.x.x IP in the e-mail header. You should not be setting your public domain DNS records or MX records to private IPs. I doubt you have it that way though since it would not work at all.

The way I normally set up e-mail servers (for small biz networks) is to use the IP of the firewall for the MX record and then forward the traffic to the e-mail server. I generally don't like giving servers public IP addresses.

EDIT: No, that is not going to work properly as when people try to reply to the e-mail, the sending server will attempt to use the private IP and it will fail.

Reading that header is throwing me off a bit.... are the sending server and the e-mail server (receiving server) on the same internal domain?

Is your internal domain "xxxx.com"?
 
This is what's throwing me off too, thanks for your help man!

1. The internal address above, 192.168.100.248, is on a separate machine that has campaign software. It basically takes our HTML and plain text, grabs our bounce, from and reply addresses... then we enter the account's ID/password for SMTP... this is for legitimate magazine emails (to less than 50k members, the same ones each week.. we follow federal laws etc)...

2. The machine sends the campaign over... to ETP, which is our actual email server using SmarterMail/SmarterTools... this server then sends out the email via SMTP.
 
I would NAT the mailserver to a public IP and block all ports except the ones needed, and have it in a physical DMZ outside of the network for that reason. That way you have it mapped to a public IP and if it becomes compromised, it won't compromise the rest of your network.
 
the mail server is on a public ip... however the machine that builds campaigns... and sends the messages via smtp over to the mail server... is somehow being in the header.. and is a part as a local ip.

I asked Campaign Enterprise (the software we use)... they said most servers at the present time do not check that IP... however if there is a major policy shift they could start to...
 
Oh I'm following you now.

If the campaign box is relaying through the mailserver, can you configure the server to check the header and rewrite the IP field for all relays?
 
Hmm... sounds like a good idea but I'm not sure if that is possible in SmarterTools SmarterMail...

Could you elaborate on that at all? Sounds like a nifty idea.
 
Well, the server, if it has relay features (most do) should be able to set itself as the source IP for all email that goes through it. One would think so, anyways.

As for how to do it on that software...I have no clue.
 
Well, we wouldn't want it for all email since we have multiple domains... just for the Campaign Enterprise emails... maybe I can make an alias?
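
Added example, not part of the thread: a Python check for the situation discussed above, where a relay hop's Received header exposes an internal address to outside recipients. The sample message, its hostnames and the 203.0.113.25 hop are constructed, and the function name `internal_hops` is hypothetical.

```python
import email
import ipaddress
import re

# Constructed sample modelled on the header quoted in the thread. Hostnames
# and the 203.0.113.25 hop are made up; only 192.168.100.248 is from the page.
SAMPLE = """\
Received: from mail.example.net [203.0.113.25] by mx.example.org with ESMTP;
 Thu, 15 May 2008 12:49:02 -0500
Received: from campaigns.example.net [192.168.100.248] by mail.example.net with SMTP;
 Thu, 15 May 2008 12:48:55 -0500
From: Newsletter <news@example.net>
To: reader@example.org
Subject: constructed test message

body
"""

# Ranges that should never be visible to an outside recipient.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                  # loopback, link-local
)]
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def internal_hops(raw_message):
    """Return (hop, ip, header) per Received header exposing an internal IPv4.

    Hop 0 is the newest header (added last, nearest the recipient).
    """
    msg = email.message_from_string(raw_message)
    findings = []
    for hop, header in enumerate(msg.get_all("Received", [])):
        flat = " ".join(header.split())  # undo header folding
        for text in BRACKETED_IPV4.findall(flat):
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:  # e.g. [999.1.1.1]
                continue
            if any(ip in net for net in INTERNAL_NETS):
                findings.append((hop, str(ip), flat))
    return findings


if __name__ == "__main__":
    for hop, ip, header in internal_hops(SAMPLE):
        print(f"hop {hop}: internal address {ip} in: {header}")
```

Run against a copy of a delivered campaign message (raw source with full headers), it lists each hop where the outbound path still discloses internal addressing.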
 