
Have a few servers set up behind an ASA 5505, all is well, except for the fact that the ASA only sends the correct smtp outbound IP for the mail server domain itself.

Any other domain that sends outbound email shows the ASA external IP as the from address, which raises red flags with recipient mail servers as we have no reverse DNS setup on this IP.

What we would like to have happen is either:

1) Have outbound smtp ip be the same as inbound ip (preferred)
- or -
2) Have our mail server ip show as the from address for ALL outbound smtp traffic, and then set up SPF DNS records for our domains that list the mail server domain as an authorized sender.

Applicable config lines:

object-group network web-services
network-object host xx.xxx.xx.101
network-object host xx.xxx.xx.102
...
object-group service open-tcp tcp
port-object eq smtp
...

access-list out_in extended permit tcp any object-group web-services object-group open-tcp
...
global (outside) 1 interface
global (dmz) 1 interface
nat (dmz) 0 access-list nonat
nat (dmz) 1 0.0.0.0 0.0.0.0 # perhaps here some magic can be worked

Is there a way to get only outbound smtp traffic bound to the mail server IP? I'd prefer that over globbing everything outbound onto mail server IP, which is what the solution in this thread appears to do.

Ideas appreciated, thanks

virtualeyes

2 Answers


Something like static (inside,outside) tcp mail.server.ip.here smtp your.internal.subnet.here smtp netmask net.mask.for.the.internal.subnet.here should do the trick.

Geraint Jones
  • Thanks but check out the object-group, it already does that implicitly for services listed (smtp, www, https, etc.). The problem I think is that the ASA takes inbound smtp on port 25, but sends outbound on a huge port range (i.e. not necessarily 25). See article I linked to – virtualeyes Aug 16 '13 at 22:58
  • Sometimes it pays to be explicit with Cisco tin :) – Geraint Jones Aug 16 '13 at 23:01
  • It's all or nothing with object-groups, you can't specify a single static route as you are suggesting. I would have to specify smtp, http, ftp, etc. separately and it will do nothing to solve the problem, have already tried the explicit track. The problem, as stated in the linked thread, is that the outbound smtp port is not at all guaranteed to be port 25; and when it's not 25 (like always), the implicit static route for the smtp protocol is ignored, and the default is used instead, which just so happens to be the external ASA IP -- totally f-ing useless as far as serving legit mail is concerned ;-( – virtualeyes Aug 17 '13 at 01:06

Got help on Cisco forums, here's the solution that works for my setup:

global (outside) 25 xx.xxx.xx.101
access-list Dmz-Smtp-PolicyPAT extended permit tcp 172.16.0.0 255.255.0.0 any eq smtp
nat (dmz) 25 access-list Dmz-Smtp-PolicyPAT

This routes all outbound smtp traffic via the external xx.xxx.xx.101 IP, the public-facing IP address of my mail server.

Would have preferred inbound smtp to go out on the same public IP smtp came in on, but Qmail, my mail server, does not support multiple outgoing ip addresses in the version I have installed (v1.03).

Anyway this works, all outbound traffic appears to the outside world to be coming from my mail server and not the external IP of the ASA itself. Now just need to set up SPF records for client domains and authorize mycompany.com as the authorized mail sender.

virtualeyes
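One check worth running before and after changing the NAT, as an added example that is not part of the question or either answer: given the public IP that a domain's mail now leaves on, confirm that the IP has forward-confirmed reverse DNS and that each sending domain's SPF record authorizes it. The DNS data below and the 203.0.113.x addresses are constructed stand-ins for the poster's xx.xxx.xx.101 and ASA outside address, and the SPF evaluator is deliberately minimal (ip4/ip6, a, include and all only).

```python
import ipaddress

# Constructed DNS answers standing in for live lookups (placeholder addresses, not the poster's).
# 203.0.113.101 plays the mail server's public IP; 203.0.113.1 plays the ASA outside interface,
# which has no PTR record, which is exactly what made recipients flag the mail.
DNS = {
    "A": {"mail.mycompany.example": "203.0.113.101"},
    "PTR": {"203.0.113.101": "mail.mycompany.example"},
    "TXT": {
        "mycompany.example": "v=spf1 ip4:203.0.113.101 -all",
        "client.example": "v=spf1 a:mail.mycompany.example -all",   # client domain delegating to the mail host
        "unlisted.example": "v=spf1 ip4:198.51.100.0/24 -all",       # SPF never updated for the new egress
    },
}


def fcrdns_ok(ip, dns=DNS):
    """Forward-confirmed reverse DNS: the PTR for ip exists and its A record points back to ip."""
    name = dns["PTR"].get(ip)
    return name is not None and dns["A"].get(name) == ip


def spf_allows(domain, ip, dns=DNS):
    """Return True if domain's SPF record passes ip, False if it fails/softfails/neutral, None if no record."""
    record = dns["TXT"].get(domain)
    if record is None or not record.startswith("v=spf1"):
        return None
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":  # "a" alone means the domain's own A record; "a:host" names another host
            matched = dns["A"].get(arg or domain) == ip
        elif mech == "include":
            matched = spf_allows(arg, ip, dns) is True
        else:
            continue  # mx, ptr, exists, redirect etc. are out of scope for this minimal checker
        if matched:
            return qualifier == "+"  # only a "+" match is a pass; "-", "~" and "?" are not authorization
    return False  # nothing matched: neutral, which recipients will not treat as authorized


def egress_report(egress_ip, domains, dns=DNS):
    """Summarize, per sending domain, whether mail leaving on egress_ip would look legitimate."""
    return {"fcrdns": fcrdns_ok(egress_ip, dns),
            "spf": {d: spf_allows(d, egress_ip, dns) for d in domains}}
```

Run egress_report against the mail server IP and against the ASA outside IP to see the difference the policy NAT makes; any domain reporting False or None still needs its SPF record fixed.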