Spam Filter ISP Support Forum


Sitting behind router and can't do reverse DNS checking

Frank Bravo (Guest Group)
Posted: 27 March 2003 at 12:00am

I am just installing now, so I thought it would be a good time to ask this question. Our mail server sits behind a router. Our outside IP address and the IP address of the router are different (outside v. inside). Outside, our domain SMTP connections get routed to an inside machine. Inside, the address of the router is 192.168.1.1. When I turn on 'reject if no reverse DNS', I get a bunch of false positives (for kill) with the following error: server error - Your IP 192.168.1.1 does not have a reverse DNS entry. Disconnecting... Any suggestions on how to get around that? Thanks! \frank

LogSat (Admin Group)
Posted: 27 March 2003 at 12:00am

Frank,

Without knowing more details on your physical setup we can't be very specific in our answer. Ideally SpamFilter should be located in a DMZ with a firewall separating it from the internet and another firewall separating it from your internal LAN. In this case, if configured correctly, the firewall would allow incoming traffic on port 25, and even if SpamFilter was on a server with a NAT'd IP of 192.168.1.nnn, it would still see the original IP address of the sender rather than the firewall's.

I'm not sure if you will be able to configure your router/firewall so that connections reaching the server with SpamFilter will arrive with their original IP, and won't show your router's IP.

If not, then you will not be able to use the "Mandatory Reverse DNS" rule.

If, for some reason, some IPs are coming in with the correct sender's address, and others are going through the router and showing up as 192.168.1.1, you should be able to add a reverse PTR record to your internal DNS servers so that they are able to resolve 192.168.1.1 to a valid entry, and your DNS errors will stop.

Hope this helps,

Roberto Franceschetti LogSat Software

LogSat (Admin Group)
Posted: 27 March 2003 at 12:00am

We had a similar problem setting the filter up. We have a SonicWall firewall that uses one-to-one NAT (mapping a public IP address to an internal address, 192.168.001.xxx). Makes for nice easy setup, and nice for security too.

You are right, if you don't have an internal DNS server set up, then you're out of luck. I even tried putting the IP of the filter machine (192.168.001.061 in our case) in the hosts file of the computer, with a bogus name, but SpamFilter ONLY checks the supplied DNS server, and not the hosts file.

Best you can do is either not use reverse DNS lookups (which in some cases is not bad, because you would not believe the amount of legitimate servers that aren't set up right), or add your internal machine's IP address to the exclude list.
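
The outcomes discussed in this thread, as an added example that is not part of any post and is not SpamFilter's own code: a mandatory reverse DNS rule evaluated against the address the filter actually sees, with no PTR record, with a PTR record added for the router, and with the router on the exclude list. The function `rdns_check`, the zone contents and the host names are constructed for illustration; the dictionary stands in for the DNS server the filter queries.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed PTR data standing in for the DNS server the filter queries.
PUBLIC_ZONE = {"10.113.0.203.in-addr.arpa": "mail.example.net"}


def rdns_check(peer_ip, zone, exclude=()):
    """Apply a mandatory-reverse-DNS rule to one SMTP peer address.

    Returns (action, nat_masked): action is 'accept', 'reject' or 'skip';
    nat_masked is True when the peer is an RFC 1918 address, i.e. the
    filter is seeing the router's inside address, not the sender's.
    """
    addr = ipaddress.ip_address(peer_ip)
    nat_masked = any(addr in net for net in RFC1918)
    # Exclude list: the rule is not evaluated for these peers at all.
    if any(addr in ipaddress.ip_network(entry) for entry in exclude):
        return "skip", nat_masked
    # PTR lookup under in-addr.arpa, e.g. 1.1.168.192.in-addr.arpa.
    if zone.get(addr.reverse_pointer) is None:
        return "reject", nat_masked
    return "accept", nat_masked


def demo():
    # Internal zone after adding a PTR for the router (hypothetical name).
    with_router_ptr = dict(PUBLIC_ZONE)
    with_router_ptr["1.1.168.192.in-addr.arpa"] = "router.lan.example"
    return {
        "direct sender, PTR exists": rdns_check("203.0.113.10", PUBLIC_ZONE),
        "direct sender, no PTR": rdns_check("198.51.100.7", PUBLIC_ZONE),
        "via router, no PTR": rdns_check("192.168.1.1", PUBLIC_ZONE),
        "via router, PTR added": rdns_check("192.168.1.1", with_router_ptr),
        "via router, excluded": rdns_check("192.168.1.1", PUBLIC_ZONE,
                                           exclude=["192.168.1.1/32"]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:28} -> {result}")
```

In the last two cases `nat_masked` stays True: the rejections stop, but every connection arriving through the router now passes or bypasses the rule regardless of who the real sender is.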
