
Sitting behind router and can't do reverse DNS checking

Printed From: LogSat Software
Category: Spam Filter ISP
Forum Name: Spam Filter ISP Support
Forum Description: General support for Spam Filter ISP
URL: https://www.logsat.com/spamfilter/forums/forum_posts.asp?TID=48
Printed Date: 30 October 2024 at 10:25am


Topic: Sitting behind router and can't do reverse DNS checking
Posted By: Guests
Subject: Sitting behind router and can't do reverse DNS checking
Date Posted: 27 March 2003 at 12:00am

I am just installing now, so I thought it would be a good time to ask this question. Our mail server sits behind a router. Our outside IP address and the IP address of the router are different (outside v. inside). Outside, our domain's SMTP connections get routed to an inside machine. Inside, the address of the router is 192.168.1.1. When I turn on 'reject if no reverse DNS', I get a bunch of false positives (for kill) with the following error: "server error - Your IP 192.168.1.1 does not have a reverse DNS entry. Disconnecting..." Any suggestions on how to get around that? Thanks! \frank




Replies:
Posted By: LogSat
Date Posted: 27 March 2003 at 12:00am

Frank,

Without knowing more details on your physical setup we can't be very specific in our answer. Ideally SpamFilter should be located in a DMZ with a firewall separating it from the internet and another firewall separating it from your internal LAN. In this case, if configured correctly, the firewall would allow incoming traffic on port 25, and even if SpamFilter was on a server with a NAT'd IP of 192.168.1.nnn, it would still see the original IP address of the sender rather than the firewall's.

I'm not sure if you will be able to configure your router/firewall so that connections reaching the server with SpamFilter will arrive with their original IP, and won't show your router's IP.

If not, then you will not be able to use the "Mandatory Reverse DNS" rule.

If, for some reason, some IPs are coming in with the correct sender's address, and others are going through the router and showing up as 192.168.1.1, you should be able to add a reverse PTR record to your internal DNS servers so that they are able to resolve 192.168.1.1 to a valid entry, and your DNS errors will stop.

Hope this helps,

Roberto Franceschetti
LogSat Software



Posted By: LogSat
Date Posted: 27 March 2003 at 12:00am

We had a similar problem setting the filter up. We have a SonicWall firewall that uses one-to-one NAT (mapping a public IP address to an internal address, 192.168.001.xxx). Makes for a nice easy setup, and nice for security too.

You are right, if you don't have an internal DNS server set up, then you're out of luck. I even tried putting the IP of the filter machine (192.168.001.061 in our case) in the hosts file of the computer, with a bogus name, but SpamFilter ONLY checks the supplied DNS server, and not the hosts file.

Best you can do is either not use reverse DNS lookups (which in some cases is not bad, because you would not believe the amount of legitimate servers that aren't set up right), or add your internal machine's IP address to the exclude list.
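The two replies above describe the same failure mode (the "mandatory reverse DNS" rule judging the NAT router's inside address instead of the real sender) and two workarounds: a PTR record for 192.168.1.1 on the internal DNS server, or an exclude-list entry for the internal address. The following Python is an added example, not SpamFilter ISP's code and not from either poster. It models that rule with an injected resolver so it runs offline; the internal reverse zone, the hostname `router.internal.example`, and the log lines are all constructed for the example. It also scans log lines for the rejection message quoted in the thread and flags the rejections whose IP is an RFC 1918 address, which is the tell-tale sign that NAT is hiding the sender.

```python
"""Reverse-DNS (PTR) check for an SMTP peer that stays diagnosable behind NAT.

Added example; the resolver is injected so the logic can run against a
constructed table. Swap in resolve_ptr_live for a real lookup.
"""
import ipaddress
import re
import socket
from typing import Callable, Iterable, List, Optional, Tuple

# RFC 1918 ranges: a peer address in one of these is the NAT router's inside
# address, not the real sending server. (ipaddress.is_private is deliberately
# not used: it also matches documentation ranges such as 203.0.113.0/24.)
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-in for the internal DNS server's reverse zone. The first
# reply's fix is to give the router's inside address a PTR record (hostname
# here is hypothetical) so NAT'd connections stop failing the rule.
INTERNAL_PTR_ZONE = {"1.1.168.192.in-addr.arpa": "router.internal.example"}

NAT_REASON = "no PTR; RFC 1918 source, NAT is hiding the real sender"


def ptr_name(ip: str) -> str:
    """The in-addr.arpa name a PTR lookup for this address asks for."""
    return ipaddress.ip_address(ip).reverse_pointer


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918_NETS)


def resolve_ptr_from_table(ip: str) -> Optional[str]:
    """Resolver against the constructed internal zone (no network needed)."""
    return INTERNAL_PTR_ZONE.get(ptr_name(ip))


def resolve_ptr_live(ip: str) -> Optional[str]:
    """Resolver that asks the system's configured DNS server."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def reverse_dns_verdict(
    peer_ip: str,
    resolve_ptr: Callable[[str], Optional[str]] = resolve_ptr_from_table,
    exclusions: Iterable[str] = (),
) -> Tuple[str, str]:
    """Return (verdict, reason) for one connecting peer.

    Order of checks mirrors the thread's workarounds: the exclude list wins
    first, then a PTR record; a failure on an RFC 1918 source is reported as
    the NAT symptom rather than as a bad sender.
    """
    addr = ipaddress.ip_address(peer_ip)
    if any(addr in ipaddress.ip_network(n, strict=False) for n in exclusions):
        return ("accept", "excluded")
    name = resolve_ptr(peer_ip)
    if name:
        return ("accept", f"ptr={name}")
    if is_rfc1918(peer_ip):
        return ("reject", NAT_REASON)
    return ("reject", "no PTR")


# The rejection text quoted in the original post, with the IP captured.
REJECT_RE = re.compile(
    r"Your IP (\d{1,3}(?:\.\d{1,3}){3}) does not have a reverse DNS entry")


def nat_false_positives(log_lines: Iterable[str]) -> List[str]:
    """IPs rejected by the PTR rule that are RFC 1918, i.e. NAT false positives."""
    hits: List[str] = []
    for line in log_lines:
        m = REJECT_RE.search(line)
        if m and is_rfc1918(m.group(1)) and m.group(1) not in hits:
            hits.append(m.group(1))
    return hits


# Constructed log lines in the shape of the error from the original post.
SAMPLE_LOG = [
    "03/27/2003 10:02:11 server error - Your IP 192.168.1.1 does not have "
    "a reverse DNS entry. Disconnecting...",
    "03/27/2003 10:03:40 server error - Your IP 203.0.113.7 does not have "
    "a reverse DNS entry. Disconnecting...",
    "03/27/2003 10:04:02 connection from 198.51.100.20 accepted",
]

if __name__ == "__main__":
    print(reverse_dns_verdict("192.168.1.1"))                  # PTR fix in place
    print(reverse_dns_verdict("192.168.1.1", lambda ip: None))  # NAT symptom
    print(nat_false_positives(SAMPLE_LOG))
```

Running `nat_false_positives` over the filter's log is the quickest way to tell the two situations apart: a list full of 192.168.x.x addresses means the router is rewriting the source, and no PTR record on the public DNS will ever fix that, while public addresses in the list are genuine senders without reverse DNS.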



