Exchange, DNS and AT&T Blacklist
Hi,
I just started with a new company and they have been having an issue for quite some time. Although Friday was my first day, I recognized that they were using an internal 128.x.x.x IP scheme throughout the company. They recently installed a SonicWall firewall appliance and prior to that they had a "firewall" BUT from what I hear it was never defined, so it acted pretty much like a gateway allowing traffic in and out freely. Since the implementation of the SonicWall device, they have not been able to send mail to any AT&T and its subsidiaries due to being blacklisted. Another thing I looked at was in their DNS...they have no MX record. So, 3 things I found in an hour that might have everything to do with it, or maybe nothing at all, but I would like another opinion from a peer out there who might recognize something here.
I want to add an MX record to their DNS, BUT I don't want to foul anything up on my second day there. I also want to propose changing the IP scheme within the organization to a 10.x.x.x scheme....but again, I want to make sure of what I propose is factual. Any ideas?
June 18th, 2011 10:04am
I apologize, they are using Exchange as well.
Nancy DeCrescenzo
June 18th, 2011 11:28am
On Sat, 18 Jun 2011 13:59:30 +0000, ndecrescenzo wrote:
>Hi,
>
>I just started with a new company and they have been having an issue for quite some time. Although Friday was my first day, I recognized that they were using an internal 128.x.x.x IP scheme throughout the company. They recently installed a SonicWall firewall appliance and prior to that they had a "firewall" BUT from what I hear it was never defined, so it acted pretty much like a gateway allowing traffic in and out freely. Since the implementation of the SonicWall device, they have not been able to send mail to any AT&T and its subsidiaries due to being blacklisted. Another thing I looked at was in their DNS...they have no MX record. So, 3 things I found in an hour that might have everything to do with it, or maybe nothing at all, but I would like another opinion from a peer out there who might recognize something here.
>
>I want to add an MX record to their DNS, BUT I don't want to foul anything up on my second day there. I also want to propose changing the IP scheme within the organization to a 10.x.x.x scheme....but again, I want to make sure of what I propose is factual. Any ideas?
Well, not getting any e-mail is probably because your firewall is
correctly routing the IP packets to the REAL 128.x.x.x network.
Provided you never want to access anything on that network you can
assign a static route on the firewall to your internal router. Just be
sure you don't advertise that route on the Internet!!!
As long as you're using the 128.x.x.x range behind a NAT device and
you don't allow any direct access to the Internet you should be okay
(as long as you never want to access anything on the real 128.x.x.x
network). It's not right, but it's okay in the short term. Changing to
a non-routed IP network is the right thing to do, but it's not always
as easy as it sounds. Neither is putting everything behind a firewall
and not allowing direct access to the Internet. It's a choice you have
to make. :-)
If the domain's "A" record resolves to the IP address of your public
IP address on the firewall (and that's one that you have authority
over), and you map inbound connections on port 25 to the INTERNAL
128.x.x.x IP address of your Exchange server, then adding a "MX"
record that uses the domain's "A" record will be just fine.
---
Rich Matheisen
MCSE+I, Exchange MVP
June 18th, 2011 1:41pm
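The routing problem described in the reply above can be checked offline before proposing a renumbering. This is an added example, not part of the thread: it tests whether an internal range lies in RFC 1918 space, lists which destinations the range makes unreachable, and suggests a private block of the same size. The function names and the sample addresses are constructed for illustration, and IPv4 is assumed.

```python
import ipaddress

# RFC 1918 private-use blocks: never routed on the public Internet.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(cidr):
    """True if cidr lies wholly inside one of the RFC 1918 blocks."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)

def shadowed(internal_cidrs, destinations):
    """Destinations that internal hosts can no longer reach.

    Hosts numbered from a non-RFC 1918 range treat every address in that
    range as internal, so traffic for the range's real owner never leaves
    the site (or, at the firewall, leaves toward the real network instead
    of the LAN).
    """
    public = [ipaddress.ip_network(c, strict=False)
              for c in internal_cidrs if not is_rfc1918(c)]
    return [d for d in destinations
            if any(ipaddress.ip_address(d) in net for net in public)]

def renumber_target(cidr):
    """Suggest the first subnet of the smallest RFC 1918 block that fits."""
    net = ipaddress.ip_network(cidr, strict=False)
    for block in sorted(RFC1918, key=lambda b: b.num_addresses):
        if block.prefixlen <= net.prefixlen:
            return f"{block.network_address}/{net.prefixlen}"
    return None  # larger than a /8: split the range before renumbering

if __name__ == "__main__":
    # Constructed sample data: the thread's 128.x.x.x scheme plus one
    # correctly numbered site, and a few destination addresses.
    internal = ["128.0.0.0/8", "10.20.0.0/16"]
    dests = ["128.1.2.3", "192.0.2.25", "10.20.1.5"]
    for cidr in internal:
        print(cidr, "RFC1918" if is_rfc1918(cidr) else "PUBLIC SPACE",
              "->", renumber_target(cidr))
    print("unreachable real hosts:", shadowed(internal, dests))
```
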
Hi Rich,
Thank you for replying. I explained to them the same thing you stated above (as far as the 128.x.x.x going outside the router and hitting the real network), so I will propose an IP change solution, which might fix a few more hiccups in the environment.
I will have to see exactly what the DNS is holding and where it's pointing when I get there Monday morning, and will have to check the inbound connection. The last Exchange I administered was 5.5, that was back in 2001....it's not like riding a bike!
I will have to take a crash course again on it....but I at least know where to look up some answers, and of course come to this board for some real life situations and answers :) Thanks again!
Nancy DeCrescenzo
June 18th, 2011 2:56pm
On Sat, 18 Jun 2011 18:52:14 +0000, ndecrescenzo wrote:
>Thank you for replying. I explained to them the same thing you stated above (as far as the 128.x.x.x going outside the router and hitting the real network), so I will propose an IP change solution, which might fix a few more hiccups in the environment. I will have to see exactly what the DNS is holding and where it's pointing when I get there Monday morning, and will have to check the inbound connection. The last Exchange I administered was 5.5, that was back in 2001....it's not like riding a bike! I will have to take a crash course again on it....but I at least know where to look up some answers, and of course come to this board for some real life situations and answers :) Thanks again!
Exchange may have changed, but IP routing and DNS haven't (well, with
the exception of IPv6 and a few new DNS resource record types). Good
luck with the IP network swap. Expect wails of anguish. :-)
---
Rich Matheisen
MCSE+I, Exchange MVP
June 18th, 2011 4:55pm
Hi ndecrescenzo,
Any update for your issue?
Regards!
Gavin
TechNet Subscriber Support
June 20th, 2011 6:12am