Fortigate 100A - Mail Server IP Issues
Hello all,
Hopefully someone will have some insights on this issue.
As many of you may know, many mail servers for large organizations check that DNS / reverse DNS match the IP address of your email server. The problem I am having is that the Fortigate 100A is causing my email server's outgoing connections to other servers to misreport the IP address.
So my email server is (for example) mail.example.com = 23.25.65.235 and reverse DNS is set 23.25.65.235 = mail.example.com
All the DNS is correctly set and there are no issues there. I know this because up until last week I was running all mail through a Cisco PIX 515 without error.
On the Fortigate if I telnet to another email server for a test, when I hit HELO the server will respond saying HELO 23.25.65.234 somedns.cox-cable.com... Which is the outside WAN interface address of the Fortigate.
In other words, the Fortigate is blocking the receiving email server from seeing through to the email server's IP.
I can telnet to my email server and my policies are really simple. Not sure why this is happening, I suspect it is by design, but I need to fix it so my users can send mail to those domains that perform the check.
TIA,
Sean
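
The check described in the post, as an added example that is not part of the original post: a receiving server looks up the PTR of the connecting address, confirms that name resolves back to the same address, and compares it with the HELO name. The function names, the lookup tables and the forward record for somedns.cox-cable.com are assumptions constructed for illustration; the other addresses and names are the post's own examples.

```python
import socket

def system_ptr(ip):
    """PTR names for ip via the system resolver (empty list on failure)."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def system_a(name):
    """IPv4 addresses for name via the system resolver (empty list on failure)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def check_sender(peer_ip, helo_name, ptr_lookup=system_ptr, a_lookup=system_a):
    """Evaluate the connecting address the way a strict receiver might."""
    norm = lambda n: n.rstrip(".").lower()
    ptr_names = [norm(n) for n in ptr_lookup(peer_ip)]
    # Forward-confirm: keep only PTR names that resolve back to peer_ip.
    confirmed = [n for n in ptr_names if peer_ip in a_lookup(n)]
    return {
        "peer_ip": peer_ip,
        "ptr": ptr_names,
        "forward_confirmed": bool(confirmed),
        "helo_matches_ptr": norm(helo_name) in confirmed,
    }

# Constructed records mirroring the post. The A record for the WAN
# interface name is an assumption; the post only shows its PTR.
PTR = {"23.25.65.235": ["mail.example.com."],
       "23.25.65.234": ["somedns.cox-cable.com."]}
A = {"mail.example.com": ["23.25.65.235"],
     "somedns.cox-cable.com": ["23.25.65.234"]}

def demo_ptr(ip):
    return PTR.get(ip, [])

def demo_a(name):
    return A.get(name, [])

if __name__ == "__main__":
    # .235 is the mail server's own address, .234 is the firewall's WAN interface.
    for ip in ("23.25.65.235", "23.25.65.234"):
        print(check_sender(ip, "mail.example.com", demo_ptr, demo_a))
```

Calling `check_sender` without the last two arguments uses the system resolver, so the same check can be run against the address a remote server actually reports seeing.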