Mailing List Message #103712
From: James Roman <>
Subject: Re: Re: RDNS (Reverse lookup) failure
Date: Mon, 19 Nov 2012 06:46:35 -0800
To: <CGatePro>
This is a mis-configuration of either your CGP server or your firewall NAT configuration. Either you are not sending mail from the IP address (NAT or your firewall is only configured to perform the static NAT on your outside interface, but not on your internal interface.

Your firewall is probably configured to provide default NAT with the IP address of your firewall (Gateway IP). You probably have a static NAT entry for your mail server that translates traffic to and from your mail server to the address If your mail server is in your DMZ, then you would probably want a set-up like this (I am speculating that your inside network uses 10.1.x.x)

Source ( <= Outside Interface  <= Firewall <= Source (Default PAT <= Inside Interface <= Source (10.1.x.x ) Inside host
Source ( <= Outside Interface  <= Firewall <= Source (Static NAT <= DMZ Interface <= Source ( ) Mail Server

If the mail server sends mail out with an address that is not, you will get the default PAT address instead of the Static NAT address.
  1. In CommuniGate, under Settings -> Network -> LanIP, make sure your Server LAN IP Address is set to Make sure your WAN IPv4 Address: is set to
  2. In Settings -> Mail -> SMTP, make sure your Source IP Address is set to
  3. If you change any of these IP addresses on the underlying server, you may need to restart CommuniGate or reboot the server to see the new addresses in CGP.
  4. Use a traffic sniffer on your firewall to verify that when you send a message using the CGP web interface, it is sent using the address. Make sure that the source and destination interfaces match what is expected.

If your mail server routes out the Inside interface, you will get the default PAT address. If your firewall improperly routes DMZ traffic Inside first, back through your Inside interface to the Outside, you will get the default PAT address instead.

  1. Use traceroute to a known external mail server. Your route should return your DMZ gateway IP address, followed by your upstream Internet provider's router. If it returns your Inside network gateway interface, then you have a routing problem. The default route configured in your firewall should be your new ISP's default gateway, not an internal router.
  2. Review the route configuration on your firewall.
  3. Make sure that your DMZ interface is performing NAT translation.
  4. Make sure your static NAT entry is configured properly. 
    1. On a Cisco ASA your NAT entry should look like:
      • object network
      • object network
         nat (DMZInterface,outside) static dns

These are for a basic set-up. If you changed routers when you migrated ISPs then there is room for all kinds of unexpected behavior. Make sure that routing is working right, otherwise all kinds of things can go wrong.

On 11/05/2012 01:05 PM, Urs Grützner wrote:
Thanks for your help

In fact is inbound and outbound as well. 

Of course, as is the Gateway of our LAN, every mail passes this IP as well. But its origin should be

I do not understand the mechanism, when and how this Gateway IP is attributed and sent with mail. And why not the mail server's IP???

The weird thing is: before we switched to our new provider this did not happen. Except that Router, IPs and DNS have changed, everything should work analogously.

At the moment I have a workaround, that I can send my SMTP in relay with the SMTP of our Provider Swisscom. This "whitewashes" the fact, that our reverse is not correct.

But that's not a solution. I want that the is sent with the mail. (The reverse lookup to might help as well but I am not happy with that trick as soon as I did not understand the mechanism) ;-)



From: Lyle Giese <>
Subject: Re: RDNS (Reverse lookup) failure
Date: Mon, 05 Nov 2012 11:06:39 -0600
To: CommuniGate Pro Discussions <>
It looks to me like is for inbound email, while outbound email is forwarded via does not have a reverse lookup.  This ip address does not appear to be accepting inbound email so I can not verify the HELO/EHLO greeting it may be providing.  

I think you need to get a reverse installed for with the greeting used by that machine.

Lyle Giese
LCR Computer Services, Inc.

On 11/5/2012 10:07 AM, Urs Grützner wrote:
We have changed our Internet provider, needed to change also the DNS authority and the IPs.

The new zone file on the Master DNS is ok, according to the rules.  

The name server IPs on the Server are changed to the new provider.

Our server is behind a Firewall, with local IPs,,

The forward and reverse lookup for and the public IP are OK (see lookups below)

Now we have the following problem:

When sending mails it's not the IP of our server which is transmitted, but the IP of our Gateway. Of course the RDNS lookup will fail for servers, which perform this check.

I do not know how this IP is forwarded with mail. How does the mail server get his own public IP? By checking the DNS?  I don't understand how the gateway IP is coming into the header

Any help is appreciated



PS: Here is a mail I have sent from the concerned server One can see the gateway number as the origin, instead of the mail server's IP number

Von:  Urs Grützner <>

Betreff:  test WAN IP

Datum:  5. November 2012 12:47:33 MEZ

An:  Gruetzner Urs <>

Return-Path:  <>

Received:  from ([]) by (Oracle Communications Messaging Server 7u4-26.01 ( 64bit (built Jul 13 2012)) with ESMTP id <> for; Mon, 05 Nov 2012 11:47:36 +0000 (GMT)

Received:  from ([]) by (Oracle Communications Messaging Server 7u4-23.01( 64bit (built Aug 10 2011)) with ESMTP id <> for (ORCPT; Mon, 05 Nov 2012 11:47:36 +0000 (GMT)

Received:  from [] (account ugruetzner [] verified) by (CommuniGate Pro SMTP 5.1.16) with ESMTPSA id 4681822 for; Mon, 05 Nov 2012 12:47:33 +0100

„Lookup“ wurde gestartet …

; <<>> DiG 9.6-ESV-R4-P3 <<>> any +multiline +nocomments +nocmd +noquestion +nostats +search
;; global options: +cmd 3600 IN MX 10 3600 IN A
2012103001 ; serial
10800      ; refresh (3 hours)
3600       ; retry (1 hour)
604800     ; expire (1 week)
21600      ; minimum (6 hours)
) 687 IN NS 687 IN NS 687 IN NS 687 IN NS 687 IN A 19862 IN A 1833 IN A

„Lookup“ wurde gestartet …

; <<>> DiG 9.6-ESV-R4-P3 <<>> any +multiline +nocomments +nocmd +noquestion +nostats +search
;; global options: +cmd 657 IN A 657 IN NS 657 IN NS 19832 IN A 1803 IN A

„Lookup“ wurde gestartet …

; <<>> DiG 9.6-ESV-R4-P3 <<>> -x any +multiline +nocomments +nocmd +noquestion +nostats +search
;; global options: +cmd 86400 IN PTR


James Roman | Network Manager

Terranet Inc., on contract to:
SSAI | 10210 Greenbelt Rd., Suite 600 | Lanham MD 20706

IT Helpdesk: 301-867-2100
IT Support Website
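
The check discussed in this thread (which source address the receiving side actually saw, and whether that address has a matching reverse lookup) can also be run against the headers of a delivered test message. The following is an added example, not part of the original thread or of CommuniGate Pro; the function names, the sample headers and the documentation-range addresses (203.0.113.1 as the firewall's default PAT address, 203.0.113.25 as the static NAT address) are all constructed assumptions.

```python
import re
import socket
from email import message_from_string

# Constructed sample (documentation addresses, not taken from the thread):
# 203.0.113.1 = firewall default PAT, 203.0.113.25 = static NAT for the mail server.
SAMPLE = """\
Received: from mail.example.org ([203.0.113.1]) by mx.provider.example
 with ESMTP id <1@mx.provider.example>; Mon, 05 Nov 2012 11:47:36 +0000
Received: from [10.1.0.50] (account user [10.1.0.50] verified)
 by mail.example.org (CommuniGate Pro SMTP 5.1.16) with ESMTPSA id 1;
 Mon, 05 Nov 2012 12:47:33 +0100
Subject: test WAN IP

body
"""

HOP = re.compile(r"from\s+(\S+)\s+\(\[([0-9a-fA-F.:]+)\]\)\s+by\s+(\S+)")

def handoff_hop(raw, own_host):
    """Return (helo, ip) recorded by the first external MTA that received
    the message from own_host, or None. Received headers are newest-first,
    so walk them bottom-up."""
    msg = message_from_string(raw)
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m and m.group(3).lower() != own_host.lower():
            return m.group(1), m.group(2)
    return None

def check_outbound(raw, own_host, expected_ip, ptr=None, fwd=None):
    """Compare the address the outside world saw with the static NAT address,
    then run a forward-confirmed reverse DNS check on it."""
    ptr = ptr or (lambda ip: socket.gethostbyaddr(ip)[0])
    fwd = fwd or (lambda name: socket.gethostbyname_ex(name)[2])
    hop = handoff_hop(raw, own_host)
    if hop is None:
        return {"error": "no external Received hop found"}
    helo, seen_ip = hop
    result = {"helo": helo, "seen_ip": seen_ip, "nat_ok": seen_ip == expected_ip,
              "ptr": None, "fcrdns": False, "helo_matches_ptr": False}
    try:
        name = ptr(seen_ip).rstrip(".")
        result["ptr"] = name
        result["fcrdns"] = seen_ip in fwd(name)
        result["helo_matches_ptr"] = name.lower() == helo.lower()
    except OSError:
        pass  # no PTR record, or the PTR name does not resolve
    return result
```

The `ptr` and `fwd` arguments default to live DNS lookups through the system resolver; passing your own callables lets the same check run against recorded answers.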
