tdssupport
New Contributor II

ACL using hostname not working for SMTP 25 allows

I have changed mail filtering services to a new provider which, instead of having a small subset of subnets they may send us port 25 connections from, has some 80 IPs. They suggest using a hostname, delivery.antispamcloud.com, instead of the IPs; however, that failed. They have a KB where this happens with SonicWalls, and they state it is because the firewall is only using UDP for DNS port 53 nslookup and thus truncates the results.

https://support.solarwindsmsp.com/kb/mail_assure/SonicWall-firewall-not-resolving-all-IP-s-for-deliv...

Description

  • Using SonicWall and when using FQDN the firewall is unable to resolve all of the IPs
  • Is there another way to accept only emails from SolarWinds Mail Assure without putting in 84 IP addresses?

Environment

  • SolarWinds Mail Assure

Solution

  • Issue is likely because firewall nslookup is not using TCP
  • If it can only accept port 53 responses on UDP, it will truncate the nslookup reply
  • Check to ensure that nothing is blocking TCP responses to DNS queries to the firewall
  • If blocking TCP responses on purpose for security reasons then you would need to enter each of the IPs into the firewall

I'm wondering if the same is true with the Netvanta products and that is why I am unable to get inbound SMTP to pass correctly using delivery.antispamcloud.com in the hostname.

Help...
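The KB bullets above describe the mechanism only in outline, so here is an added worked example (not from the original post, the KB, or any vendor's code) that models it on the wire: a non-EDNS DNS reply over UDP is capped at 512 bytes, so a name with dozens of A records comes back with the TC bit set and only the records that fit, and a client that does not retry over TCP populates its ACL from that partial list. The hostname is the one from the thread; the 84 addresses are constructed documentation-range values (the KB only gives the count), the 300-second TTL is a sample value, and the truncation model (keep whole records that fit, set TC) is one common server behaviour, not a claim about any particular resolver.

```python
import struct

# Constructed sample data (not from the page): the hostname from the thread,
# and 84 documentation-range addresses standing in for the real sending IPs,
# which the KB only counts (84) and does not list.
HOSTNAME = "delivery.antispamcloud.com"
SAMPLE_ADDRS = [f"203.0.113.{i}" for i in range(1, 85)]
UDP_MAX = 512      # classic DNS-over-UDP payload limit without EDNS0 (RFC 1035)
TC_FLAG = 0x0200   # TC (truncated) bit in the header flags word
RR_LEN = 16        # name pointer(2) + type(2) + class(2) + TTL(4) + rdlength(2) + IPv4(4)


def encode_name(name):
    """Dotted hostname -> DNS wire-format labels with terminating zero."""
    out = b""
    for label in name.strip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_response(name, addrs, ttl=300):
    """Full answer: one A record per address, owner name compressed to a
    pointer (0xC00C) back at the question name, the usual server encoding."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    answers = b""
    for a in addrs:
        rdata = bytes(int(o) for o in a.split("."))
        answers += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answers


def udp_truncate(msg, limit=UDP_MAX):
    """Model a UDP reply: keep only whole RRs that fit in `limit` bytes,
    fix up ANCOUNT and set the TC bit so the client knows to retry over TCP."""
    if len(msg) <= limit:
        return msg
    hdr = list(struct.unpack("!HHHHHH", msg[:12]))
    fixed = 12 + msg[12:].index(b"\x00") + 1 + 4      # header + question
    keep = (limit - fixed) // RR_LEN
    hdr[1] |= TC_FLAG
    hdr[3] = keep
    return struct.pack("!HHHHHH", *hdr) + msg[12:fixed + keep * RR_LEN]


def parse_answers(msg):
    """Return (tc_set, [IPv4 strings]) from the answer section."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qdcount):                 # skip the question(s)
        while msg[pos] != 0:
            pos += 1 + msg[pos]
        pos += 1 + 4
    addrs = []
    for _ in range(ancount):
        if (msg[pos] & 0xC0) == 0xC0:        # compression pointer
            pos += 2
        else:                                # inline name
            while msg[pos] != 0:
                pos += 1 + msg[pos]
            pos += 1
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[pos:pos + 4]))
        pos += rdlen
    return bool(flags & TC_FLAG), addrs


def udp_only_lookup(full_reply):
    """A resolver that ignores TC: the failure mode the KB describes."""
    return parse_answers(udp_truncate(full_reply))[1]


def tcp_fallback_lookup(full_reply):
    """A correct resolver: on TC, re-ask over TCP, which carries the whole reply."""
    tc, addrs = parse_answers(udp_truncate(full_reply))
    if tc:
        tc, addrs = parse_answers(full_reply)   # TCP transport has no 512-byte cap
    return addrs


def max_a_records_over_udp(name, limit=UDP_MAX):
    """How many compressed A records fit in one non-EDNS UDP reply for `name`."""
    return (limit - (12 + len(encode_name(name)) + 4)) // RR_LEN


if __name__ == "__main__":
    reply = build_response(HOSTNAME, SAMPLE_ADDRS)
    print(len(reply), "bytes for", len(SAMPLE_ADDRS), "A records")
    print("UDP-only resolver sees", len(udp_only_lookup(reply)), "addresses")
    print("TCP-fallback resolver sees", len(tcp_fallback_lookup(reply)), "addresses")
```

For this name only 29 A records fit in a 512-byte reply, so a UDP-only firewall builds its allow list from roughly a third of the sending addresses and silently rejects mail from the rest. The check a practitioner wants is the TC bit on the UDP reply: if it is set and the device never retries over TCP port 53 (or lacks EDNS0), the hostname-based ACL cannot be complete, which is exactly the KB's "check that nothing is blocking TCP responses" advice.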

Accepted Solutions

jayh
Honored Contributor

Re: ACL using hostname not working for SMTP 25 allows

You're probably better off finding a mail filtering service that has actual networking clue rather than jumping through these hoops. In addition to having over 80 IPs to which that hostname resolves, they have their TTL set to only 300 seconds. This isn't going to work out well for them. They're going to DDoS themselves with that kind of nonsense, it doesn't scale.

Using DNS to populate an 80-plus entry ACL in a firewall only to throw it away every five minutes simply isn't good practice. Populating firewall ACLs with a phonebook-sized list of A records is not what DNS is for. They are doing something fundamentally broken and telling the rest of the world how to implement workarounds for it.

And, at least for the TA900 series, Adtran doesn't like this at all.

lab-adtran#ping delivery.antispamcloud.com
Error(RCODE - name error): Exhausted all available options to resolve host.
lab-adtran#

Cisco won't be happy either. It will populate the ACL with the first match and cache it until the next reboot.

2 Replies

tdssupport
New Contributor II

Re: ACL using hostname not working for SMTP 25 allows

Totally agree with your assessment of the networking problems they have set up. Had not checked that TTL, wow.

So I was able to get them to force our email through a smaller subset of subnets, kind of. Instead of that huge list they provided 4 /24 subnets of possible sending IPs, so I only had to enter those subnets, although that still means they are saying they might send email through as many as 1000 IPs.