DNS question in Windows 2000....technical

What I’m looking for here is anyone who knows a bit about modifying DNS in a Windows 2000 environment, especially about aliasing a real external domain name to a bogus internal one. I’m fairly confident modifying DNS in a UNIX environment (I’m not an expert though), even though I am more an infrastructure engineer. However, I’m lost trying to get this damn Windows 2000 server to do what I need it to do. Here is the situation.

It’s a new mail server install. The customer has a real authorized external domain name on the web (currently being used by their external website), but for God knows what reason their internal DNS is configured with a bogus domain name…call it customer.com. What I want to do is to basically associate the real external domain name (let’s call it customer.org) with an internal host so that mail coming in gets to the mail host properly. The internal host is coming up as something like host.customer.com with an internal IP address. What I want to be able to do is associate the IP address for this host.customer.com so that it resolves host.customer.org and customer.org to the internal host (internally of course…it’s not going to resolve externally because the customer is using RFC 1918 addressing)…so that mail addressed as username@customer.org will be forwarded directly to the Exchange server.

Externally I’ve had the ISP create an MX record for customer.org pointed at the customer’s firewall, as well as a PTR record for reverse name lookup…an ‘A’ record already exists for their web site. That all seems to be fine. But how do I associate this external mail record with an internal host with its bogus domain?

I’ve tried to insert an alias (CNAME record I assume) in the existing domain area, tried to create a new domain, but it just doesn’t seem to want to let me associate the internal host with the external domain properly…I either get errors or it simply doesn’t work when I try and resolve the address internally. I’m pretty sure it’s a syntax issue, but frankly the way Windows is doing DNS (especially what they name things…why can’t they call things by standard names like ‘A’ records, ‘MX’ records, etc?) is confusing the hell out of me. I’m not a big Windows guy obviously.

Anyway, if someone can give me the syntax or a brief walk through of what I need to do to set this up I’d really appreciate it.

-XT

I’m a bit confused about exactly why you need to do this. I suppose it also depends on the mail server software.

Many of my smaller clients use Exchange 2K/2K3, and you can safely leave the internal DNS alone. Thus, the external MX record of mail.client.com points to the IP address of a machine with a FQDN of exchange.client.msft. This works without fail.

If you insist that the DNS server respond with its true external FQDN, it will depend on the SMTP software. In Exchange 2K3 (that’s what I’m looking at now), you can go to the properties of the SMTP virtual server, go to the delivery tab and click on advanced. There you can change the FQDN to anything you wish, as long as it properly resolves.

Upon re-read, let’s take this one bit at a time.

Okay so far…

First off, many servers do not like sending mail to MX records that are just IP addresses and cannot be reverse looked up. (From experience. AOL is big on this.) So, I’d have the ISP create an A record mail.customer.org, and have the MX record point to the A record instead of an IP.

Assuming this is a domain (and since you said Exchange, that’s a good assumption), please don’t mess with the Windows DNS. Active Directory uses DNS resource records for tons of things, and moving a server from one domain to another improperly can screw things up for you. In fact, if it’s a domain controller, you probably can’t change the domain.

So now we’ve got the MX record pointing to an A record, which resolves to the client’s firewall. On said firewall, forward ports 25 (at the very least) to the internal address of the mail server. (25 = SMTP to receive external mail; 110 = POP3 to download mail externally; 143 = IMAP4, also to download mail externally; 80 = HTTP to allow Outlook Web Access; there are also secure ports for each of these if you need).

At this point everything should work. From outside the client’s network, you should be able to telnet to mail.customer.org, port 25 and receive:

220 Internal_Name.Internal_Domain.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.0 ready at  Wed, 2 Mar 2005 15:07:22 -0500

(the versions may be different depending on your version of Exchange)

If you want the server to respond using the external FQDN of mail.customer.org, then you can follow the directions in my above post to change the SMTP server’s FQDN.

Hope that helps.

This would only work if the email server had a public address. It doesn’t, nor does it reside in a DMZ…it’s got a (non-routable, private) RFC 1918 address. The external MX record points to the customer’s external firewall…which isn’t capable, unfortunately, of redirecting the request directly to the Exchange server. I’ve done similar things to this in the UNIX world using real DNS and a real SMTP server, so it SHOULD work with Windows too. I just don’t know how to make Windows do what I want it to. Perhaps there is even a better way to do this than how I’m attempting to do it…if so I have no problem trying whatever works best.

What I want is for the packet to get routed from the external FQDN (with IP associated to the external gateway) to the internal machine serving up mail. This should be no problem as the IP address will be stripped off when the packet hits the internal gateway and it will be re-resolved using the internal DNS…and routed to the appropriate server. The only way I know how to do this is to have the internal DNS respond to the FQDN with the RFC 1918 address of the internal Exchange host. If there is another way to do it (without restructuring the internal deployment of the system) I’m all ears. All I want is for it to work so I can get out of here…this is a pro bono installation for one of the schools we support, and it’s taking up WAY too much of my time and effort to get this working. I’m open to any suggestions that will get this system up and running in the least possible amount of time.

I know about the change you mentioned in the SMTP virtual server in Exchange 2003…I’ve used it before to alias addresses. The problem is this is (afaik) a routing issue at this point, with the translation from the external FQDN address not being translated to the internal IP address.

-XT

BTW, thanks for the help here dasgupta…appreciated.

Yes, that’s why I had the ISP insert a PTR record for reverse name lookup. Without that many private email services won’t send mail as they use reverse name lookup as kind of a security check.

Unfortunately I can’t modify the mail record to be mail.customer.org, though I’d like to and initially suggested it to the customer. The problem is that the customer is already getting their mail to an external webmail server as username@customer.org, and are unwilling to change their addressing (for obvious reasons). In addition, the ISP seems unwilling to work with me on aliasing the addressing so that username@customer.org => username@mail.customer.org, with an MX, A and PTR record for the new mail host. I’m unsure WHY they won’t work with me on this, but they won’t.

Yes, it’s an internal domain (Windows domain I assume you mean). I’m not attempting to change its Windows domain…which is part of the problem. Afaik it’s not a domain controller, but again I’m not trying to change the internal Windows domain in any way…though it would make my life easier. What I want to do is to redirect the external fully qualified domain name packets associated with the external MX record to an internal, privately addressed machine. The ONLY way I know how to do that is to have the internal DNS be able to resolve that external FQDN to an internal address. If there is another way as I said before I’m all ears. :)

:) This firewall has no port forwarding capability…I had already thought of this and it would be a quick fix no doubt.

Well, I appreciate your help on this. Sounds like from what you are saying that there isn’t a way to do what I had hoped to do.

-XT

I’m afraid you’ve lost me here. I’ve no problem with the private (RFC1918) address, we use them here. But if the firewall won’t redirect to a host based on port number? Odd.

So is the firewall resolving hosts using the internal or an external DNS server? If it’s the internal, you should be able to add a new domain to a Win2K/3 DNS server easily and add whatever A/MX records you want. Right-click Forward Lookup Zones and select New Zone… I don’t see any reason why it would matter if it’s Primary or ADI. You would need to mirror all of the records manually, however. The mail server would get your internal address, but the web server and any others you’d need to put in manually with their external address. Additionally, if you prefer you can always install BIND on the Win server, since you said you’re more UNIX oriented.

Does this server (or another on the network) have DNS installed? Do you get an error trying to add an additional domain?

The ‘firewall’ the customer currently has is a POS…it basically does NAT and a proxy authentication and that’s essentially it. No port redirection at all. One of my recommendations was to junk it and get a REAL firewall…but so far the customer is resisting (if it ain’t broke don’t fix it kind of thing). And without a port redirect there is no way for the address to resolve correctly to the internal addressing.

My guess is that it resolves internal (it uses a basic default routing gateway of last resort for external…passing the packet on to the ISPs gateway).

I tried to do what you described and if you say this should work I must have done something wrong. I’ll give it a shot again. In my mind it SHOULD work fairly easily I’d think, but it doesn’t seem to. I didn’t know I could install BIND on a Win2K server…THAT’S something I’m going to do for sure. Thanks for the help btw…I really appreciate it.

-XT

The ultimate goal here is to be able to send and receive SMTP to/from Internet hosts via a server with an RFC1918 IP address sitting behind an Internet-attached firewall, correct?

Let me see if I have this right.

The MX record for customer.org points to the IP address of the firewall rather than a FQDN? So it’s:

and not

I don’t think this will work. It’s definitely not kosher. See section 3.3.9 of RFC 1035. A mail server doing an MX lookup expects to get a host in reply. It plans on doing an A record lookup with the Exchange. An A record lookup on 123.123.123.123 isn’t going to work.

Apologies if I’ve misunderstood.
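Putting dasgupta’s mirrored internal zone (the New Zone / manual-mirroring post above) and the RFC 1035 section 3.3.9 point from this post into code, as an added example that is not from the thread: it writes the internal copy in BIND master-file format (dasgupta mentioned BIND can go on the Windows server) and checks the MX records; every name and address in it is constructed.

```python
"""Added example, not code from the thread: mirror the public customer.org
records into the internal zone dasgupta describes (swapping the mail host for
its RFC 1918 address) as a BIND master file, and check the MX records the way
Severian's RFC 1035 section 3.3.9 point requires. All addresses constructed:
203.0.113.1 firewall, 203.0.113.20 web server, 192.168.1.10 Exchange host."""
import ipaddress
ZONE = "customer.org"
# (owner relative to zone, type, data); as found, the MX hands out the firewall IP.
PUBLIC_AS_FOUND = [("@", "MX", "10 203.0.113.1"), ("www", "A", "203.0.113.20")]
# As dasgupta suggests: an A record for the mail host that the MX points at.
PUBLIC_FIXED = [("@", "MX", "10 mail.customer.org."), ("mail", "A", "203.0.113.1"),
                ("www", "A", "203.0.113.20"), ("@", "A", "203.0.113.20")]
INTERNAL_OVERRIDES = {"mail": "192.168.1.10"}  # hosts that sit behind the firewall

def fqdn(owner, zone=ZONE):
    """Absolute form of a relative owner name ('@' is the zone apex)."""
    return zone if owner == "@" else f"{owner}.{zone}"

def internal_zone(records, overrides, zone=ZONE, ttl=3600):
    """Copy every public record, replacing A data for names in overrides;
    returns BIND master-file text for the internal server's copy of the zone."""
    out = [f"$ORIGIN {zone}.", f"$TTL {ttl}",
           f"@ IN SOA ns1.{zone}. hostmaster.{zone}. 2005030201 3600 900 604800 3600",
           f"@ IN NS ns1.{zone}."]
    for owner, rtype, data in records:
        if rtype == "A" and owner in overrides:
            data = overrides[owner]  # internal clients get the private address
        out.append(f"{owner} IN {rtype} {data}")
    return "\n".join(out) + "\n"

def check_mx(records, zone=ZONE):
    """Problems with the MX records: RFC 1035 s3.3.9 makes EXCHANGE a domain
    name, so an IP literal there, or a name with no A record, breaks delivery."""
    has_a = {fqdn(o, zone) for o, t, _ in records if t == "A"}
    problems = []
    for _, rtype, data in records:
        if rtype != "MX":
            continue
        pref, target = data.split()
        name = target.rstrip(".")
        try:
            ipaddress.ip_address(name)
            problems.append(f"MX {pref} points at IP literal {name}, not a hostname")
        except ValueError:  # a hostname, as required: it still needs an A record
            if name not in has_a:
                problems.append(f"MX target {name} has no A record")
    return problems
```

As the rest of the thread establishes, the internal zone only fixes resolution inside the network; inbound mail still depends on the firewall passing port 25 through to the Exchange host.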

Whoops. Answered my own question. I didn’t catch that you had set up a PTR record. A lookup of the IP address may well work then.

The question then becomes less of a DNS question and more of a firewall question, no? We just want the firewall to route the incoming SMTP traffic correctly. Would you be willing to tell us what kind of firewall it is?

It’s an old TeamInternet Firewall…v1.0 I think. The thing is ancient…and massive. It has no capabilities to do port redirects and can only do NAT and proxy authentication for internet access (it was designed for use by schools I think…cheap and with limited functionality).

You are right, it IS a firewall issue. My problem would be getting them to buy something a bit more modern…or buy anything at all.

Thanks for the help on this Severian and dasgupta. Let me know if you have any additional thoughts…I’d appreciate it.

-XT

Sounds like a pain. Can it even handle more than one NAT rule? Could you get a second IP address for the external firewall interface from the ISP, then NAT such that traffic to that address is always translated to the internal SMTP server?