Have to ask the guru Bob here.
My understanding is you can get the SMTP to leave via different IP via multipath rules but you can only receive on 1 IP ie the SMTP Proxy. Now that might create an issue with RDNS lookups by anti-spam servers etc
I'll check tomorrow. We have a load balanced UTM cluster 2x SG330 at one location and another 2x SG330 cluster. Each 50 miles away connected via a 1gb PtP.
Having said that, we are utilizing SMTP proxy at both sites which then relay to exchange load balancers so there are 2x smtp proxy in play here which might explain why RDNS lookups work etc.
So as below:
OUTGOING: Exchange Transport Servers (NLB) > SITE A UTM SMTP Proxy > Multipath > 50% to internet & 50% to SITE B UTM SMTP Proxy > Internet
INCOMING: Primary MX > SITE A UTM Proxy > (NLB) Exchange Transport servers
Backup MX > SITE B UTM Proxy > (NLB) Exchange Transport servers
As Louis-M mentioned, it may compromise RDNS
I use SMTP only for one exchange server, and it is in trasnparent mode (lets say im more secure this way)
I can receive emails from the second WAN (with MX record setup in DNS zone)
I am afraid to let emails going from wan2 because has different RDNS
If there isn't an RDNS entry for an IP address, your mail will most likely be bounced. We actually had this with the setup I've just mentioned above as the A & PTR record hadn't been set up. Just enabling the 2 uplink interfaces pushed 50% of the mail out through the 2nd interface and it bounced.
Fortunately, we were watching for it and expecting it also. The solution was to create the multipath rule and chuck 100% smtp via the 1st interface until we got the A, PTR & MX records in place.
As far as I'm aware, most anti-spam solutions will do a reverse lookup first to make sure the sending IP has a valid A & PTR record with it. The mail will get bounced right there if the receiving server can't connect or find a PTR record. They will then move on to the more exotic stuff like SPF, DKIM & DMARC to increase or decrease the score.
We're quite pleased with our setup and are still tweaking it as we're in the process of completely switching the sites ie SITE B (failover site) will become the primary site in the event of an outage at SITE A (primary site) becoming offline for a reason.
If there isn't an RDNS entry for an IP address, your mail will most likely be bounced. We actually had this with the setup I've just mentioned above as the A & PTR record hadn't been set up. Just enabling the 2 uplink interfaces pushed 50% of the mail out through the 2nd interface and it bounced.
Fortunately, we were watching for it and expecting it also. The solution was to create the multipath rule and chuck 100% smtp via the 1st interface until we got the A, PTR & MX records in place.
As far as I'm aware, most anti-spam solutions will do a reverse lookup first to make sure the sending IP has a valid A & PTR record with it. The mail will get bounced right there if the receiving server can't connect or find a PTR record. They will then move on to the more exotic stuff like SPF, DKIM & DMARC to increase or decrease the score.
We're quite pleased with our setup and are still tweaking it as we're in the process of completely switching the sites ie SITE B (failover site) will become the primary site in the event of an outage at SITE A (primary site) becoming offline for a reason.
Never had an issue. As long as there is a PTR record for the sending IP, mail will usually flow. Think of a single server sending for multiple domains.
And of course, when you start to configure SPF etc, you would have to take into account the sending mail server/domain.
But the HELO/EHLO doesn't have to match the users domain. It just have to have an IP with a PTR which matches.
here some test and strange behavior of my UTM
"WorkUTM" has 2 UPLINK
Receives emails from both, but sends only from one (defined with mulipath rule). Second WAN not published in any DNS records etc.
HOW I tested sending emails to second IP? Simple, defined the mail.hostname.com with the second ip in my "homeUTM"
But my "HomeUTM" doesnt accept emails from my "WorkUTM" with the primary WAN-IP
[79.x.x.x]: 550 Invalid RDNS entry for 80.x.x.x
Tried to define the mail.hostname.com (work) with two IP, without success
You know so much, Olsi, that I didn't think of this. Like Louis said, you only need to make sure your authoritative name server entries tell the full story:
mail1.hostname.com A 22.33.44.55 <-- EDIT 2018-02-22 Corrected mail2 to mail1
55.44.33.22.in-addr.arpa ptr mail1.hostname.com
mail2.hostname.com A 22.33.44.56
56.44.33.22.in-addr.arpa ptr mail2.hostname.com
v=spf1 ip4:22.33.44.55 ip4:22.33.44.56 -all
Cheers - Bob
There can be very many domains hosted behind a single HELO string. There must be tens of thousands behind mail-cys01nam02on0094.outbound.protection.outlook.com and the other servers for Office 365.
Cheers - Bob
I don't think that there's an RFC requirement that there be a different SMTP banner for different IPs or for different domains. I can see that a hosting provider might not be set up like outlook.com and would want to offer customized SMTP banners for its customers.
Cheers - Bob