I have changed mail filtering services to a new provider which, instead of having a small subset of subnets they may send us Port 25 connections on, has some 80 IPs. They suggest using a hostname, delivery.antispamcloud.com, instead of the IPs; however, that failed. They have a KB where this happens with SonicWalls, and they state it is because the firewall is only using UDP for the DNS Port 53 nslookup and thus truncates the results.
I'm wondering if the same is true with the Netvanta products and that is why I am unable to get inbound SMTP to pass correctly using delivery.antispamcloud.com in the hostname.
Help...
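The truncation the vendor's KB describes is plain DNS wire-format arithmetic: a classic UDP reply without EDNS0 is capped at 512 bytes, each A record in a compressed answer costs 16 bytes, so a hostname with 80 addresses cannot fit and the server sets the TC (truncated) bit, which a UDP-only resolver ignores at its peril. The following is an added example, not code from this thread or from the vendor: it builds and parses a DNS answer offline (no network queries) to show how many A records fit for delivery.antispamcloud.com and what a firewall that never retries over TCP actually receives. The 192.0.2.x addresses are constructed placeholders from the documentation range, not the provider's real sending IPs.

```python
import struct

UDP_MAX = 512  # classic DNS-over-UDP payload limit without EDNS0 (RFC 1035)

# Constructed sample: 80 placeholder addresses from TEST-NET-1, not real provider IPs.
SAMPLE_NAME = "delivery.antispamcloud.com"
SAMPLE_IPS = [f"192.0.2.{i}" for i in range(1, 81)]


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def max_a_records(name: str, max_size: int = UDP_MAX) -> int:
    """How many compressed A records fit after a 12-byte header and the question."""
    question_len = len(encode_name(name)) + 4          # QTYPE + QCLASS
    return (max_size - 12 - question_len) // 16         # 16 bytes per compressed A RR


def build_response(name: str, ips, ttl: int = 300, max_size: int = UDP_MAX) -> bytes:
    """Build a DNS response for an A query. Records that would push the message
    past max_size are dropped and the TC bit is set, as a real server does."""
    question = encode_name(name) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    body = question
    count = 0
    truncated = False
    for ip in ips:
        rdata = bytes(int(octet) for octet in ip.split("."))
        # 0xC00C = compression pointer to the question name at offset 12
        rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
        if 12 + len(body) + len(rr) > max_size:
            truncated = True
            break
        body += rr
        count += 1
    flags = 0x8180 | (0x0200 if truncated else 0)      # QR, RD, RA (+TC when cut short)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, count, 0, 0)
    return header + body


def parse_response(msg: bytes):
    """Return (tc_bit_set, [A record IPs]) from a DNS response message."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    tc = bool(flags & 0x0200)
    pos = 12
    while msg[pos] != 0:                                # skip the question name
        pos += 1 + msg[pos]
    pos += 1 + 4                                        # terminator + QTYPE/QCLASS
    ips = []
    for _ in range(an):
        if msg[pos] & 0xC0 == 0xC0:                     # compression pointer
            pos += 2
        else:                                           # uncompressed owner name
            while msg[pos] != 0:
                pos += 1 + msg[pos]
            pos += 1
        rtype, _rclass, _rttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata = msg[pos:pos + rdlen]
        pos += rdlen
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
    return tc, ips


if __name__ == "__main__":
    udp_only = parse_response(build_response(SAMPLE_NAME, SAMPLE_IPS))
    with_edns = parse_response(build_response(SAMPLE_NAME, SAMPLE_IPS, max_size=4096))
    print(f"{max_a_records(SAMPLE_NAME)} A records fit in a 512-byte UDP reply")
    print(f"UDP-only resolver: TC={udp_only[0]}, got {len(udp_only[1])} of {len(SAMPLE_IPS)}")
    print(f"EDNS0/TCP-capable: TC={with_edns[0]}, got {len(with_edns[1])} of {len(SAMPLE_IPS)}")
```

For this hostname only 29 of the 80 records fit, so a firewall that builds its allow list from a single UDP answer and ignores TC silently admits about a third of the provider's senders and rejects the rest, which is exactly the intermittent inbound SMTP failure described above. A resolver that honours TC retries over TCP, or advertises a larger buffer via EDNS0, and gets the whole set.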
You're probably better off finding a mail filtering service that has actual networking clue rather than jumping through these hoops. In addition to having over 80 IPs to which that hostname resolves, they have their TTL set to only 300 seconds. This isn't going to work out well for them. They're going to DDoS themselves with that kind of nonsense, it doesn't scale.
Using DNS to populate an 80-plus entry ACL in a firewall only to throw it away every five minutes simply isn't good practice. Populating firewall ACLs with a phonebook-sized list of A records is not what DNS is for. They are doing something fundamentally broken and telling the rest of the world how to implement workarounds for it.
And, at least for the TA900 series, Adtran doesn't like this at all.
lab-adtran#ping delivery.antispamcloud.com
Error(RCODE - name error): Exhausted all available options to resolve host.
lab-adtran#
Cisco won't be happy either. It will populate the ACL with the first match and cache it until the next reboot.
Totally agree with your assessment of the networking problems they have setup. Had not checked that TTL, wow.
So I was able to get them to force our email through a smaller subset of subnets, kind of. Instead of that huge list they provided 4 /24 subnets of possible sending IPs, so I only had to enter those subnets, although that still means they are saying they might send email through as many as 1000 IPs.