Question : How to route mail from mail server to correct public IP address

Hello Expert:

Last night, I configured and installed an SSG-5 (Juniper) firewall and all was going great until I found out my mail was rejected by one of my customers. Below is the rejection notice. The problem is I am sending out mail through my 208.47.92.149 address when it should be my public address of 208.47.92.145, which resolves back to my correct public DNS records. I tried several test policies but still can't get it to go out the 208.47.92.145 IP address. The mail is going out the 208.47.92.149 address because I have it assigned to Ethernet 0/0. I have 208.47.92.145 set up as a Virtual IP address with the correct ports opened for services I need. My question is how do I set up the SSG-5 Firewall to send out mail through the correct public IP address? I hope this makes sense. Thanks

Delivery has failed to these recipients or distribution lists:

[email protected]
An error occurred while trying to deliver this message to the recipient's e-mail address. Microsoft Exchange will not try to redeliver this message for you. Please try resending this message, or provide the following diagnostic text to your system administrator.

The following organization rejected your message: steel.aasteel.com.


--------------------------------------------------------------------------------
Sent by Microsoft Exchange Server 2007






Diagnostic information for administrators:

Generating server: commserver1.titanfabricators.com

[email protected]
steel.aasteel.com #550-Your mail server does not resolve REVERSE DNS for IP 208.47.92.149 550-or a mismatch exists with name resolving back to 208.47.92.149 550 Please report this to your IS Staff or ISP (Internet Service Provider). ##

Original message headers:

Received: from commserver1.titanfabricators.com ([192.168.0.5]) by
 commserver1.titanfabricators.com ([192.168.0.5]) with mapi; Thu, 28 Feb 2008
 17:08:21 -0600
From: Stephen Hunter
To: "[email protected]"
Date: Thu, 28 Feb 2008 17:08:20 -0600
Subject: test from me
Thread-Topic: test from me
Thread-Index: AQHIel7PGlAzK4Ilf026BiosJbYAnA==
Message-ID: 2781545BCBCC98461@commserver1.titanfabricators.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Answer : How to route mail from mail server to correct public IP address

Hello Hunter,

set interface ethernet0/0 dip 4 208.47.92.145 208.47.92.145
set policy from trust to untrust any any smtp nat src dip-id 4 permit

These commands on the CLI should create a source address translation policy for outgoing SMTP traffic which replaces the source address in the outgoing packets with the 208.47.92.145 address.

From the Juniper ScreenOS concepts and examples guide volume 8 pg. 91:
"The security device forwards incoming traffic destined for a VIP to the host with the
address to which the VIP points. However, when a VIP host initiates outbound
traffic, the security device only translates the original source IP address to another
address if you have previously configured NAT on the ingress interface or NAT-src in
a policy that applies to traffic originating from that host. Otherwise, the security
device does not translate the source IP address on traffic originating from a VIP
host."
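
The 550 rejection in the question is a forward-confirmed reverse DNS failure: the receiving server looks up the PTR record for the connecting IP and checks that the returned name resolves back to the same IP. The sketch below is an added example, not part of the original thread, that reproduces that check so the NAT-src change can be verified before mail is retried; the host names and lookup tables are constructed placeholders, since the page does not give the PTR name for 208.47.92.145.

```python
import socket

# Constructed sample records (not real DNS data); host names are placeholders.
SAMPLE_PTR = {
    "208.47.92.145": ["mail.example.test."],
    "192.0.2.10": ["host.example.test."],  # PTR exists, forward lookup disagrees
}
SAMPLE_A = {
    "mail.example.test": ["208.47.92.145"],
    "host.example.test": ["192.0.2.99"],
}

def sample_ptr(ip):
    """Offline PTR lookup against the constructed table."""
    return SAMPLE_PTR.get(ip, [])

def sample_a(name):
    """Offline A lookup against the constructed table."""
    return SAMPLE_A.get(name, [])

def system_ptr(ip):
    """PTR lookup through the system resolver; empty list if none."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
        return [name, *aliases]
    except OSError:
        return []

def system_a(name):
    """IPv4 forward lookup through the system resolver; empty list if none."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def fcrdns(ip, ptr_lookup=system_ptr, a_lookup=system_a):
    """Return (status, names): 'no-ptr', 'mismatch' or 'pass'."""
    names = [n.rstrip(".").lower() for n in ptr_lookup(ip)]
    if not names:
        return "no-ptr", []
    # Keep only PTR names whose forward lookup contains the original IP.
    confirmed = [n for n in names if ip in a_lookup(n)]
    return ("pass" if confirmed else "mismatch"), confirmed or names

if __name__ == "__main__":
    for ip in ("208.47.92.149", "208.47.92.145", "192.0.2.10"):
        print(ip, *fcrdns(ip, sample_ptr, sample_a))
```

Called with only the IP, fcrdns() uses the system resolver instead of the constructed tables, which is the form to run against the address the firewall actually presents to the Internet.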
