inside -> outside policy for SMTP connection

Answered Question
Jul 28th, 2008

Hi,

Using ASDM, I have created an access rule for a pix 525 that allows as follows:

Interface: inside

Direction: incoming

Source IP address: internal IP of inside server, e.g. 192.168.1.10

Destination IP address: external IP of an external mail server. I have tried several and it doesn't work for any - for instance, one example is the MX for Gmail, gmail-smtp-in.l.google.com which resolves to 66.249.91.27

Protocol: tcp

Source port: any

Destination port: smtp

This is what happens:

Before the policy is added, attempting to telnet to the mail server IP on port 25 times out, as you might expect.

When the policy is added, the outbound connection starts, because when testing from the inside server I get this:

220 **************************************

However nothing else happens, no ehlo commands can be entered or anything like that. Eventually the external mail server just sends back a 421 SMTP timeout error.

It is not a problem with the destination server because they work from anywhere else - I have tried several 3rd party external servers as examples, such as Gmail. Connecting to the Gmail server works fine from elsewhere:

$ t 66.249.91.27 25

Trying 66.249.91.27...

Connected to 66.249.91.27.

Escape character is '^]'.

220 mx.google.com ESMTP c24si20282948ika.4

ehlo test

250-mx.google.com at your service, [217.154.131.202]

250-SIZE 28311552

250-8BITMIME

250 ENHANCEDSTATUSCODES

quit

221 2.0.0 mx.google.com closing connection c24si20282948ika.4

Connection closed by foreign host.

When I test the access rule with a packet trace it all passes - but strangely, the server never gets to communicate any further than the initial 220.

Has anyone else experienced this with a pix access rule to an external mail server?

dhananjoy chowdhury Mon, 07/28/2008 - 22:00

Hi,

Do "clear arp" and "clear xlate" and then try to connect.

Also please post the config (sanitized).

mohammed_moustafa Tue, 07/29/2008 - 04:02

Hi James,

I see you have a mail server in your network and need to allow it to access external mail servers. You can't specify the destination of Gmail, Yahoo or Hotmail as these servers have many IP addresses.

Try to make the destination ip address any and port number 25.

Secondly: many mail servers like Yahoo and Hotmail don't allow any further communication like the hello message; you can only telnet and see the start, nothing more. So try to send an e-mail and see if it's received.

Please update me with what happens.

B.regards,

M.Moustafa.

jamesl0112 Fri, 08/01/2008 - 06:01

Hi all,

How much downtime does clear xlate cause?

Anyway - I know that Hotmail etc. have lots of IPs, that was just an example as the same issue happened with all mail servers, even if the destination was any.

The weirdest thing is - I set up a POP mailbox in OE on the server and it was able to successfully send mail, even though telnet to the mail server on port 25 came up with the error.

Since telnet to the mail server on port 25 works perfectly from anything that isn't behind this pix, I find that to be a bit odd.

Correct Answer
g.meerkoetter Fri, 08/01/2008 - 06:46

You probably want to get the SMTP application inspection (formerly called fixup) out of your way, since it is rather conservative in what kind of conversation it allows.

Try "no fixup smtp" for versions < 7.0.

In later versions you might be happy with ESMTP instead of SMTP inspection.

It can be changed in ASDM under "Configuration > Security Policy > Service Policy Rules".

Edit the inspection_default class and go to the "Rule Actions > Protocol Inspection" tab.
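The two symptoms the thread shows are a 220 banner reduced to a row of asterisks and an EHLO that gets no reply until the far end's 421 timeout. The script below is an added example (not code from the thread, from Cisco, or from any poster) that drives a banner -> EHLO -> QUIT exchange and classifies the result, so the same check can be run from the inside server and from a host outside the firewall and the two outputs compared. It assumes, based on nothing more than the sessions quoted above, that "masked banner plus swallowed EHLO" is the signature of conservative SMTP inspection in the path, while an unmasked banner followed by a 250 reply to EHLO is a healthy ESMTP session. The canned transcripts at the bottom are constructed for offline use; `probe()` does the live TCP version.

```python
"""Probe an SMTP destination and flag the symptoms seen in this thread.

Added example, not from the thread or from Cisco. Assumption: a 220 banner
whose text is nothing but asterisks, followed by an EHLO that gets no reply
(or only the server's 421 timeout), is treated as the signature of SMTP
application inspection sitting in the path; an unmasked banner with a
250 reply to EHLO is treated as a healthy ESMTP session.
"""
import io
import socket
import sys


def read_reply(rfile):
    """Read one SMTP reply (single or multi-line). Returns (code, lines).

    code is None when the peer closed the connection or the read timed out
    before a complete reply arrived.
    """
    lines = []
    while True:
        try:
            raw = rfile.readline()
        except OSError:          # socket.timeout is an OSError subclass
            raw = b""
        if not raw:
            return None, lines
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        # "250-..." continues a multi-line reply; "250 ..." ends it
        if len(line) < 4 or line[3] != "-":
            break
    try:
        return int(lines[-1][:3]), lines
    except ValueError:
        return None, lines


def banner_is_masked(banner):
    """True when the greeting text has been replaced by a run of asterisks."""
    text = banner[3:].strip()
    return banner.startswith("220") and bool(text) and set(text) == {"*"}


def diagnose(rfile, wfile, helo_name="probe.example.invalid"):
    """Drive banner -> EHLO -> QUIT over a byte reader/writer and classify."""
    result = {"banner": None, "banner_masked": False,
              "ehlo_code": None, "verdict": ""}

    code, lines = read_reply(rfile)
    if code != 220:
        result["verdict"] = "no 220 greeting: destination unreachable or not SMTP"
        return result
    result["banner"] = lines[-1]
    result["banner_masked"] = banner_is_masked(lines[-1])

    wfile.write(("EHLO %s\r\n" % helo_name).encode("ascii"))
    wfile.flush()
    code, _ = read_reply(rfile)
    result["ehlo_code"] = code

    if code == 250:
        result["verdict"] = "ESMTP session healthy"
    elif code in (None, 421) and result["banner_masked"]:
        result["verdict"] = ("EHLO swallowed behind a masked banner: "
                             "suspect SMTP inspection on the firewall")
    elif code in (None, 421):
        result["verdict"] = "EHLO got no reply: check path or destination"
    else:
        result["verdict"] = "EHLO rejected with %s" % code

    try:
        wfile.write(b"QUIT\r\n")
        wfile.flush()
    except OSError:
        pass
    return result


def probe(host, port=25, timeout=30):
    """Connect over TCP and run diagnose(); run it from inside and outside the firewall."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return diagnose(rfile, wfile)


# Constructed transcripts modelled on the two sessions quoted in the thread.
MASKED_SESSION = b"220 **************************************\r\n"   # then silence
HEALTHY_SESSION = (b"220 mx.example.test ESMTP id1\r\n"
                   b"250-mx.example.test at your service\r\n"
                   b"250-SIZE 28311552\r\n"
                   b"250 ENHANCEDSTATUSCODES\r\n"
                   b"221 2.0.0 closing connection\r\n")


def diagnose_bytes(transcript):
    """Run diagnose() against a canned server transcript (offline use)."""
    return diagnose(io.BytesIO(transcript), io.BytesIO())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
        print(probe(sys.argv[1], port))
    else:
        for name, data in (("masked", MASKED_SESSION), ("healthy", HEALTHY_SESSION)):
            print(name, diagnose_bytes(data)["verdict"])
```

Run it with no arguments to see the two canned verdicts, or as `python smtp_probe.py <mail host> 25` against a real destination. The useful comparison is the same host probed from the inside server and from a machine not behind the PIX: if only the inside run reports the masked banner and a swallowed EHLO, the firewall's inspection, not the destination, is the thing to adjust.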

jamesl0112 Fri, 08/01/2008 - 09:18

Thanks very much!

It is version 7.2, I went with no fixup protocol smtp 25 to test first of all, and was able to telnet to a mail server and get normal responses straight away.

I then switched it back on again, and will check out the inspection rules in ASDM as well.

Thanks again!
