Device cannot send emails

egeorgopoulos
Level 1

Hello,

I have a device that connects to the wireless network (WLAN1), with static IP (192.168.1.10), but cannot send emails using several SMTP servers, like smtp.google.com. Is there anything at the router that blocks the SMTP port (25) ? I have appended the configuration of the router below:

router#sh run

Building configuration...

Current configuration : 7770 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname router

!

boot-start-marker

boot-end-marker

!

logging message-counter syslog

logging buffered 32768 informational

!

no aaa new-model

!

crypto pki trustpoint TP-self-signed-61071307

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-61071307

revocation-check none

rsakeypair TP-self-signed-61071307

!

!

crypto pki certificate chain TP-self-signed-61071307

certificate self-signed 01

  30820240 308201A9 ….. omitted 63DED965 BF9ED7BF A567E004

              quit

dot11 syslog

!

dot11 ssid WLAN1

vlan 1  

authentication open

authentication key-management wpa

mbssid guest-mode

wpa-psk ascii 7 0707244543084852320444659

!

no ip source-route

!

!

ip dhcp excluded-address 192.168.1.254

!

ip dhcp pool pool

   import all

   network 192.168.1.0 255.255.255.0

   default-router 192.168.1.254

   dns-server 195.170.0.1 195.170.2.2

   update arp

!

!

ip cef

no ip bootp server

ip domain name local

ip name-server 192.168.1.254

ip name-server 4.4.4.2

ip name-server 4.4.4.6

ip inspect name firewall tcp

ip inspect name firewall udp

ip inspect name firewall cuseeme

ip inspect name firewall h323

ip inspect name firewall rcmd

ip inspect name firewall realaudio

ip inspect name firewall streamworks

ip inspect name firewall vdolive

ip inspect name firewall sqlnet

ip inspect name firewall tftp

ip inspect name firewall ftp

ip inspect name firewall icmp

ip inspect name firewall sip

ip inspect name firewall esmtp max-data 52428800

ip inspect name firewall fragment maximum 256 timeout 1

ip inspect name firewall netshow

ip inspect name firewall rtsp

ip inspect name firewall pptp

ip inspect name firewall skinny

ip ddns update method no-ip

HTTP

  add http://xxxxxx/password%40dynupdate.no-ip.com/nic/update%3FURL.no-ip.org=<h>&myip=<a>

interval maximum 0 0 5 0

!

login block-for 30 attempts 3 within 15

login delay 3

login on-failure log

no ipv6 cef

!

multilink bundle-name authenticated

!

!

username admin privilege 15 secret 5 $1$xZ7X$IXrtcnY1U7wU32eT1inUW4jY0

!

!

archive

log config

  hidekeys

path flash:config

write-memory

!

!

ip tcp selective-ack

ip tcp timestamp

!

bridge irb

!

!

interface ATM0

no ip address

no atm ilmi-keepalive

!

interface ATM0.1 point-to-point

pvc 8/35

  pppoe-client dial-pool-number 1

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Dot11Radio0

no ip address

!

encryption vlan 1 mode ciphers aes-ccm

!

broadcast-key vlan 1 change 30

!

!

ssid WLAN1

!

mbssid

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

station-role root

!

interface Dot11Radio0.1

encapsulation dot1Q 1 native

no cdp enable

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 spanning-disabled

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

!

interface Vlan1

no ip address

bridge-group 1

bridge-group 1 spanning-disabled

!

interface Dialer0

ip ddns update hostname URL.no-ip.org

ip ddns update no-ip

ip address negotiated

no ip redirects

no ip unreachables

ip mtu 1492

ip nat outside

ip inspect firewall out

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer-group 1

no cdp enable

ppp pap sent-username xxxxxxxxx password 7 11184efc05D52101D1E

ppp ipcp dns request

ppp ipcp route default

!

interface Dialer1

no ip address

ip nbar protocol-discovery

!

interface BVI1

ip address 192.168.1.254 255.255.255.0

ip access-group 102 in

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

!

!

ip nat inside source list 1 interface Dialer0 overload

ip nat inside source static tcp 192.168.1.10 8080 interface Dialer0 9595

!

!

logging trap warnings

access-list 1 remark The local LAN.

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 2 remark Where management can be done from.

access-list 2 permit 192.168.1.0 0.0.0.255

access-list 101 remark Traffic allowed to enter the router from the Internet

access-list 101 deny   ip 0.0.0.0 0.255.255.255 any

access-list 101 deny   ip 10.0.0.0 0.255.255.255 any

access-list 101 deny   ip 127.0.0.0 0.255.255.255 any

access-list 101 deny   ip 169.254.0.0 0.0.255.255 any

access-list 101 deny   ip 172.16.0.0 0.15.255.255 any

access-list 101 deny   ip 192.0.2.0 0.0.0.255 any

access-list 101 deny   ip 192.168.0.0 0.0.255.255 any

access-list 101 deny   ip 198.18.0.0 0.1.255.255 any

access-list 101 deny   ip 224.0.0.0 0.15.255.255 any

access-list 101 deny   ip any host 255.255.255.255

access-list 101 permit tcp any any eq 1723

access-list 101 permit gre any any

access-list 101 permit tcp any any eq 22

access-list 101 permit tcp any any eq telnet

access-list 101 permit tcp any any eq domain

access-list 101 permit udp any any eq domain

access-list 101 deny   icmp any any echo

access-list 101 deny   ip any any log

access-list 102 remark Traffic allowed to enter the router from the Ethernet

access-list 102 permit ip any host 192.168.1.254

access-list 102 deny   ip any host 192.168.1.255

access-list 102 deny   udp any any eq tftp log

access-list 102 deny   ip any 0.0.0.0 0.255.255.255 log

access-list 102 deny   ip any 10.0.0.0 0.255.255.255 log

access-list 102 deny   ip any 127.0.0.0 0.255.255.255 log

access-list 102 deny   ip any 169.254.0.0 0.0.255.255 log

access-list 102 deny   ip any 172.16.0.0 0.15.255.255 log

access-list 102 deny   ip any 192.0.2.0 0.0.0.255 log

access-list 102 deny   ip any 192.168.0.0 0.0.255.255 log

access-list 102 deny   ip any 198.18.0.0 0.1.255.255 log

access-list 102 deny   udp any any eq 135 log

access-list 102 deny   tcp any any eq 135 log

access-list 102 deny   udp any any eq netbios-ns log

access-list 102 deny   udp any any eq netbios-dgm log

access-list 102 deny   tcp any any eq 445 log

access-list 102 permit tcp any any eq domain

access-list 102 permit udp any any eq domain

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

access-list 102 permit ip any host 255.255.255.255

access-list 102 deny   ip any any log

dialer-list 1 protocol ip permit

no cdp run

!

!

!

control-plane

!

bridge 1 route ip

!

line con 0

no modem enable

line aux 0

line vty 0 4

access-class 2 in

login local

transport input telnet ssh

!

scheduler max-task-time 5000

end

Thank you !!


jimmysands73_2
Level 5

I am on the way out the door myself....but I noticed you have an ACL on your interface, and I do not see any lines that allow smtp traffic.  At the end of any ACL there is an implicit deny all. 

I would take the ACL off to confirm, and if it does work, put the acl back on then modify the config to allow smtp traffic. 

You have an ACL 101, but I do not see it on any interface.

Add:

access-list 102 permit tcp any any eq smtp

See:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml

Good luck, let us know if that worked!

I added the line to the access list, but no luck. The debug shows me the below messages:

*Mar  1 09:12:00.543: IP: s=192.168.1.10 (BVI1), d=192.168.1.254, len 60, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Mar  1 09:12:00.543: IP: s=192.168.1.10 (BVI1), d=192.168.1.254, len 60, input feature, TCP Adjust MSS(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Mar  1 09:12:00.547: IP: tableid=0, s=192.168.1.10 (BVI1), d=192.168.1.254 (BVI1), routed via RIB

*Mar  1 09:12:00.547: IP: s=192.168.1.10 (BVI1), d=192.168.1.254 (BVI1), len 60, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Mar  1 09:12:00.547: IP: s=192.168.1.10 (BVI1), d=192.168.1.254 (BVI1), len 60, output feature, Stateful Inspection(20), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Mar  1 09:12:00.547: IP: s=192.168.1.10 (BVI1), d=192.168.1.254 (BVI1), len 60, rcvd 3

*Mar  1 09:12:00.547: IP: s=192.168.1.10 (BVI1), d=192.168.1.254, len 60, stop process pak for forus packet

*Mar  1 09:12:00.547: IP: s=192.168.1.10 (BVI1), d=192.168.1.254, len 60, enqueue feature, Firewall(3), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Mar  1 09:12:00.547: IP: s=192.168.1.10 (BVI1), d=192.168.1.254, len 60, enqueue feature, TCP Adjust MSS(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Mar  1 09:12:00.567: IP: s=192.168.1.10 (BVI1), d=192.168.1.254, len 60, input feature, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Mar  1 09:12:00.567: IP: s=192.168.1.10 (BVI1), d=192.168.1.254, len 60, input feature, Virtual Fragment Reassembly(21), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Mar  1 09:12:00.567: IP: s=192.168.1.10 (BVI1), d=192.168.1.254, len 60, input feature, Access List(26), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

*Mar  1 09:12:00.567: IP: s=192.168.1.10 (BVI1), d=192.168.1.254, len 60, input feature, Virtual Fragment Reassembly After IPSec Decryption(32), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE

I would try to remove the acl on the bvi interface and remove the cbac config from the dialer and test again. If this works, put cbac back on and test. If it still works and then the problem returns after putting the acl back on the bvi, then the problem is obviously in the acl...we'll just need to find where it's at.

HTH,

John


I also assumed all other network related functions work, the only problem is with your email right?

I just tried to resolve smtp.google.com, it would not resolve.

No match for domain "SMTP.GOOGLE.COM".

C:\Documents and Settings\jimmy>nslookup

Default Server:  cdns2.cox.net
Address:  68.105.28.12

> gmail.smtp.com
Server:  cdns2.cox.net
Address:  68.105.28.12

Non-authoritative answer:
Name:    gmail.smtp.com
Address:  72.215.225.9

> smtp.google.com
Server:  cdns2.cox.net
Address:  68.105.28.12

*** cdns2.cox.net can't find smtp.google.com: Non-existent domain


Perhaps testing with smtp.google.com is not recommended as they use smtp.gmail.com (from what I have read this morning), I do not use that server myself.

http://support.google.com/mail/bin/answer.py?hl=en&answer=13287


C:\Documents and Settings\jimmy>ping smtp.gmail.com

Pinging gmail-smtp-msa.l.google.com [173.194.77.108] with 32 bytes of data:

Reply from 173.194.77.108: bytes=32 time=70ms TTL=47
Reply from 173.194.77.108: bytes=32 time=70ms TTL=47

Ping statistics for 173.194.77.108:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 70ms, Maximum = 70ms, Average = 70ms
Control-C
^C
C:\Documents and Settings\jimmy>ping smtp.google.com
Ping request could not find host smtp.google.com. Please check the name and try
again.

So before we say your SMTP isn't working, let's test with a known good server, which you might have already, but want to be sure. And also confirm all other network functions work (can you browse from pc)?

Hi All,

I have the same problem that egeorgopoulos faced.

I have tried all the things except reverse DNS, because in my other mail server there is no reverse DNS setup although it's working properly.

But in this particular mail server (we have put a backup server in our scenario), we have used a router and switch only (no firewall).

But from mail server the command,

telnet smtp-gmail-in.l.google.com 25

which is not getting connected....that is the main problem; due to this I am not able to send any mail towards outside domains.

When I tried the traceroute command from the mail server,

traceroute -n -T -p 25 gmail-smtp-in.l.google.com

it just does not go beyond the gateway of my public IP address.

 

CAN ANYONE HELP ME OUT....

THANKS IN ADVANCE....

I tried the way you mentioned, but again I couldn't send any email through the device. It's really weird, while this device was tested on another network and was able to send emails successfully. So, there should be something else with the config. Do you want me to send you any specific debug log?

Hi,

The symptoms you've just described might not be a network/router config related issue. Try to check if your MX server has a reverse DNS entry or if it's blacklisted.


Does all other networking function work?

Are you trying with smtp.google.com as you previously said you were?  While I do not use google/gmail, smtp.google.com should never work because it does not resolve.

> smtp.google.com
Server: cdns2.cox.net
Address: 68.105.28.12

*** cdns2.cox.net can't find smtp.google.com: Non-existent domain

No specific debug yet. Temporarily, take the ACL off the bvi interface and test. Don't forget to reapply after your test. If it still does not work, it's a client configuration. If it does work, the issue is in your acl.

I tried the SMTP server you said (gmail-smtp-msa.l.google.com), but couldn't send any mails. I may have to check the configuration of the client, by trying other SMTP servers.

No, I just said that it appears if you are testing with smtp.google.com, that might be a bad way to test as that name does not resolve.  Just want to make sure we understand each other.  So first I would verify with a known good smtp server, and if that does not work (and you do have network connectivity) then temporarily disable the ACL.

You can telnet port 25 also by this:

On a DOS box try:

telnet smtp.gmail.com 25

I was able to see this ( I did connect to port 25 however ):

220 mx.google.com ESMTP nv6sm3644843pbc.42

502 5.5.1 Unrecognized command. nv6sm3644843pbc.42

502 5.5.1 Unrecognized command. nv6sm3644843pbc.42

Also you could verify your ISP is not blocking port 25, some do.

Good luck
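To see which entry of ACL 102 an outbound SMTP packet from 192.168.1.10 actually hits, the router's first-match evaluation can be reproduced offline. This is an added example, not part of the original thread: `take_addr` and `first_match` are hypothetical helper names, the port-name table covers only the names used in ACL 102, and 173.194.77.108 is the address smtp.gmail.com resolved to in the ping output above.

```python
import ipaddress

# ACL 102 entries as posted in the router configuration above (remark omitted).
ACL_102 = """permit ip any host 192.168.1.254
deny ip any host 192.168.1.255
deny udp any any eq tftp log
deny ip any 0.0.0.0 0.255.255.255 log
deny ip any 10.0.0.0 0.255.255.255 log
deny ip any 127.0.0.0 0.255.255.255 log
deny ip any 169.254.0.0 0.0.255.255 log
deny ip any 172.16.0.0 0.15.255.255 log
deny ip any 192.0.2.0 0.0.0.255 log
deny ip any 192.168.0.0 0.0.255.255 log
deny ip any 198.18.0.0 0.1.255.255 log
deny udp any any eq 135 log
deny tcp any any eq 135 log
deny udp any any eq netbios-ns log
deny udp any any eq netbios-dgm log
deny tcp any any eq 445 log
permit tcp any any eq domain
permit udp any any eq domain
permit ip 192.168.1.0 0.0.0.255 any
permit ip any host 255.255.255.255
deny ip any any log""".splitlines()
PORTS = {"tftp": 69, "domain": 53, "netbios-ns": 137, "netbios-dgm": 138, "smtp": 25}

def take_addr(tok):
    """Pop one address spec (any | host A | A WILDCARD) -> (base, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(first := tok.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0)))

def first_match(acl, proto, src, dst, dport):
    """Return (1-based index, entry) of the first entry the packet matches."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for n, entry in enumerate(acl, 1):
        tok = entry.split()
        action, ace_proto = tok.pop(0), tok.pop(0)
        (sb, sw), (db, dw) = take_addr(tok), take_addr(tok)
        port = (PORTS.get(tok[1]) or int(tok[1])) if tok[:1] == ["eq"] else None
        # Wildcard mask: bits set to 1 are ignored when comparing addresses.
        if (ace_proto in ("ip", proto)
                and not (s ^ sb) & ~sw & 0xFFFFFFFF
                and not (d ^ db) & ~dw & 0xFFFFFFFF
                and port in (None, dport)):
            return n, entry
    return None, "implicit deny"
```

For `first_match(ACL_102, "tcp", "192.168.1.10", "173.194.77.108", 25)` the result is entry 19, `permit ip 192.168.1.0 0.0.0.255 any`. On IOS a line entered later with `access-list 102 ...` is appended after `deny ip any any log`, so evaluating `ACL_102 + ["permit tcp any any eq smtp"]` gives the same result.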
