Re: double SMTP translation

csulok · ‎11-28-2003

Hi!

On the following picture you can see the actual constellation of the mail publishing.

http://www.olivetti.hu/csulok/smtp.jpg

The smtp fixup is switched off on pix.

If I telnet from outside LAN onto the port 25 of IP 172.16.1.1 I get the Exchange prompt and with the SMTP commands I'm able to send mail for myself.

But any other mail server is not able to send a mail for the Exchange2000 server. The outside IP address is registered as an MX record at the ISP.

If I remove the pix and make the ISA the only firewall (I piblish the 10.0.0.1 port 25 to 172.16.1.1) the the mail traffic goes well.

So the interesting thing is: telnet connection can be estabilished with the exchange 2000 through the pix but something beside this is wrong...

What can be the problem with this double address publishing/translation?

alan.morris · ‎12-01-2003

Not sure if I can help but we also use a pix using PAT on the outside of an ISA server configured in integrated mode.

I tried looking at your picture but couldn't access it. If you can provide further detail will see if we can help.

Rgds,

gsebk · ‎12-01-2003

Sorry, the correct address is:

http://www.getronics.hu/csulok/smtp.jpg

Bye!

Csülök

alan.morris · ‎12-02-2003

I would suspect ISA in this case, What is the error that is generated when the error occurs. Have you looked at the exchange smtp virtual server log? Have you looked in the ISA server logs?

We run the pix with fixup smtp - although I believe that this disables ESMTP.

kholford · ‎12-02-2003

I'm having a similar problem, but not with Exchange. I'm trying to replace a Raptor Firewall with a PIX. As soon as I put the PIX in, Web browsing works ok, but incoming and outgoing Internet e-mail does not. (We are using GroupWise.) The errors on my Mail server show the server attempting to send out the message but then says "Host down at microsoft.com" or whatever site you are trying to send to. The Mail server does not even receive any incoming mail.

When you say that your ISP has an MX record for your outside address, do you mean the outside interface of your PIX or the outside address for your Mail server?

gsebk · ‎12-02-2003

Of course the outside address of the PIX.

Meanwhile the problem has been solved. I don't know why it works now but it works. I have reentered the whole config on the PIX and it works. Befor this I used the clear xlate but didn't help.

Anyway there were not any error log on the Exchange server, simple the mails from outside couldn't get in through the PIX. From inside the mails could get through the PIX.

For the Exchange I can tell you that it does not work with smtp fixup - the Microsoft's recommendation tells that it should be disabled. If you enable it, the answer for a simple HELLO smtp command will be "500 5.3.3 Unrecognized command" that is ridiculous because the PIX' smtp fixup handles this basic command. Anyway if you enter the MAIL FROM command (telnetting the PIX outside port 25) tha answer is "Recognized command but say HELLO first" or something like that.

kholford · ‎12-02-2003

I think I just found my mistake. I forgot to change the default gateway on my mail server when I put in the new PIX. Dumb, dumb, dumb...