Mail Guard problem with 6.3.1

jdepies
Level 1

Hello,

I am running 6.3.1 on my 515 unit. Have had very few problems with the new PIX SW version.

I just added a second mail server behind the PIX, created the necessary static mappings and conduit entries, but e-mail cannot get through the pix to this new smtp server.

E-mail on the old smtp server works fine (which is configured the same as the new one).

I try telnetting to the SMTP service from inside the firewall to the new server, and that works fine, thus ruling out that it's something wrong with the server.

I try a telnet from outside the firewall to the external IP for the SMTP server, and I get the usual Mail Guard XXXs, but I cannot get past the helo command:

220 *****************************************************0*2******2***********************

*200*****2******0*00

250 vaa.vaa.int Hello [206.55.154.139]

when I type in the:

mail from:email_address

I never receive a response from the server.

When I turn Mail Guard off, I can telnet in fine to the new SMTP server, and receive e-mail fine from outside the firewall.

I have confirmed DNS is correct for this domain, and I can receive e-mail fine on the new SMTP server from inside the firewall, but all Internet e-mail is failing. Please advise.

Thanks

Jeff

10 Replies

jmia
Level 7

Hi Jeff -

Can you post your config please? Also, if you have your mail servers on the inside, have you got 'fixup protocol smtp 25'? From memory, certain configs of MS Exchange server require the use of commands not allowed by MailGuard; in this scenario MailGuard must be disabled using the 'no fixup protocol smtp 25' command. Please remember to exclude real IPs and passwords etc.

Thanks -

PIX Version 6.3(1)
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list nonat permit ip x.x.0.0 255.255.0.0 x.x.x.0 255.255.255.0
access-list nonat permit ip x.x.0.0 255.255.0.0 x.x.x.0 255.255.255.0
ip address outside x.x.x.194 255.255.255.224
ip address inside x.x.x.100 255.255.255.0
global (outside) 1 x.x.x.195 netmask 255.255.255.255
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.196 x.x.x.1 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.200 x.x.x.3 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.201 x.x.x.10 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.202 x.x.x.16 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.203 x.x.x.41 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.204 x.x.x.42 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.205 x.x.x.144 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.206 x.x.x.8 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.207 x.x.x.17 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.208 x.x.x.249 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.209 x.x.x.253 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.210 x.x.x.19 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.211 x.x.x.4 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.212 x.x.x.24 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.215 x.x.x.126 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit icmp any any echo-reply
conduit deny ip any host 64.81.37.17
conduit permit tcp host x.x.x.200 eq smtp any
conduit permit tcp host x.x.x.200 eq www any
conduit permit tcp host x.x.x.200 eq https any
conduit permit tcp host x.x.x.201 eq www any
conduit permit tcp host x.x.x.204 eq www any
conduit permit tcp host x.x.x.203 eq www any
conduit permit tcp host x.x.x.202 eq domain any
conduit permit tcp host x.x.x.203 eq ftp host 208.57.14.139
conduit permit udp host x.x.x.205 eq tftp any
conduit permit udp host x.x.x.202 eq domain any
conduit permit tcp host x.x.x.206 eq domain any
conduit permit udp host x.x.x.206 eq domain any
conduit permit tcp host x.x.x.196 eq telnet 65.112.165.128 255.255.255.224
conduit permit tcp host x.x.x.201 eq 8000 any
conduit permit tcp host x.x.x.206 eq ftp any
conduit permit tcp host x.x.x.207 eq www any
conduit permit tcp host x.x.x.208 eq www any
conduit permit tcp host x.x.x.210 eq www any
conduit permit tcp host x.x.x.209 eq smtp any
conduit permit tcp host x.x.x.209 eq www any
conduit permit tcp host x.x.x.200 eq 8098 host 66.37.198.206
conduit permit tcp host x.x.x.211 eq smtp any
conduit permit tcp host x.x.x.212 eq www any
conduit permit tcp host x.x.x.207 eq ftp any
conduit permit tcp host x.x.x.215 eq www any
conduit permit tcp host x.x.x.215 eq https any
conduit permit tcp host x.x.x.215 eq smtp any
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1

My three other SMTP servers all work fine.

The new server is the 215->126 static mapping.
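The checks jmia asked for above (is there a static for the new server, does a conduit open port 25 to its global address, and is 'fixup protocol smtp 25' in effect) can be done mechanically against a saved PIX 6.x config. The script below is an added example and is not from this thread or from Cisco; it parses only the three statement forms shown in Jeff's config (static, conduit permit tcp ... eq smtp, fixup protocol smtp) and ignores everything else. SAMPLE_CONFIG is a constructed excerpt that keeps the x.x.x placeholders and adds one conduit (x.x.x.216) with no matching static, to show how a dead conduit is reported; the function and field names are this example's own.

```python
import re

# Constructed excerpt in the shape of the posted config (x.x.x placeholders kept).
# x.x.x.216 has a conduit but no static, so traffic to it can never be translated.
SAMPLE_CONFIG = """\
fixup protocol smtp 25
static (inside,outside) x.x.x.200 x.x.x.3 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.209 x.x.x.253 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.211 x.x.x.4 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.215 x.x.x.126 netmask 255.255.255.255 0 0
conduit permit tcp host x.x.x.200 eq smtp any
conduit permit tcp host x.x.x.209 eq smtp any
conduit permit tcp host x.x.x.211 eq smtp any
conduit permit tcp host x.x.x.215 eq smtp any
conduit permit tcp host x.x.x.216 eq smtp any
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask")
# conduit syntax: the host after 'host' is the GLOBAL (outside) address, then the port, then the source.
CONDUIT_RE = re.compile(r"^conduit permit tcp host (\S+) eq (?:smtp|25) (.+)$")
FIXUP_RE = re.compile(r"^(no )?fixup protocol smtp (\d+)$")


def audit_smtp_exposure(config_text):
    """Cross-reference SMTP conduits with statics and the Mail Guard fixup.

    Returns (mailguard_ports, findings). findings holds one dict per SMTP
    conduit: the global address, the real (inside) address its static maps to
    (None when no static exists, i.e. the conduit is dead), the permitted
    source, and whether Mail Guard inspects port 25 for that flow.
    Later statements win, so a trailing 'no fixup protocol smtp 25' turns
    Mail Guard off exactly as it would on the box.
    """
    statics = {}           # global -> (real, (inside_if, outside_if))
    mailguard_ports = set()
    conduits = []
    for line in config_text.splitlines():
        line = line.strip()
        m = STATIC_RE.match(line)
        if m:
            inside_if, outside_if, global_ip, real_ip = m.groups()
            statics[global_ip] = (real_ip, (inside_if, outside_if))
            continue
        m = FIXUP_RE.match(line)
        if m:
            port = int(m.group(2))
            if m.group(1):          # 'no fixup ...' removes inspection
                mailguard_ports.discard(port)
            else:
                mailguard_ports.add(port)
            continue
        m = CONDUIT_RE.match(line)
        if m:
            conduits.append(m.groups())

    findings = []
    for global_ip, source in conduits:
        mapping = statics.get(global_ip)
        findings.append({
            "global": global_ip,
            "real": mapping[0] if mapping else None,
            "source": source,
            "mailguard": 25 in mailguard_ports,
        })
    return mailguard_ports, findings


def dead_conduits(findings):
    """Global addresses that have an SMTP conduit but no static to translate them."""
    return sorted(f["global"] for f in findings if f["real"] is None)


if __name__ == "__main__":
    ports, found = audit_smtp_exposure(SAMPLE_CONFIG)
    print("Mail Guard on ports:", sorted(ports) or "none")
    for f in found:
        print(f"{f['global']:>12} -> {f['real'] or 'NO STATIC':<12} from {f['source']}"
              f"  mailguard={f['mailguard']}")
    print("dead conduits:", dead_conduits(found))
```

Run it against the real saved config rather than the excerpt; for the config posted above it reports x.x.x.215 -> x.x.x.126 with Mail Guard on, which is why the next replies move from translation to the fixup itself.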

Jeff -

After you created the new static did you do a 'clear xlate' ?

I am able to connect to the web services on this server through the same static mapping, so I don't think it's a translation issue.

But just in case, I did the clear xlate command, and that did not fix the problem.

thanks

Jeff

Okay Jeff,

What happens when you place 'no fixup protocol smtp 25'? Do you still have the problem?

I have cut and pasted from my original post:

"When I turn mailguard off, I can telnet in fine to the new smtp server, and receive e-mail fine from outside the firewall."

Just so you know, Mail Guard is the 'fixup protocol smtp 25' command.

Thanks

Jeff

mostiguy
Level 6

One of the things Mail Guard does is block all responses to the clients, IIRC. So telnetting for diagnostics is tough. Mail Guard also doesn't play nice with MS's ESMTP implementations, but you provided no clues as to what you are using for an SMTP daemon.

I agree, echo-less telnet is very tough. I am running Exchange for all 4 of my mail servers. All the same version, all the same OS and all the same service pack level for both Exchange and the OS.

Since I can telnet fine from the inside of the PIX to the new server, it's safe to say the firewall is the culprit.

Thanks

Jeff

Hi Jeff -

Yes, I'm aware that the MailGuard command is 'no fixup protocol smtp 25'. The reason I was asking is that I also have around 10 mail servers running MS Exchange with all the OS patches applied on the inside, but have the 'no fixup' command applied for smtp 25 and all works fine. As I mentioned in my first post, there are known problems with MailGuard and MS Exchange setups. I did have a very good document on this but cannot find it at the moment to post to you; when I do, I'll post it.

Thanks --

You CAN run Fixup for SMTP with Exchange. You just can't speak any of the extended SMTP commands such as AUTH. Besides, telnetting to port 25 for testing is a great way to go and has nothing to do with whether or not Exchange runs ESMTP or whether the PIX supports ESMTP.

You can't do "mail from:" until you "helo". To correctly "helo" through Fixup for SMTP, you must use the helo command followed by a host name.

helo host.domain.com
mail from: me@me.com
rcpt to: you@yourdomain.com
data
Mail stuff
.
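Because Mail Guard masks the banner and returns nothing useful for rejected commands, the hand-typed telnet session above is hard to read. The script below is an added example, not code from this thread or from Cisco: it automates the same HELO / MAIL FROM / RCPT TO walk over a socket, tries EHLO first and falls back to HELO when a 5xx comes back (the behaviour a real MTA shows behind Mail Guard), and records a step as None when the peer goes silent, which is the exact symptom Jeff describes after "mail from:". To make it runnable offline it also includes a constructed stand-in for a server behind Mail Guard; that stand-in is an approximation (banner text replaced by asterisks, only the seven RFC 821 commands answered, 500 for anything else), not a PIX, and the MAILGUARD_ALLOWED set, the function names and the example host names are this example's own. For a real test, open a TCP socket to the mail server's external address on port 25 and pass it to probe().

```python
import socket
import threading

# The minimum RFC 821 command set PIX Mail Guard permits; everything else is rejected.
MAILGUARD_ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def read_reply(rfile):
    """Read one SMTP reply, including '250-' continuation lines.

    Returns (code, lines). code is None when the peer sent nothing before the
    socket timeout fired, or closed the connection without answering.
    """
    lines = []
    while True:
        try:
            raw = rfile.readline()
        except socket.timeout:
            return None, lines
        if not raw:
            return None, lines
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            break
    try:
        return int(lines[-1][:3]), lines
    except ValueError:
        return None, lines


def probe(sock, helo_name, mail_from, rcpt_to, timeout=5.0):
    """Walk banner -> EHLO/HELO -> MAIL -> RCPT -> RSET -> QUIT and record each reply code."""
    sock.settimeout(timeout)
    rfile = sock.makefile("rb")
    result = {"banner_masked": False, "esmtp": False, "steps": []}

    def send(cmd):
        sock.sendall((cmd + "\r\n").encode("ascii"))
        code, _ = read_reply(rfile)
        result["steps"].append((cmd.split()[0].upper(), code))
        return code

    code, lines = read_reply(rfile)
    result["steps"].append(("BANNER", code))
    if code != 220:
        return result
    # Mail Guard keeps the 220 but replaces the banner text with asterisks.
    result["banner_masked"] = "*" in lines[-1]

    # Try ESMTP first; a command-filtering device answers EHLO with 5xx, so fall back to HELO.
    if send("EHLO " + helo_name) == 250:
        result["esmtp"] = True
    elif send("HELO " + helo_name) != 250:
        return result

    for cmd in ("MAIL FROM:<%s>" % mail_from, "RCPT TO:<%s>" % rcpt_to, "RSET"):
        if send(cmd) is None:
            return result      # peer went silent: stop instead of hanging on later steps
    send("QUIT")
    return result


def simulated_mailguard(sock, drop_mail=False):
    """Constructed stand-in for a mail server behind Mail Guard (assumption: not a real PIX).

    With drop_mail=True the MAIL command is swallowed without a reply, reproducing
    the 'no response after mail from:' failure from the thread.
    """
    rfile = sock.makefile("rb")
    banner = "mail.example.test ESMTP ready"          # example host name, not from the thread
    masked = "".join(c if c.isdigit() else "*" for c in banner)
    sock.sendall(("220 " + masked + "\r\n").encode("ascii"))
    while True:
        raw = rfile.readline()
        if not raw:
            break
        words = raw.decode("ascii", "replace").split()
        verb = words[0].upper() if words else ""
        if verb not in MAILGUARD_ALLOWED:
            reply = "500 Syntax error, command unrecognized"
        elif verb == "HELO":
            reply = "250 mail.example.test Hello"
        elif verb == "MAIL" and drop_mail:
            continue                                   # swallow it: the client only sees a timeout
        elif verb == "QUIT":
            sock.sendall(b"221 Bye\r\n")
            break
        else:
            reply = "250 OK"
        sock.sendall((reply + "\r\n").encode("ascii"))
    sock.close()


def run_probe(drop_mail=False, timeout=5.0):
    """Run probe() against the in-process stand-in over a socketpair."""
    client, server = socket.socketpair()
    threading.Thread(target=simulated_mailguard, args=(server, drop_mail), daemon=True).start()
    try:
        return probe(client, "probe.example.test", "me@example.test", "you@example.test", timeout)
    finally:
        client.close()


if __name__ == "__main__":
    print("healthy:", run_probe())
    print("silent after MAIL:", run_probe(drop_mail=True, timeout=1.0))
```

In the healthy run the step list shows EHLO rejected with 500 and HELO, MAIL, RCPT, RSET, QUIT all answered; in the drop run MAIL comes back as None and the probe stops there, which is the result to compare against the same probe run from the inside interface.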
