06-16-2003 01:33 PM - edited 03-09-2019 03:41 AM
Hello,
I am running 6.3.1 on my 515 unit. Have had very few problems with the new PIX SW ver.
I just added a second mail server behind the PIX, created the necessary static mappings and conduit entries, but e-mail cannot get through the PIX to this new SMTP server.
E-mail on the old SMTP server works fine (which is configured the same as the new one).
I try telnetting to the SMTP service from inside the firewall to the new server, and that works fine, thus ruling out that it's something wrong with the server.
I try a telnet from outside the firewall to the ext. IP for the SMTP server, and I get the usual Mail Guard XXXs, but I cannot get past the helo command:
220 *****************************************************0*2******2***********************
*200*****2******0*00
250 vaa.vaa.int Hello [206.55.154.139]
when I type in the:
mail from:email_address
I never receive a response from the server.
When I turn mailguard off, I can telnet in fine to the new smtp server, and receive e-mail fine from outside the firewall.
I have confirmed DNS is correct for this domain, and I can receive e-mail fine to the new smtp server from inside the firewall, but all internet e-mail is failing. Please advise.
Thanks
Jeff
06-16-2003 01:42 PM
Hi Jeff -
Can you post your config please? Also, if you have your mail servers on the inside, have you got 'fixup protocol smtp 25'? From memory, certain configs of MS Exchange server require the use of cmds not allowed by MailGuard; in this scenario MailGuard must be disabled using the 'no fixup protocol smtp 25' cmd. Please remember to exclude real IPs and passwords etc.
Thanks -
06-16-2003 01:55 PM
PIX Version 6.3(1)
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol ils 389
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
access-list nonat permit ip x.x.0.0 255.255.0.0 x.x.x.0 255.255.255.0
access-list nonat permit ip x.x.0.0 255.255.0.0 x.x.x.0 255.255.255.0
ip address outside x.x.x.194 255.255.255.224
ip address inside x.x.x.100 255.255.255.0
global (outside) 1 x.x.x.195 netmask 255.255.255.255
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.196 x.x.x.1 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.200 x.x.x.3 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.201 x.x.x.10 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.202 x.x.x.16 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.203 x.x.x.41 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.204 x.x.x.42 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.205 x.x.x.144 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.206 x.x.x.8 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.207 x.x.x.17 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.208 x.x.x.249 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.209 x.x.x.253 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.210 x.x.x.19 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.211 x.x.x.4 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.212 x.x.x.24 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.215 x.x.x.126 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit icmp any any echo-reply
conduit deny ip any host 64.81.37.17
conduit permit tcp host x.x.x.200 eq smtp any
conduit permit tcp host x.x.x.200 eq www any
conduit permit tcp host x.x.x.200 eq https any
conduit permit tcp host x.x.x.201 eq www any
conduit permit tcp host x.x.x.204 eq www any
conduit permit tcp host x.x.x.203 eq www any
conduit permit tcp host x.x.x.202 eq domain any
conduit permit tcp host x.x.x.203 eq ftp host 208.57.14.139
conduit permit udp host x.x.x.205 eq tftp any
conduit permit udp host x.x.x.202 eq domain any
conduit permit tcp host x.x.x.206 eq domain any
conduit permit udp host x.x.x.206 eq domain any
conduit permit tcp host x.x.x.196 eq telnet 65.112.165.128 255.255.255.224
conduit permit tcp host x.x.x.201 eq 8000 any
conduit permit tcp host x.x.x.206 eq ftp any
conduit permit tcp host x.x.x.207 eq www any
conduit permit tcp host x.x.x.208 eq www any
conduit permit tcp host x.x.x.210 eq www any
conduit permit tcp host x.x.x.209 eq smtp any
conduit permit tcp host x.x.x.209 eq www any
conduit permit tcp host x.x.x.200 eq 8098 host 66.37.198.206
conduit permit tcp host x.x.x.211 eq smtp any
conduit permit tcp host x.x.x.212 eq www any
conduit permit tcp host x.x.x.207 eq ftp any
conduit permit tcp host x.x.x.215 eq www any
conduit permit tcp host x.x.x.215 eq https any
conduit permit tcp host x.x.x.215 eq smtp any
route outside 0.0.0.0 0.0.0.0 x.x.x.193 1
My three other SMTP servers all work fine.
The new server is the 215->126 static mapping.
06-16-2003 02:01 PM
Jeff -
After you created the new static did you do a 'clear xlate' ?
06-16-2003 02:08 PM
I am able to connect to the web services on this server through the same static mapping, so I don't think it's a translation issue.
But just in case, I did the clear xlate command, and that did not fix the problem.
thanks
Jeff
06-16-2003 02:14 PM
Okay Jeff,
What happens when you place 'no fixup protocol smtp 25'? Do you still have the problem?
06-16-2003 02:29 PM
I have cut and pasted from my original post:
"When I turn mailguard off, I can telnet in fine to the new smtp server, and receive e-mail fine from outside the firewall."
Just so you know - Mailguard is the FixUp Protocol SMTP 25 command.
Thanks
Jeff
06-16-2003 06:04 PM
One of the things mail guard does is block all responses to the clients, IIRC. So telnetting for diagnostics is tough. mailguard also doesn't play nice with MS's ESMTP implementations, but you provided no clues as to what you are using for an smtp daemon
06-16-2003 07:39 PM
I agree, echo-less telnet is very tough. I am running Exch for all 4 of my mail servers. All the same version, all the same OS and all the same service pack level for both exch and the OS.
Since I can telnet fine from the inside of the PIX to the new server, it's safe to say the firewall is the culprit.
Thanks
Jeff
06-17-2003 12:30 AM
Hi Jeff -
Yes, I'm aware that the MailGuard cmd is 'no fixup protocol smtp 25'. The reason I was asking is I also have around 10 mail servers running MS Exch, with all the OS patches applied, on the inside, but have the 'no fixup' cmd applied for smtp 25 and all works fine. As I mentioned in my first post, there are known problems with MailGuard and MS Exch setups. I did have a very good document on this but cannot find it at the moment to post to you; when I do, I'll post it.
Thanks --
06-17-2003 05:05 AM
You CAN run Fixup for SMTP with Exchange. You just can't speak any of the extended SMTP commands such as AUTH. Besides, telnetting to port 25 for testing is a great way to go and has nothing to do with whether or not Exchange runs ESMTP or whether the PIX supports ESMTP.
You can't do "mail from:" until you "helo". To correctly "helo" through Fixup for SMTP, you must use the helo command followed by a host name.
helo host.domain.com
mail from: me@me.com
rcpt to: you@yourdomain.com
data
Mail stuff
.
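A small SMTP probe, written for this thread rather than taken from any of the posts, that follows the last reply's advice: it sends HELO with a host name first and uses only the minimal RFC 821 verbs that the SMTP fixup lets through (the seven-verb set is the fixup's documented behaviour, assumed here), reads the masked banner by its 220 code alone, and treats a missing reply as the failure the original poster saw. The session driver works over abstract I/O so it can be exercised offline against constructed replies; the socket wrapper and all host names and addresses are placeholders.

```python
import io
import socket

# The minimal RFC 821 verbs; anything else (EHLO, AUTH, STARTTLS, ...) is what the thread calls "extended SMTP".
MINIMAL_VERBS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def read_reply(rfile):
    """Read one SMTP reply, following 'NNN-' continuation lines. Returns (code, text_lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            # No response at all is the symptom in the thread: the inspection engine dropped it.
            raise ConnectionError("peer sent no reply")
        line = raw.decode("latin-1").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed reply: {line!r}")
        lines.append(line[4:])
        if len(line) == 3 or line[3] != "-":
            return int(line[:3]), lines


def envelope_commands(helo_name, mail_from, rcpt_to):
    """Build the command sequence, insisting on a HELO argument and on the minimal verb set."""
    if not helo_name:
        raise ValueError("HELO requires a host name")
    cmds = [f"HELO {helo_name}", f"MAIL FROM:<{mail_from}>", f"RCPT TO:<{rcpt_to}>", "QUIT"]
    assert all(c.split()[0] in MINIMAL_VERBS for c in cmds)
    return cmds


def run_session(rfile, send, cmds):
    """Drive the exchange over abstract I/O; returns the list of reply codes, banner first."""
    codes = [read_reply(rfile)[0]]  # banner: Mail Guard masks the text with '*' but keeps the 220
    for cmd in cmds:
        send((cmd + "\r\n").encode("ascii"))
        code, _ = read_reply(rfile)
        codes.append(code)
        if code >= 400:
            break  # stop at the first rejection so the caller sees where the dialogue failed
    return codes


def smtp_probe(host, port, helo_name, mail_from, rcpt_to, timeout=10):
    """Real-socket wrapper around run_session (hypothetical host/port supplied by the caller)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return run_session(s.makefile("rb"), s.sendall, envelope_commands(helo_name, mail_from, rcpt_to))
```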