Cisco Support Community
New Member

Outgoing SMTP from mail server blocked

I have a Cisco 837 router. It appears that the firewall blocks outgoing SMTP traffic from my Mailgate mail server, but will allow direct outgoing SMTP mail from client machines. Any ideas?

5 REPLIES
Cisco Employee

Re: Outgoing SMTP from mail server blocked

Errr, no, we need more information than that. Can you post the config, making sure to xxx out your public addresses and passwords? Do you have an access-list applied outbound? Do you have IOS FW configured, and if so, are you inspecting SMTP, and if so, does the Mailgate mail server use ESMTP? Try turning off the "ip inspect smtp" command if it's in your config.

New Member

Re: Outgoing SMTP from mail server blocked

Hello,

Thank you for your assistance. I am new to Cisco routers and IOS. I have included the config file below; it is the factory default as I have made no changes. I believe Mailgate uses ESMTP.

Best Regards

Current configuration : 3044 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
no logging buffered
enable secret 5 $1$quRo$CVRFzgXot8wjjmcdFdcxX1
!
username Router password 7 ???????????
username Ravie privilege 15 password 7 ????????????
ip subnet-zero
ip name-server 158.152.1.43
ip name-server 158.152.1.58
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
!
!
!
!
interface Ethernet0
 description CRWS Generated text. Please do not delete this:10.0.0.3-255.255.255.0
 ip address 10.0.0.3 255.255.255.0 secondary
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 dsl power-cutback 0
!
interface Dialer1
 ip address negotiated
 ip access-group 111 in
 ip nat outside
 ip inspect myfw out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname ?????????
 ppp chap password 7 ?????????????
 ppp pap sent-username ???????? password 7 ????????????/
 hold-queue 224 in
!
ip nat inside source list 102 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
!
!
access-list 23 permit 10.0.0.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
end

New Member

Re: Outgoing SMTP from mail server blocked

2 questions,

Has it ever worked?

Have you checked the TCP/IP for your server machine, to verify the subnet information is configured correctly?

OK, maybe 3 questions,

Can you post the error log lines which deny the port 25 traffic for your mail server?

Bruce Davis, CCNA since 2003

New Member

Re: Outgoing SMTP from mail server blocked

Thanks for your help.

No, it has never worked. I installed the 837 with the supplied easy installation software.

TCP/IP and subnet info for server OK

The mail is sent out OK with firewall disabled.

If you look at the replies you will see my config file.

I have solved the problem by removing the line

ip inspect name myfw smtp timeout 3600

Will this cause further problems/security issues?

Re: Outgoing SMTP from mail server blocked

CBAC can be configured to inspect SMTP but not Extended SMTP (ESMTP). CBAC SMTP inspect does not inspect the ESMTP session or command sequence. Configuring SMTP inspection is not useful for ESMTP, and it can cause problems.

Hope it helps.

Steve
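
Added example, not part of the original thread: a small Python audit that reads an IOS configuration, reports every CBAC rule that still inspects SMTP on an interface, and checks whether generic TCP inspection remains in the same rule once the SMTP line is removed. The function name `audit_smtp_inspection` and the trimmed sample config are constructed for illustration.

```python
import re

# Constructed sample: only the relevant lines of the config posted in the thread.
SAMPLE_CONFIG = """\
ip inspect name myfw ftp timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
interface Ethernet0
 ip nat inside
interface Dialer1
 ip access-group 111 in
 ip inspect myfw out
"""

def audit_smtp_inspection(config):
    """Return one finding per applied inspection rule that contains 'smtp'."""
    rules = {}     # rule name -> set of inspected protocols
    applied = []   # (interface, rule name, direction)
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)", line)
        if m:
            iface = m.group(1)          # remember the current interface
            continue
        m = re.match(r"ip inspect name (\S+) (\S+)", line)
        if m:                           # rule definition: name + protocol
            rules.setdefault(m.group(1), set()).add(m.group(2).lower())
            continue
        m = re.match(r"ip inspect (\S+) (in|out)$", line)
        if m and iface:                 # rule applied to an interface
            applied.append((iface, m.group(1), m.group(2)))
    findings = []
    for iface, name, direction in applied:
        protos = rules.get(name, set())
        if "smtp" in protos:
            findings.append({
                "interface": iface, "rule": name, "direction": direction,
                "remove": f"no ip inspect name {name} smtp",
                # With 'tcp' in the rule, port-25 sessions are still tracked
                # statefully and return traffic is still let through the ACL.
                "tcp_still_inspected": "tcp" in protos,
            })
    return findings

if __name__ == "__main__":
    for finding in audit_smtp_inspection(SAMPLE_CONFIG):
        print(finding)
```

If `tcp_still_inspected` is false for a rule, removing the SMTP line would leave outbound mail sessions with no inspection at all, and return traffic would then be dropped by the inbound ACL.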
