PIX 515 and Exchange Domain Resolution problem

ciscows
Level 1

Hello,

When I take the static assignment out of the PIX for my Exchange server, I am no longer able to send mail to AOL.com. I do not have any blocks or any URL filtering. As soon as I assign the Exchange server an address that is NOT in the static list, I am able to resend the mail to AOL.com. This is not the only domain, but it is the most common one and the one causing the most issues.

Short of opening all ports for that (inside,outside) address, I am kind of left scratching my head. Any suggestions?

thanks,

jim

10 Replies

gfullage
Cisco Employee

Your SMTP server may be listed as a mail relay and be blacklisted by certain sites that subscribe to lists like relays.osirusoft.com. Go here (http://relays.osirusoft.com/cgi-bin/rbcheck.cgi), type in your server's IP address or domain name and see if you're blacklisted. If you are, then you need to fix your SMTP server first to stop it from being a relay agent, then email retest@relays.osirusoft.com to have your server retested. If AOL subscribes to these lists, the only way to get off them is to fix up your server.

You should be able to tell if being blacklisted is the cause of the problem by checking the logs on your SMTP server; you'll have replies similar to the following:

A mail message was not sent due to a protocol error.

550 5.7.1 Mail from x.x.x.x refused by blackhole site relays.osirusoft.com

The message that caused this notification was:
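The two checks suggested above (query a DNS-based blacklist for the server's address, and look for the "refused by blackhole site" 550 in the SMTP server's own logs) are easy to script. The example below is added here and is not part of the original thread or any Cisco tool: it builds the reversed-octet DNSBL query name, resolves it through an injectable resolver (a constructed in-memory zone is used so it runs offline; the `live_resolver` wrapper around `socket.gethostbyname` is how you would query a real list), and scans constructed log lines for blackhole rejections. The zone name `relays.example.test`, the sample addresses and the log lines are all constructed for the example.

```python
import ipaddress
import re
import socket
from typing import Callable, Dict, List, Optional, Tuple

# A DNSBL is queried by reversing the dotted quad and appending the zone:
# 192.0.2.25 in zone relays.example.test -> 25.2.0.192.relays.example.test
# An A answer (conventionally 127.0.0.x) means "listed"; NXDOMAIN means "not listed".
def dnsbl_query_name(ip: str, zone: str) -> str:
    addr = ipaddress.IPv4Address(ip)          # rejects malformed input early
    octets = str(addr).split(".")
    return ".".join(reversed(octets)) + "." + zone.strip(".")

# A resolver maps a name to an A record (as a string) or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]

def live_resolver(name: str) -> Optional[str]:
    """Real DNS lookup; only used when you point this at an actual DNSBL zone."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_dnsbl(ip: str, zone: str, resolve: Resolver) -> Tuple[bool, Optional[str]]:
    """Return (listed, return_code). return_code is the A record the list answered with."""
    answer = resolve(dnsbl_query_name(ip, zone))
    return (answer is not None, answer)

# Constructed stand-in for a DNSBL zone: only 192.0.2.25 is "listed".
CONSTRUCTED_ZONE: Dict[str, str] = {
    "25.2.0.192.relays.example.test": "127.0.0.2",
}

def constructed_resolver(name: str) -> Optional[str]:
    return CONSTRUCTED_ZONE.get(name)

# Matches the rejection quoted in the thread:
#   550 5.7.1 Mail from x.x.x.x refused by blackhole site relays.osirusoft.com
BLACKHOLE_RE = re.compile(
    r"(?P<code>5\d\d)\s+(?P<enhanced>\d\.\d+\.\d+)\s+"
    r"Mail from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) refused by blackhole site (?P<list>\S+)"
)

def find_blackhole_rejections(log_lines: List[str]) -> List[Dict[str, str]]:
    """Pull every blackhole-style 5xx rejection out of SMTP log lines."""
    hits = []
    for line in log_lines:
        m = BLACKHOLE_RE.search(line)
        if m:
            hits.append(m.groupdict())
    return hits

# Constructed log lines; the first is the shape quoted in the reply above.
CONSTRUCTED_LOG = [
    "550 5.7.1 Mail from 192.0.2.25 refused by blackhole site relays.osirusoft.com",
    "250 2.0.0 Queued mail for delivery",
    "421 4.4.2 Connection dropped",
]

if __name__ == "__main__":
    listed, code = check_dnsbl("192.0.2.25", "relays.example.test", constructed_resolver)
    print("listed:", listed, "code:", code)
    for hit in find_blackhole_rejections(CONSTRUCTED_LOG):
        print("rejection:", hit)
```

If the address is listed, the return code tells you which sub-list hit (each DNSBL documents its own 127.0.0.x meanings); if the log scan comes back empty, the remote side is rejecting for some other reason, which is what this thread eventually found.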

I have checked the domain name and server IP and we are not listed on any of the lists. I did however notice that my original post is off a bit. If the IP address of the mail server is a static in the PIX, I cannot send mail. Once I reassign the mail server an IP address that is not a static in the PIX, I can manually resend mail and it will send the mail.

Thanks, and sorry for the mistake in the original post.

Jim

Still not sure what you mean by "Once I reassign the mail server and IP address that is not static in the PIX", reassign to what?

Are you saying that if the mail server has a valid global IP address and sits outside the PIX then everything works fine, but if you then put the mail server inside the PIX and put the same global IP address in the PIX as a static, it no longer works?

If that's true, then you need to clear the ARP table on the router sitting outside the PIX, since it will still have an ARP entry for the global IP address pointing to the MAC address of the mail server, not the MAC address of the PIX.

I have a static address in the PIX (inside, outside) for the mail server. Using the static IP in the PIX, the mail server cannot send mail to certain mail servers in certain domains, AOL being one. When I give the mail server a different internal IP address, it then uses one of the public IPs I have set up in the global pool (this is a state school which has been given approximately 500 IPs); I can then force a resend or retry on the mail server to send mail to the "problem" mail servers and it works. Maybe a better way to say this is that using the global pool public IPs I have no problem with the mail server. As soon as I put the static statement back in the PIX for the mail server, I start having problems. I have a TAC case on it, but they are stumped right now (D548392). I will try your suggestion and see if it resolves the problem.

ROBERT CROOKS
Level 1

I have a similar setup (I think) as you.

The setup for me was relatively simple. I dedicated one IP from the range given by my ISP to the MX record of my domain (i.e. mail.companyname.com). Then I created an access-list from the outside interface to the inside interface on port 25, and created a static translation rule for that public IP to the private one.

I have URL filtering on, but that doesn't affect port 25 so it is not a problem.

The only way that I can see that your Exchange server is not sending to AOL or others is that it thinks that the address for AOL is on an interface other than the Outside. This could happen if you have public IPs configured on your internal interfaces that match the real ones and your mask is too small (8/16 bit).

Otherwise, I would think that your Exchange is resolving the address for AOL to a dud IP.

I have other thoughts about your problem, but would like to see what your other symptoms are.

Robert

I have gone so far as to open all TCP ports on that ip address just to do this simple test:

telnet spencer.uscourts.gov 25, which is another domain I can't seem to get to. It's not just the static (outside,inside) address for the mail server; it's EVERY static (outside,inside) IP address for any server or admin PC that cannot perform this simple query to the troubled domain. As soon as I give the mail server a different internal IP address, thus allowing it to grab an external IP from the global pool, it works with no problem... sending mail, testing the telnet over port 25, etc. I am just not sure what else to do at this point. I have opened a TAC case but as it stands now, they don't even know what the problem is. They have looked at my config and syslog files but they don't see anything outstanding in either. Maybe it is as simple as the ARP cache on the router causing problems... hmm

thanks for your comments,

Jim

What's the TAC case number? I'll have a look.

D548392

I have sent syslogs and configs in. If you would like direct access, I do have permission to allow support personnel into the PIX. Email me if you wish to do so, jwilson@cgtcollege.org

Thanks for all your help so far,

Jim

Sorry for the delay in responding (long weekend in Australia this weekend). Looking at the case notes, it looks like you discovered you are on some email deny lists and since changing your email server's address you're OK now. Just wanted to verify?

We were not showing up on any of the lists, but I did discover that a couple of savvy mail admins at AOL and US Courts were blocking the entire range of public static IPs that I had. I "dropped" down to a lower block and it worked like a champ. I have also made sure that the Exchange server is not performing any relaying. This should keep us off any kind of "list".

Thanks for your help and time in this problem, I really appreciate it.

Jim
