When I take the static assignment out of the PIX for my Exchange server, I am no longer able to send mail to AOL.com. I do not have any blocks or any URL filtering. As soon as I assign the Exchange server an address that is NOT in the static list, I am able resend the mail to AOL.com. This is not the only domain, but is the most common one that is causing the most issue.
Next to opening all ports for that (inside,outside) address, I am kinda left scratching my head. Any suggestions?
Your SMTP server may be listed as a mail relay and be blacklisted by certain sites that subscribe to lists like relays.osirusoft.com. Go here (http://relays.osirusoft.com/cgi-bin/rbcheck.cgi), type in your server's IP address or domain name and see if you're blacklisted. If you are, then you need to fix your SMTP server first to stop it being a relay agent, then email firstname.lastname@example.org to have your server retested. If AOL subscribes to these lists, the only way to get off them is to fix up your server.
You should be able to tell if being blacklisted is the cause of the problem by checking the logs on your SMTP server, you'll have replies similar to the following:
A mail message was not sent due to a protocol error.
550 5.7.1 Mail from x.x.x.x refused by blackhole site relays.osirusoft.com
The message that caused this notification was:
I have checked domain name and server IP and we are not listed on any of the lists. I did however notice that my original post is off a bit. If the IP address of the mail server is in the PIX I can not send mail. Once I reassign the mail server and IP address that is not static in the PIX, I can manually resend mail and it will send the mail.
Thanks, and sorry for the mistake in the original post.
Still not sure what you mean by "Once I reassign the mail server and IP address that is not static in the PIX", reassign to what?
Are you aying that if the mail server has a valid global IP address and sits outside the PIX then everthing works fine. But if you then put the mail server inside the PIX and put the same global IP address in the PIX as a static, it no longer works?
If that's true, then you need to clear the ARP table on the router sitting outside the PIX, since it will still have an ARP entry for the global IP address pointing to the MAC address of the mail server, not the MAC address of the PIX.
I have a static address in the PIX (inside, outside) for the mail server. Using the static IP in the PIX the mail server cannot send mail to certain mail servers in certain domains, AOL being one. When I give the mail server a different internal IP address, it then uses one of the public IP's I have set up in the global pool (this is a state school which has been given approxim 500 ips), I can then force a resend or retry on the mail server to send mail to the "problem" mail servers an it works. Maybe a better way to say this is that using the global pool public iP's I have no problem with the mail server. As soon as I put the static statement back in the PIX for the mail server, I start having problems. I have a TAC case on it, but they are stumped right now (D548392). I will try your suggestion and see if it resolves the problem.
I have a similar setup (I think) as you.
The setup for me was relativly simple. I dedicated one IP from the range given by my ISP to the mx record of my domain (i.e mail.companyname.com). Then I created an access-list from the outside interface to the inside interface on port 25, and created a static translation rule for that public IP to the private one.
I have URL filtering on, but that doesn't affect port 25 so it is not a problem.
The only way that I can see that your Exchange server is not sending to AOL or others is that it thinks that the address for AOL is on an interface other than the Outside. This could happen if you have public IPs configured on your internal interfaces that match the real ones and your mask is too small (8/16 bit).
Otherwise, I would think that your Exchange is resolving the address for AOL to a dud IP.
I have other thoughts about you problem, but would like to see what your other symptoms are.
I have gone so far as to open all TCP ports on that ip address just to do this simple test:
telnet spencer.uscourts.gov 25 which is another domain I can't seem to get to. Its not just the static (outside,inside) address for the mail server, its EVERY static (outside, inside) IP address for any server or admin PC that cannot perform this simple query to the troubled domain. As soon as I give the mail server a different internal IP address and thus allowing it to grab an external IP from the global pool, it works with no problem...sending mail, testing the telnet over port 25, etc. I am just not sure what else to do at this point. I have opened a TAC case but as it stands now, they don't even know what the problem is. They have looked at my config and syslog files but they don't see anything outstanding from either data. Maybe it is as simple as the ARP cache on the router is causing problems...hmm
thanks for your comments,
I have sent syslogs and configs in. If you would like direct access, I do have permission to allow support personnel into the PIX. Email me if you so wish to do so, email@example.com
Thanks for all your help so far,
Sorry for the delay in responding (long-weekend in Australia this weekend). Looking at the case notes it looks like you discovered you are on some email deny lists and since changing your email servers address you're OK now. Just wanted to verify?
We were not showing up on any of the lists but I did discover that a couple savvy mail admins at AOL and US Courts were blocking the entire range of public static IP's that I had. I "dropped" down to a lower block and it worked like a champ. I also have made sure that the Exchange server is not performing any relaying. This should keep us off any kind of "list".
Thanks for your help and time in this problem, I really appreciate it.