When trying to send an e-mail from the SMTP server on the DMZ to the mail server on the inside network, the mail is not delivered. Is this due to the fact that the firewall cannot route the message to the mail server? If so, how can I get around this problem?
AFAIK, since the DMZ is considered a lower-security zone compared to the inside network, you need to allow/permit the SMTP traffic from the DMZ to flow to the inside network.
But it's the other way around from the inside to the DMZ, where you don't need to enable or open the required ports.
How is the MX record resolved for the inside mail server's domain?
Where is the DNS server located?
Check out this URL for DNS rewrite functionality, which may be helpful in your case.
The MX record is resolved by using a DNS server outside of the internal network. I read the information from the link that you provided; however, I don't think it explains a situation where the host computer on the DMZ is trying to route e-mail to a mail server that resides on the inside interface.
Thanks for your help so far,
As pointed out by the previous poster, is there proper access configured in your firewall to allow the SMTP connection from the server on the DMZ to the mail server on the inside network?
If you could provide the firewall config snapshot (after removing the sensitive information, public IPs, etc.), we would be able to have a look and help you correct any problems in the configuration. Provide IP address details for the involved servers also.
You can quickly check whether an SMTP connection to the inside server is allowed from the server on the DMZ as follows.
On the server located in the DMZ, initiate a telnet connection to the inside server IP on port 25. ( telnet
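The telnet check above only tells you "connected" or "not connected". When debugging a firewall path it helps to know which failure you got: a TCP reset (the host or firewall actively rejected port 25) points at a missing listener or an explicit deny, while a silent timeout (no SYN/ACK at all) is the usual symptom of a missing permit rule, missing NAT/static, or a routing problem. The script below is an added example and not something from this thread; it performs the same probe from the DMZ host with a timeout, completes a minimal EHLO/QUIT dialogue when a banner arrives, and classifies the outcome. The address 172.17.16.10 is the inside mail server from the thread; the helper `start_fake_smtp_server` is a constructed loopback stand-in used only so the script can be exercised offline.

```python
import socket
import sys
import threading

SMTP_PORT = 25
TIMEOUT = 5.0  # seconds; a silent drop by the firewall shows up as a timeout


def _readline(sock):
    """Read one CRLF-terminated SMTP reply line (at most 512 bytes)."""
    data = b""
    while not data.endswith(b"\r\n") and len(data) < 512:
        chunk = sock.recv(1)
        if not chunk:
            break
        data += chunk
    return data.decode("ascii", "replace").strip()


def probe_smtp(host, port=SMTP_PORT, timeout=TIMEOUT, helo_name="dmz-host"):
    """TCP-connect to host:port and run a minimal SMTP dialogue.

    Returns (status, detail) where status is one of:
      "ok"        banner received and EHLO answered: the path is open
      "no_banner" TCP connected but no usable 220 greeting (not an SMTP
                  listener, or the peer stalled after connecting)
      "refused"   TCP RST: the host or a firewall actively rejects port 25
      "timeout"   no reply at all: packets dropped or misrouted, typically a
                  missing permit rule, static/NAT entry, or route
      "error"     other socket error (name resolution, no route, ...)
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", f"{host}:{port} answered with TCP RST"
    except socket.timeout:
        return "timeout", f"no SYN/ACK from {host}:{port} within {timeout}s"
    except OSError as exc:
        return "error", str(exc)

    with sock:
        sock.settimeout(timeout)
        try:
            banner = _readline(sock)
            if not banner.startswith("220"):
                return "no_banner", f"connected, but greeting was {banner!r}"
            sock.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
            reply = _readline(sock)  # first line of the (possibly multi-line) reply
            sock.sendall(b"QUIT\r\n")
        except socket.timeout:
            return "no_banner", "connected, but the peer stopped answering"
    return "ok", f"{banner} / EHLO -> {reply}"


def start_fake_smtp_server(greeting="220 mail.example.test ESMTP"):
    """Constructed loopback stand-in for the inside mail server (test aid only).

    Listens on a random 127.0.0.1 port, serves one client with a 220 banner,
    a 250 reply to EHLO and a 221 reply to QUIT. Returns the port number.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(greeting.encode("ascii") + b"\r\n")
            _readline(conn)  # EHLO
            conn.sendall(b"250 mail.example.test\r\n")
            _readline(conn)  # QUIT
            conn.sendall(b"221 Bye\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_loopback_port():
    """Return a loopback port that nothing is listening on (for a 'refused' demo)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Usage from the DMZ host: python probe_smtp.py 172.17.16.10 [port]
    if len(sys.argv) > 1:
        target_port = int(sys.argv[2]) if len(sys.argv) > 2 else SMTP_PORT
        status, detail = probe_smtp(sys.argv[1], target_port)
    else:
        status, detail = probe_smtp("127.0.0.1", start_fake_smtp_server())
    print(f"{status}: {detail}")
```

Run it from the DMZ server against 172.17.16.10; "timeout" means the firewall never let the SYN through (or the reply never came back), which is the case to investigate in the firewall configuration, whereas "refused" means the packet reached something that answered.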
You are missing a few things from your configuration: NAT, conduit and alias.
You need to define a NAT rule, a conduit to allow the traffic between the servers, and an alias configured to do DNS doctoring, since the DMZ server tries to communicate with the inside server using the global IP address.
Can you configure the following and try?
static (inside, dmz) 172.17.17.11 172.17.17.11 netmask 255.255.255.255
conduit permit tcp host 172.17.17.11 host 172.17.16.10 eq smtp
alias (dmz) 172.17.16.10 220.127.116.11 255.255.255.255
I tried the configuration changes that you suggested. However, I think the correct address for the host on the DMZ should have been 172.17.17.111, and I think the conduit command should have the host addresses reversed. I tried it both ways and I still could not telnet to the mail server (172.17.16.10) using port 25 from the host on the DMZ. Here is a copy of the new config with the changes that you recommended.