topic Re: cannot pass smtp - 25 in Network Security

cannot pass smtp - 25

mjackson — Mon, 11 Mar 2019 13:19:13 GMT

515E

I am in the process of setting up an in house mail server. In so I have setup smtp, pop3, and imap to pass to my mail server.

for some reason when I do the telnet test for 25 from an outside location, the 515E returns the 220 and not my mail server. pop3 and imap seem to work fine

any ideas what could be blocking my 25

thanks

mark

Re: cannot pass smtp - 25

a.alekseev — Wed, 23 Jul 2008 18:56:37 GMT

what software version of the PIX do you have?

Re: cannot pass smtp - 25

Alan Huseyin Kayahan — Wed, 23 Jul 2008 19:07:01 GMT

Hello Mark,

"the 515E returns the 220 and not my mail server"

I dont know a reply type of "220" from PIX firewall. If you telnet 25 to the IP and get any kind of screen (either blank or some output) other than "Could not open connection to the host" Connect failed or timeout, that means the port is open.

By the way, exchange server reply to a telnet to port 25 starts with 220. Here is one of them

"220 xxxx.xxxx.xxx Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready at

Wed, 23 Jul 2008 23:09:19 +0300 "

Or sometimes just 220 and some ASCII chars like ######## or so.

If you post your sanitized config, we would help better.

Also make sure that you configued your SMTP Connector in Exchange server

Regards

Re: cannot pass smtp - 25

paulc — Wed, 23 Jul 2008 19:31:45 GMT

You probably also want to turnoff fixup for smtp. We run a 515e and E2K and have it off. It's my understanding that MS has a problem with that.

Re: cannot pass smtp - 25

mjackson — Wed, 23 Jul 2008 19:39:46 GMT

Guessing old, I inherited this when I started this job.

version 6.3(5) does that sound right?

Re: cannot pass smtp - 25

mjackson — Wed, 23 Jul 2008 19:43:20 GMT

when I do the telnet 25 from an outside location I get one of 2 returns

220 ####### - I am told this is the 515e responding

or nothing

Re: cannot pass smtp - 25

a.alekseev — Wed, 23 Jul 2008 19:48:41 GMT

In this case I advise you to turn off smtp fixup.

Re: cannot pass smtp - 25

Alan Huseyin Kayahan — Thu, 24 Jul 2008 00:04:33 GMT

Mark,

"220 ####### - I am told this is the 515e responding"

Inspection is replacing the starttls echo-reply with ## sometimes ** . Most mail servers work in this case, but your mail server may not be able to establish connection with some mail servers.

Following are the necessary commands to correct that

policy-map type inspect esmtp esmtp_map

parameters

no mask-banner

policy-map global_policy

class inspection_default

inspect esmtp esmtp_map

But this is available in code 7.2 or higher. I dont know an equivalant for 6.3 code and I assume it does not exist.

Better upgrade your IOS or remove the fixup as suggested.

Regards