
Can't send email - PIX 506 version 6.3(5)

mdazadzaki
Level 1

hi,

Currently we are using pix version 6.3(5) 506 model for our email server.

Policy rule pretty simple,

object-group service Email-ports tcp

port-object eq 995

port-object eq 456

port-object eq smtp

port-object eq 8188

port-object eq pop3

access-list outside_access_in permit tcp any interface outside object-group Email-ports

no fixup protocol smtp 25

The issue we are currently facing is that we are able to receive emails but we cannot send emails.

any advice?

best regards,

Zaki


m.sir
Level 7

This access list permits traffic from outside to inside. What ACL is applied to the inside interface? Why did you turn off fixup of smtp (no fixup protocol smtp 25)? Try to enable fixup again with the command fixup protocol smtp 25

M.

Hope that helps; rate if it does

Yes, this access list permits traffic from the outside to the inside based on the ports that have been configured as below.

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

static (inside,outside) tcp interface smtp LotusDomino smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 8188 LotusDomino https netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 465 LotusDomino 465 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 995 LotusDomino 995 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

The business requirement is to allow access from the outside network (any) to the inside email server (LotusDomino) based on the ports configured above. As for the inside interface, allow any to any policy.

So far there is no problem accessing the services from the outside network.

I read some comments on this forum to disable the no fixup protocol smtp if there are email server sending/receiving problems. Please correct me if I got it all wrong. Many thanks.

kind regards,

Zaki

Check your DNS to make sure that from the server you can resolve names. NSLOOKUP

My colleague commented based on the config.. he mentioned that port smtp is not available simply because it is being used for the outbound traffic. That makes it unable to send emails. However, please verify the following config and comment.

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

name 192.168.1.28 LotusSametime

name 192.168.1.27 LotusDomino

object-group service BIBDEmail-ports tcp

port-object eq 995

port-object eq 456

port-object eq smtp

port-object eq 8188

access-list outside_access_in permit tcp any interface outside object-group BIBDEmail-ports

global (outside) 1 interface

nat (inside) 1 192.168.1.0 255.255.255.0 0 0

static (inside,outside) tcp interface smtp LotusDomino smtp netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 8188 LotusDomino https netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 465 LotusDomino 465 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 995 LotusDomino 995 netmask 255.255.255.255 0 0

access-group outside_access_in in interface outside

your help is appreciated
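An added example, not part of any post in this thread: a small Python check that compares the TCP ports the outside ACL permits through the object-group with the outside ports published by the static translations, run over lines copied from the configuration posted above. The function name `audit` and the `NAMED` port table are assumptions of this example.

```python
import re

# Port keywords that appear in the posted config, with their TCP numbers.
NAMED = {"smtp": 25, "pop3": 110, "https": 443}

# Sample input: lines copied from the configuration posted in this thread.
CONFIG = """\
object-group service BIBDEmail-ports tcp
port-object eq 995
port-object eq 456
port-object eq smtp
port-object eq 8188
access-list outside_access_in permit tcp any interface outside object-group BIBDEmail-ports
static (inside,outside) tcp interface smtp LotusDomino smtp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 8188 LotusDomino https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 465 LotusDomino 465 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 995 LotusDomino 995 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
"""

def port(tok):
    """Translate a port keyword or a decimal string to a port number."""
    return NAMED[tok] if tok in NAMED else int(tok)

def audit(config):
    """Return outside ports that are permitted but not published, and vice versa."""
    groups, current, permitted, published = {}, None, set(), set()
    for line in config.splitlines():
        line = line.strip()
        if not line:
            continue  # forum extraction leaves blank lines between commands
        if m := re.match(r"object-group service (\S+) tcp$", line):
            current = groups.setdefault(m.group(1), set())
        elif (m := re.match(r"port-object eq (\S+)$", line)) and current is not None:
            current.add(port(m.group(1)))
        else:
            current = None  # any other command ends the object-group block
            if m := re.match(r"access-list \S+ permit tcp any interface outside "
                             r"object-group (\S+)$", line):
                permitted |= groups.get(m.group(1), set())
            elif m := re.match(r"static \(inside,outside\) tcp interface (\S+) \S+ \S+ ", line):
                published.add(port(m.group(1)))  # first port is the outside side
    return {"permitted_no_static": sorted(permitted - published),
            "static_no_permit": sorted(published - permitted)}

if __name__ == "__main__":
    print(audit(CONFIG))
```

On the posted lines the check reports port 456 as permitted with no matching static and port 465 as published with no matching permit.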

Hi ..

Can you please check whether you have an access-list applied to the INSIDE interface .. If you do, make sure you are allowing outbound access as well.

I hope it helps .. please rate it if it does !!!

Wilson Samuel
Level 7

Hi Zaki,

Please be informed that disabling the protocol inspection on PIX for SMTP/ESMTP is NOT advisable.

May I request you to allow the protocol inspection with the command fixup protocol smtp 25.

Regards,

Wilson Samuel
