Re: PIX 515e and SMTP problems

k.nebroski · ‎07-06-2004

I have a 515e that replace a couple of 1720 routers. I have an inside, outside and dmz setup with the mail server in the dmz. Basically it is all working, but I am having issues with smtp transfers to other (but not all) sites. Cisco TAC has looked at my config and say it is OK. I've herd rumblings about fragmentation problems in the pix. Is there something that I can look at? My syslog shows a connection being built to the destination and then torn down 10 minutes later!

Thanks

ehirsel · ‎07-07-2004

Please post your config here. In particular I am looking to see if the sysopt resetinbound option is turned on. In reading prior pix doc, some smtp servers will use the IDENTD protocol and await a response before continuing the smtp connection. This could be your issue.

Another item that I am interested in is if mail guard is turned on. If so, then sites running the smtp, but not the esmtp protocol will work, and those that you have trouble with, may require ESMTP. Mail Guard only works with the smtp, as far as I know.

I am not aware of any fragmentation issues on the pix.

k.nebroski · ‎07-07-2004

Here is my current running config. I've removed the names and pdm location entries to shorten the text. I don't see any sysopt commands in the config!

Thanks,

ehirsel · ‎07-07-2004

Run the show sysopt command and post the results here. In the meantime, I'll review the config and let you know what I find.

joneschw1 · ‎07-07-2004

Just out of curiosity, did the IP address of your mail server change? If it did, did you change your reverse DNS record. A lot of mail servers refuse the connection if there is no corresponding reverse DNS record, or if the reverse DNS record is different from the host. It is a spam prevention type thing.

k.nebroski · ‎07-07-2004

Nothing on the server or the infrastructure has changed in months, except for removing a couple 1720 routers and replacing them with this pix. Mail to other locations work. I can shut the pix off and plug the same exact cables into the 1720's and everything works fine.

k.nebroski · ‎07-07-2004

Here are the results.

Result of firewall command: "sh sysopt"

sysopt connection timewait

sysopt connection tcpmss 1380

sysopt connection tcpmss minimum 0

no sysopt nodnsalias inbound

no sysopt nodnsalias outbound

no sysopt radius ignore-secret

no sysopt uauth allow-http-cache

no sysopt connection permit-ipsec

no sysopt connection permit-pptp

no sysopt connection permit-l2tp

no sysopt ipsec pl-compatible

ehirsel · ‎07-09-2004

I don't see anything wrong with your config at this point. I did make a mistake in my intital post, resetindbound is a service, not a sysopt. Please run the show service command, and also run the capture command with an acl that is coded like this:

access-list cap01 permit ip any problem-mail-server

access-list cap01 permit ip host problem-mail-server any

Apply the capture to the outside interface. problem-mail-server is the one wherey you are having issues getting connected to.

Let me know what the capture result is.

k.nebroski · ‎07-09-2004

I get nothing back when I issue the "show service" command.

BTW: Cisco TAC is now working on this, and I sent them the capture file last night. It has been escalated to P1, they are supposed to be getting back to me today some time. They also say that they see nothing wrong with my config. Funning thing is that a people from that remote site can email anyone here at mine!