Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1030
Views
0
Helpful
3
Replies

Slow/dropped SMTP connections inbound from internet through PIX

jwitherell
Level 1
Level 1

‎05-24-2002 07:50 PM - edited ‎02-20-2020 10:04 PM

Was wondering if any of you have seen a problem similar to this one. Not sure how long it's been going on. We found it while logging some email traffic, and noticed that a great deal of traffic is from the second and third servers listed in the MX record. This means that the sending SMTP server failed against the finst (internal) server, gave up, and sent it to the second/third listed server...

Here's the topology:

<outside>

|

|

| PIX |

|

|

<inside LAN>

|

|SMTP Gateway|

We use the static/conduit commands to configure the translation and permit inbound access (where x=internet address and y=private address:

static (inside,outside) x.x.x.x y.y.y.y netmask 255.255.255.255 0 0

conduit permit tcp host x.x.x.x eq smtp any

When on the internal net, I can telnet to the internal address, port 25 and things work A-OK. But when I am out on the internet, I telnet to port 25 and it is so slow that it can't even complete the banner, and times out the connection. I tried from the internal net to telnet out to the external address, and the same delay happens there, too.

Judging by the fact that I can telnet to the port internally seems to rule out the server. The logs and monitoring on the SMTP server itself shows that there's plenty of available connections, and it is not overworked in any way.

I think this is an issue with the PIX. However, there is no outbound traffic problems, the internet link itself is not overworked. It is just this one function against this one server. It just happens that is the main inbound company email gateway. Not a good one to have the problem on!

I was originally telling the email people that it is their problem. When they showed me this, I feel certain that it is my problem to fix...

Help fellow PIX firewall bretheren! BTW, this is a PIX-520 with version 6.1(1).

Jim

0 Helpful
3 Replies 3

rgrcommo
Level 1
Level 1

‎05-24-2002 08:16 PM

From the internet can you telnet to port 25 from a unix box? What happens does it say say connection refused or does it just time out any you NEVER connect at all.

Make sure youhave a route to that network also:

you need three things:

1. Static

2. route to network

3. access-list or conduit

make sure you have a default gateway route:

route outside 0.0.0.0 0.0.0.0 x.x.x.x

0 Helpful

jwitherell
Level 1
Level 1
In response to rgrcommo

‎05-26-2002 09:17 AM

Actually, the session is established, however, it is very slow. Most of the time, after the session is established, it stops responding (can't even complete the HELO, for example), then the connection eventually times out.

I have tried this with a Win2000 PC. At this point, I hadn't thought of trying it with a Unix box. Not sure why it would make any difference.

It seems that if any of the items you listed were missing, then it wouldn't work at all. In my case, it works, but painfully slowly.

To reiterate, in a significant percentage of cases, the sending server gives up on this connection, and sends to the second or third server in the MX record (which are all external). Those servers, in turn, begin trying to send to the first server (which is the internal one inside the PIX)).

Again, keep in mind that mail is flowing good enough to keep users from complaining. At this point, it is an efficiency issue that only the email people are calling me about. I've got to get it solved, but the house isn't burning down or anything.

Jim

0 Helpful

bs0000554
Level 1
Level 1

‎06-11-2002 04:49 PM

I´ve problems whit mailguard (fixup smtp) and the ESMTP specialy whit Microsoft Exchange servers. Try to disable mailguard...

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card