07-17-2008 03:47 AM
Hi support,
I require your help very badly.
I have a firewall with inside, outside and dmz. I have an smtp server in the dmz. I have given nat 0 from inside to dmz and vice versa. From outside to the dmz smtp server a static nat is there.
When I telnet to the smtp server on port 25 I am getting the below error..
Pls help me...
220 *******************************************************************************************
helo
500 5.3.3 Unrecognized command
regards
Rajesh
07-17-2008 04:10 AM
Try to do the same from the DMZ. Do you have the same error?
07-17-2008 05:58 AM
You're running ESMTP inspection. I've seen many issues with this inspection and some mail servers (like MS Exchange). Usually, the recommended thing is to disable inspection.
It's easy to disable but you should do your research and fully understand the changes.
Conf t
policy-map global_policy
class inspection_default
no inspect esmtp
KB that covers the old fixup smtp in early versions of PIX software.
http://support.microsoft.com/kb/295725/en-us
Cisco doc for ESMTP inspection for 8.0.
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gt_esmtp.html
Hope this helps.
Thanks,
Chad
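The symptom Chad describes (a banner reduced to asterisks, then a 5xx reply to HELO) can be classified from the two lines of the exchange. The check below is an added example and is not code from the thread or from Cisco; the sample transcripts are constructed to mirror the quoted output, and `probe()` is a hypothetical helper for a live check against a host you administer.

```python
"""Classify an SMTP greeting/HELO exchange for signs of firewall ESMTP inspection."""
import re
import socket

# Constructed samples modelled on the exchange quoted in the thread
# (not captured from the poster's firewall).
SAMPLE_MASKED = [
    "220 ***************************************************",
    "500 5.3.3 Unrecognized command",
]
SAMPLE_CLEAN = [
    "220 mail.example.test ESMTP service ready",
    "250 mail.example.test Hello [192.0.2.10]",
]


def classify(greeting: str, helo_reply: str) -> str:
    """Return 'no-smtp', 'banner-masked', 'command-rejected' or 'ok'."""
    if not greeting.startswith("220"):
        # No service banner at all: typical when port 25 is blocked upstream,
        # which is the "blank screen" case rather than the inspection case.
        return "no-smtp"
    body = greeting[3:].strip()
    # Inspection engines (fixup smtp / inspect esmtp) replace the server
    # banner text with asterisks, so an all-asterisk banner is the tell.
    if body and re.fullmatch(r"\*+", body):
        return "banner-masked"
    if helo_reply.startswith("5"):
        return "command-rejected"
    return "ok"


def probe(host: str, port: int = 25, timeout: float = 5.0) -> str:
    """Live check (hypothetical helper): read the banner, send HELO, classify."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        f = s.makefile("rw", newline="\r\n")
        greeting = f.readline().rstrip("\r\n")
        # Multi-line banners use "220-"; keep reading until the final "220 " line.
        while greeting.startswith("220-"):
            greeting = f.readline().rstrip("\r\n")
        f.write("HELO probe.example.test\r\n")
        f.flush()
        reply = f.readline().rstrip("\r\n")
        f.write("QUIT\r\n")
        f.flush()
    return classify(greeting, reply)
```

Run `classify()` on the greeting and HELO reply from a manual telnet session, or `probe()` from inside the DMZ and again from outside, to tell an inspection problem apart from an upstream port-25 block.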
07-23-2008 10:43 AM
Rajesh,
a.alekseev was trying to tell you that you've got ACLs that aren't needed.
By default traffic flowing from a high security interface to a low one is permitted. Your ACLs applied to both directions on the inside and dmz interfaces are not needed unless you need to block traffic from leaving, and will probably only confuse the issue.
You could also use static to do nonat on the inside<->DMZ traffic. I find it a little cleaner than ACLs.
static (inside,dmz) 192.168.4.0 192.168.4.0 netmask 255.255.255.0
static (dmz,inside) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
You might want to rethink your 106 ACL. The 1st and 3rd lines are allowing all tcp and udp traffic to those hosts. Only open up what is needed.
You only need port 25 to do SMTP. You should also change your ACL for traffic leaving the dmz to inside to only permit the port and hosts that it needs to communicate with. If you open all traffic you're reducing the effectiveness of the DMZ.
Here is an example of a mail server dmz configuration.
Hope this helps.
Thanks,
Chad
Please rate if helpful.
07-23-2008 10:22 AM
Hi, I'm unable to telnet to the nat ip of the exchange server on port 25.
access-list 105 extended permit tcp any host exch_ip eq smtp
access-group 105 in interface outside
What are the other ports to be opened for accessing smtp from outside??
regards
Rajesh P
07-25-2008 08:30 AM
Hi Chad,
I feel the ISP has to allow port 25 for inbound traffic from outside, because even after giving ip any any it does not come up, whereas another static ip is accessible from outside on port 443.
So I strongly believe it's an ISP issue..
regards
Rajesh
07-25-2008 08:50 AM
Being that you were getting the error before, I would say they're not.
220 *******************************************************************************************
helo
500 5.3.3 Unrecognized command
If they blocked port 25 you would have not gotten that far.
Thanks,
Chad
07-26-2008 09:30 PM
Hi,
The 200*** error was taken from the local segment, and it's working at present after disabling inspect esmtp.
But we were getting only a blank screen when we telnet from outside. So I suspected it's an ISP issue. I informed the ISP and they also confirmed that it's a problem at their end and opened port 25. Now from outside we are able to telnet to port 25.
So, everything is working fine...
Thanks a lot Chad ..
regards
Rajesh P
07-18-2008 01:35 AM
Hi Chad,
You are damn good in Security, I really appreciate it.
Actually I disabled it yesterday itself and found smtp is working now..
But anyway, you have given me the ultimate solution..Thanks, thanks a lot..
I have one more doubt. I have enabled an ACL permit tcp any to smtp_server eq 25, and applied it with access-group in interface outside.
Apart from my laptop, which has a Tataindicom datacard, no one else is able to telnet to 25 from the outside world..I am able to telnet to 25 (smtp server). Do you think that could be an ISP issue...
Your reply is precious..
regards
Rajesh
07-18-2008 07:37 AM
There is the possibility that your ISP would block port 25 traffic. Usually done if you're using a consumer account. If it is a business account it should not be an issue.
Your firewall seems ok since it allowed you to telnet, although there could be another rule causing problems. Feel free to post the config (minus passwords; also mask part of the beginning of the IPs).
It could also be the settings on your mail server.
Set up a packet capture on the firewall to see if the traffic is actually making it to the firewall. Turn on logging to see if it's getting denied. If it's not, debug from your mail server.
ASA Capture:
access-list cap permit tcp any host MAIL_SRVR_EXTERNAL_IP eq 25
capture smtp_cap access-list cap interface outside buffer BUFFER_SIZE_BYTES
View capture from CLI:
show cap smtp_cap
Download Capture .pcap
https://FIREWALL_IP/capture/smtp_cap/pcap
Remove the ACL and Capture when done.
Use wireshark to review the capture.
Hope this helps.
Chad
Please rate posts if helpful!!
07-21-2008 04:09 AM
Hi Chad,
From the ASDM logs, I found the connection is getting established between the local host and the exchange server when telnetting to port 25.
regards
Rajesh
07-21-2008 04:38 AM
no nat (dmz) 0 access-list 121
no access-group 144 out interface inside
no access-group 133 out interface dmz
07-17-2008 06:12 AM
Quick solution is to take out inspect (e)smtp from the policy applied to that interface. From the docs you would expect esmtp inspection to work, but it may not in some cases. Taking it out is a quick fix.
Satya