A weird one! Mail

[Dyehouse1]

I have setup the PIX and new 1601 router and I 'thought' everything was working - oh boy was I wrong.

I have a mail relaying problem. My Intranet server has a small form that sends a mail message to the Chef when people order food - so far sounds easy. This Intranet server also acts as the VPN RAS server and as such has some special mappings in the firewall. Externally this sever is 212.240.1XX.23. However when people send out this form from the Intranet the server seems to think it can't connect to the Internal mail server OR to the external mapping to the mail server on 212.240.1XX.18 and instead uses the backup relays setup by the ISP. This means that the server sends the message out on the VPN address (212.240.1XX.23) and then it messes around on the Internet for a while before coming in about 5 hours later - obviously too late for lunchtime and food orders!

Just to confirm - the IIS on the Intranet is setup to use the internal mail server as Vrtual SMTP server. Secondly we have other internal IIS servers that still send mail fine so thats why I think this is a firewall thing as its going out on its external mapping.

Here is my current config:

Building configuration...
: Saved
:
PIX Version 6.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
enable password aqUd5fpvTbYGCrNf encrypted
passwd aqUd5fpvTbYGCrNf encrypted
hostname mailgate
domain-name pas.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list outside_access_in permit tcp any host 212.240.1XX.23 eq 1723
access-list outside_access_in permit tcp any host 212.240.1XX.19 eq 443
access-list outside_access_in permit tcp any host 212.240.1XX.18 eq pop3
access-list outside_access_in permit tcp any host 212.240.1XX.18 eq smtp
access-list outside_access_in permit tcp any host 212.240.1XX.18 eq 143
access-list outside_access_in permit tcp any host 212.240.1XX.20 eq www
access-list outside_access_in permit tcp any host 212.240.1XX.19 eq ftp
access-list outside_access_in permit tcp any host 212.240.1XX.22 eq www
access-list outside_access_in permit tcp any host 212.240.1XX.22 eq 98
access-list outside_access_in permit gre any host 212.240.1XX.23
access-list dmz_access_in permit tcp host 192.168.1.2 host 10.99.99.12 eq 1433
access-list dmz_access_in permit tcp host 192.168.1.2 eq smtp host 10.99.99.7 eq smtp
access-list dmz_access_in permit tcp host 192.168.1.4 eq smtp host 10.99.99.7 eq smtp
access-list dmz_access_in permit tcp host 192.168.1.5 eq smtp host 10.99.99.7 eq smtp
access-list inside_access_in permit ip any any
pager lines 24
logging monitor notifications
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
icmp permit any outside
icmp permit any inside
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 212.240.1XX.18 255.255.255.240
ip address inside 10.3.3.4 255.0.0.0
ip address dmz 192.168.1.1 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
pdm location 10.250.250.250 255.255.255.255 inside
pdm location 10.250.250.251 255.255.255.255 inside
pdm location 10.99.99.7 255.255.255.255 inside
pdm location 10.99.99.3 255.255.255.255 inside
pdm location 192.168.1.2 255.255.255.255 dmz
pdm location 192.168.1.3 255.255.255.255 dmz
pdm location 192.168.1.5 255.255.255.255 dmz
pdm location 192.168.1.4 255.255.255.255 dmz
pdm location 10.99.99.12 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
global (dmz) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp 212.240.1XX.23 1723 10.99.99.3 1723 netmask 255.255.255.255 0 0
static (inside,outside) tcp 212.240.1XX.19 443 10.99.99.7 443 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pop3 10.99.99.7 pop3 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 143 10.99.99.7 143 netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 10.99.99.7 smtp netmask 255.255.255.255 0 0
static (dmz,outside) tcp 212.240.1XX.20

http://www 192.168.1.2

http://www netmask

255.255.255.255 0 0
static (dmz,outside) tcp 212.240.1XX.19 ftp 192.168.1.3 ftp netmask 255.255.255.255 0 0
static (dmz,outside) tcp 212.240.1XX.22

http://www 192.168.1.4

http://www netmask

255.255.255.255 0 0
static (dmz,outside) tcp 212.240.1XX.22 98 192.168.1.5 98 netmask 255.255.255.255 0 0
static (inside,dmz) 10.99.99.12 10.99.99.12 netmask 255.255.255.255 0 0
static (inside,outside) 212.240.1XX.23 10.99.99.3 netmask 255.255.255.255 0 0
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group dmz_access_in in interface dmz
route outside 0.0.0.0 0.0.0.0 212.240.1XX.17 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:15:00 absolute uauth 0:05:00 inactivity
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
http server enable
http 10.0.0.0 255.0.0.0 inside
http 10.250.250.250 255.255.255.255 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 10.250.250.250 /PIX
floodguard enable
no sysopt route dnat
telnet 10.250.250.250 255.255.255.255 inside
telnet 10.250.250.251 255.255.255.255 inside
telnet timeout 10
ssh timeout 5
dhcpd lease 3600
dhcpd ping_timeout 750
terminal width 80
Cryptochecksum:XXX
: end
[OK]

Here is the mail header from one of the wandering mails:

Microsoft Mail Internet Headers Version 2.0
Received: from relay-2.mail.demon.net ([194.217.242.10]) by mrrush.uk.pas.local with Microsoft SMTPSVC(5.0.2195.2966);
Thu, 13 Feb 2003 22:49:49 +0000
Received: from vpn.pas.com ([212.240.1XX.23])
by relay-2.mail.demon.net id ac0225150; 13 Feb 2003 12:09 GMT
Received: from mail pickup service by mrdaydream.uk.parkairsystems.local with Microsoft SMTPSVC;
Thu, 13 Feb 2003 12:09:12 +0000
From: webmaster@uk.pas.com
MMDF-Warning: Parse error in original version of preceding line at relay-2.mail.demon.net
To: W.Dyehouse@uk.pas.com
MMDF-Warning: Parse error in original version of preceding line at relay-2.mail.demon.net
Subject: Intranet Sandwich Order
Date: Thu, 13 Feb 2003 12:09:12 -0000
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_004C_01C2D358.B88BFD00"
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Message-ID: <MRDAYDREAMyj9v1OYZp00000014@mrdaydream.uk.pas.local>
X-OriginalArrivalTime: 13 Feb 2003 12:09:12.0859 (UTC) FILETIME=[B8AAF6B0:01C2D358]
Return-Path: webmaster@uk.pas.com

------=_NextPart_000_004C_01C2D358.B88BFD00
Content-Type: text/plain;
charset=&quot;iso-8859-1&quot;
Content-Transfer-Encoding: 7bit

------=_NextPart_000_004C_01C2D358.B88BFD00
Content-Type: text/html;
charset=&quot;iso-8859-1&quot;
Content-Transfer-Encoding: quoted-printable


------=_NextPart_000_004C_01C2D358.B88BFD00--

 

[yizhar]

HI.

You can solve such issues at the application/OS level.
Go to the IIS server, and configure the SMTP server to send emails to your internal domain using the specific internal IP address of your mail server, instead of using DNS.

If this does not help, please describe in more details your DNS network configuration.
You can also solve this by tweaking your internal DNS server.

Bye
Yizhar Hurwitz

http://come.to/yizhar

http://teachers.sivan.co.il/yizhar

 

[Dyehouse1]

sorted - many thanks Yizhar.

Inside the Virtual SMTP you can set a smart server - setting this to the internal mail server allowed it to do the hard work not the IIS server.

 

[haknwak]

Dyehouse1 - Wake Up Call!!
I have to say - you have come very close to giving away the keys to your kingdom here. You took the time to mask part of your IP which is good. BUT you gave a fairly easy range or 100 networks to scan. Given that along with your access-lists showing what services are running on which addresses, it would be a simple task to run a couple scans and identify your exact network.

First off you have told us that your public address is in the 212.240.1XX.0 /17 (a measly 100 networks to scan)network, your firewall outside address is .18, your mail server is .23 and you have FTP running at .19, and web services on .20 and .22.

By scanning 500 addresses -
(212.240.100-199.18, .19, .20, .22, .23,)
your devices could easily be located. Not to mention the process of deduction is made easier because you told us that there will (likely be) only be 1 network where there is a firewall, mail, ftp and web services running on the given addresses.

One could run nmap, or other port scanner, for a few hours and come up with the right combination to locate you precisely.

You are in the UK and probably represent a food service company or a corporate/govt entity large enough to warrant electronic food order and processing.

Your two passwords are identical aqUd5fpvTbYGCrNf (this can be reverse engineered into clear text easily.)

The name of your firewall is mailgate

Your domain name (or part of it) is pas.com.

You may have given us hints as to your company's work by your name dyehouse1

Please don't be insulted - I just want to show people how easy it would be for a cracker to deduce information from a discussion board such as this. I may have been wrong on some parts, but a determined cracker would easily come up with your devices and find a way in.

I won't go into the cracker's ability to make a rudimentary but accurate drawing of your inside network complete with addresses and services. We know your static mappings and the services running on them. I could, fairly quickly, produce an accurate drawing of your internal network as it pertains to your firewall.

At least limit them to a full class B by masking all three digits of your network - I prefer to mask all three leading octets - but that's just me.

And if you purposely modified your address space, masks, domain name and password info here, kudos to you.

Please take care to protect yourself!!

Remember that Tek-Tips claims to be the largest technical discussion board on the net and not everyone who visits here will be &quot;good guys&quot;!!
&quot;If you lived here, you'd be home by now!&quot;

George Carlin

 

[Dyehouse1]

OK just to blow you out the water:

The addresses you mention are wrong.
My company has NOTHING to do with food.
My domain name is not what you gussed at.

As far as hackers go - anyone can find out a mailserver address using nslookup or mail headers. As for FTP and

http://WWW they

are obvious domain names. External admin on the firewall is disabled. So unless someone from inside the company is gonna hack me (and they would have to do that from my PC) then I think I am pretty safe thanks for your concern but I am not stupid.

PS. Just in case you were concerned about my internal users my office door is locked whenever I leave it so they would have to be a locksmith as well as a master hacker.

 

[haknwak]

Dyehouse1 - I guess you DID take it personal - that was not the intention. Sorry for that even though, as I said, it was not the intention.

&quot;If you lived here, you'd be home by now!&quot;

George Carlin