Exchange SMTP Problems

[TheStressFactor]

Hello all,

I have my exchange server up and running. I am currently testing it with one Outlook account that I am using.

When I send an outside email to a yahoo account it stays in the queue. When I send from my yahoo account I receive the following:

209.235.240.9 does not like recipient.
Remote host said: 553 sorry, that domain isn't in my list of allowed
rcpthosts (#5.7.1)
Giving up on 209.235.240.9.


I have no idea what is wrong....can anyone offer insight or info on this problem? It will be greatly appreciated. Thank you.

Pat

 

[TheStressFactor]

Hey Bronto,

Sure...but first I wanted to give you some background info.

I am migrating from a Novell Groupwise server to a Exchange server. When the groupwise server is up internet mail comes in fine. When I turn it off and power the exchange box mail will go out but no in.

Anyways, thought that may give you some insight.

 

[brontosaurus]

OK. Let me tell you what's happening...
Your internal mail server, mail.marinoware.com, is not answering telnet calls, at least when the Novell server is not online. This is causing smtp mailing attempts to default over to the "backup" mail server, mail.inetu.net, which I am assuming is run by your ISP. It's the secondary server that's spitting out that 553 error, not your exchange server. So, I think you may need to check your firewall\router again just to make sure that exchange server is accessible to the internet. I'm assuming your blocking ICMP, 'cause I can't ping it....

 

[TheStressFactor]

Bronto that was an awesome explanation...Ill take a look at the firewall and figure out what the hell is going on.

Patrick

 

[TheStressFactor]

Bronto...would blocking imcp also cause you not to be able to telnet to the mail server from the outside?

 

[brontosaurus]

no, it wouldn't have that affect, but i would look in that direction (telnet, that is).

 

[TheStressFactor]

bronto...what kind of firewall are you running? I am using a pix firewall? If your familiar with it maybe you can take a look to see if I am missing something.

Patrick

 

[brontosaurus]

i've used the PIX. if you want to show me your config, that's fine.

 

[TheStressFactor]

Hey Bronto,

Here it is

PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 intf2 security10
enable password 7DeygvHKjBuxNxrP encrypted
passwd 0fTucaWSYztRT69N encrypted
hostname mypix
domain-name mydomain.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
names
access-list nonat permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list nonat permit ip 192.168.3.0 255.255.255.0 192.168.77.0 255.255.255.0

access-list nonat permit ip 192.168.77.0 255.255.255.0 192.168.3.0 255.255.255.0

access-list split permit ip 192.168.3.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list tunnel permit ip 192.168.3.0 255.255.255.0 192.168.77.0 255.255.255.
0
access-list tunnel permit ip 192.168.77.0 255.255.255.0 192.168.3.0 255.255.255.
0
access-list outside permit tcp any host x.x.x.67 eq smtp
access-list outside permit icmp any any
pager lines 24
interface ethernet0 100basetx
interface ethernet1 100basetx
interface ethernet2 auto shutdown
mtu outside 1500
mtu inside 1500
mtu intf2 1500
ip address outside x.x.x.70 255.255.255.240
ip address inside 192.168.3.1 255.255.255.0
ip address intf2 127.0.0.1 255.255.255.255
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.1.1-10.1.1.50
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.0.0 255.255.255.0 0 0
nat (inside) 1 192.168.1.0 255.255.255.0 0 0
nat (inside) 1 192.168.3.0 255.255.255.0 0 0
nat (inside) 1 192.168.4.0 255.255.255.0 0 0
nat (inside) 1 192.168.5.0 255.255.255.0 0 0
static (inside,outside) tcp x.x.x.67 smtp 192.168.3.2 smtp netmask 255.255.
255.255 0 0
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.65 1
route inside 192.168.0.0 255.255.255.0 192.168.3.6 1
route inside 192.168.1.0 255.255.255.0 192.168.3.6 1
route inside 192.168.4.0 255.255.255.0 192.168.3.6 1
route inside 192.168.5.0 255.255.255.0 192.168.3.6 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si
p 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.3.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set transform esp-3des esp-sha-hmac
crypto ipsec transform-set home esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set home
crypto map testmap 10 ipsec-isakmp
crypto map testmap 10 match address tunnel
crypto map testmap 10 set peer x.x.x.83
crypto map testmap 10 set transform-set transform
crypto map testmap 10 set security-association lifetime seconds 3600 kilobytes 8
192
crypto map testmap 999 ipsec-isakmp dynamic dynmap
crypto map testmap interface outside
crypto map marinohome 10 ipsec-isakmp dynamic dynmap
isakmp enable outside
isakmp key ************ address x.x.x.83 netmask 255.255.255.248
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup marino address-pool ippool
vpngroup marino dns-server 192.168.3.7
vpngroup marino wins-server 192.168.3.7
vpngroup marino default-domain marinoware.com
vpngroup marino split-tunnel split
vpngroup marino idle-time 2000
vpngroup marino password **************
telnet 192.168.3.0 255.255.255.0 inside
telnet timeout 60
ssh timeout 5
terminal width 80

 

[brontosaurus]

just a shot, try this...

take the Novell server offline and clear the arp cache on the PIX. Maybe it's associating the Novell servers MAC address with the internal IP and getting screwed up?

 

[TheStressFactor]

Thanks Bronto...ill give that a shot after hours today and let you know what happens..

 

[JabbaTheNut]

I had a somewhat similar relay problem. I had a front-end IIS web server and a back-end Exchange 2000 server. I had to make the following SMTP virtual server adjustment...

Add a new "remote" domain to your default SMTP virtual server. Name the new remote domain "yourdomain.com" and specify that all mail should be forward to the following Smart Host: "yourexchangebox.yourdomain.com"

There will already be an existing "local" domain in your default SMTP virtual server named "youriisbox.yourdomain.com". Just leave it alone.

Hope this is useful. Game Over, Man!

 

[TheStressFactor]

Jabba thanks for the info(love the name buddy)...however I do not have a front end IIS server...is this worth a shot even if I dont have a front end iis box? also where exactly do I put the entry for the "remote" domain ? Thanks.

Patrick

 

[JabbaTheNut]

Where is your SMTP virtual server? I accessed my SMTP virtual server using the IIS snap-in. I expanded the SMTP virtual server and right clicked on "domain". There was an option to add a new domain to the virtual server. The rest is as described in my previous post.

This may not be viable in your situation. Game Over, Man!

 

[TheStressFactor]

I figured this out all..I added mail.marinoware.com to the smarthost entry under smtp connector and all mail worked fine...