Test Email Connectivity

speedingwolf (IS-IT--Management), Jan 23, 2003
Hello,

I'm setting up a lab for our Exchange 2K environment and set up a PIX 525 for access from the Internet to this Exchange server. My configuration is as follows:

PixLab# show static
static (inside,outside) 65.219.x.x 172.16.0.100 netmask 255.255.255.255 0 0

The public IP address is testmail.mycompany.com, and it is mapped to an Exchange 2K server (172.16.0.100) on the inside network.

I allowed the following SMTP traffic to go through:

access-list outside_to_inside line 1 permit tcp any host 65.219.x.x eq smtp (hitcnt=18)

To test the traffic, I go to the Internet and try to connect to the mail server (18 times) using this command:

telnet mail.mycompany.com 25

And this is what I receive:

220 ***********************************************************************************2*************

If I were to do that from behind the firewall, I would get this:

220 mail.mycompany.com ESMTP Server (Microsoft Exchange Internet Mail Service 5.5.2653.13) ready

Please help!

Thanks,
 
That's the normal Mail Guard feature of the PIX. It doesn't necessarily mean mail will not work. You can turn that off by disabling fixup protocol smtp.
 
The PIX enforces the RFC for SMTP; however, Exchange uses ESMTP instead, thus the behaviour you are experiencing. You will need to disable fixup protocol smtp, since Exchange uses extra commands not permitted by the fixup protocol.
 
Thanks everyone for your help.

I modified this in the PIX and it works:

no fixup protocol smtp 25

 
I have another question. If a user is able to do this from anywhere:

telnet mail.mycompany.com 25

does that mean they can use my mail server to relay?

Thanks,
 
That's an Exchange configuration question. The PIX does not care about relaying; it only cares about streams of data...

As long as you have Exchange properly configured to only accept mail for your domains, you're OK.

Jeff
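The two things the thread has been testing by hand with telnet, whether the greeting is being rewritten on the way out (the asterisk banner the original poster saw through Mail Guard) and whether EHLO gets through, plus the relay question Jeff answers above, can be checked in one scripted SMTP session. The following is an added Python example, not code from the original posts or from Cisco or Microsoft. The host names, addresses and the in-process stand-in server are constructed so the example runs offline; point probe() at a real host and port to test a live server. The masked-banner heuristic (greeting text consisting only of asterisks and digits) is an assumption modelled on the banner quoted in the thread, not a documented PIX format.

```python
import socket
import threading

# Constructed greetings for the offline demo (not captured from a real host).
# Through PIX Mail Guard the thread saw the server name replaced by asterisks.
MASKED_BANNER = b"220 " + b"*" * 40 + b"2" + b"*" * 12 + b"\r\n"
REAL_BANNER = b"220 mail.example.test ESMTP Server ready\r\n"


def _readline(f):
    return f.readline().decode("ascii", "replace").rstrip("\r\n")


def _read_reply(f):
    """Read one SMTP reply, following '250-' style continuation lines."""
    lines = []
    while True:
        line = _readline(f)
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return lines


def _send(f, sock, cmd):
    sock.sendall(cmd.encode("ascii") + b"\r\n")
    return _read_reply(f)


def banner_is_masked(banner):
    """Assumed heuristic: if the text after the 220 code is nothing but
    asterisks and digits, something between us and the server rewrote it."""
    body = banner[4:].strip()
    return bool(body) and all(c == "*" or c.isdigit() for c in body)


def probe(host, port=25, helo_name="probe.example.test",
          sender="probe@attacker.example.test",
          rcpt="victim@otherdomain.example.test"):
    """Banner, EHLO and relay check against host:port. Sender and recipient
    (hypothetical names) are both foreign to the target, so a 2xx on RCPT TO
    means the server is willing to relay for anyone. DATA is never sent, so
    nothing is delivered."""
    result = {}
    with socket.create_connection((host, port), timeout=10) as s:
        f = s.makefile("rb")
        banner = _read_reply(f)[0]
        result["banner"] = banner
        result["banner_masked"] = banner_is_masked(banner)
        ehlo = _send(f, s, "EHLO " + helo_name)
        result["esmtp"] = ehlo[0].startswith("250")
        if not result["esmtp"]:          # ESMTP refused: fall back to HELO
            _send(f, s, "HELO " + helo_name)
        _send(f, s, "MAIL FROM:<%s>" % sender)
        reply = _send(f, s, "RCPT TO:<%s>" % rcpt)
        result["relay_code"] = reply[0][:3]
        result["open_relay"] = reply[0].startswith("2")
        _send(f, s, "RSET")
        _send(f, s, "QUIT")
    return result


def fake_server(banner, accept_relay, esmtp):
    """Constructed in-process mail server so probe() can run offline.
    Serves exactly one connection and returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn, conn.makefile("rb") as f:
            conn.sendall(banner)
            while True:
                line = _readline(f).upper()
                if not line:
                    break
                if line.startswith("QUIT"):
                    conn.sendall(b"221 Bye\r\n")
                    break
                if line.startswith("EHLO"):
                    conn.sendall(b"250-mail.example.test\r\n250 SIZE 10240000\r\n"
                                 if esmtp else b"500 command unrecognized\r\n")
                elif line.startswith("RCPT"):
                    conn.sendall(b"250 OK\r\n" if accept_relay
                                 else b"550 5.7.1 Unable to relay\r\n")
                else:
                    conn.sendall(b"250 OK\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else fake_server(MASKED_BANNER, False, False)
    print(probe(target, port))
```

Two caveats when reading the result. A server that answers 250 to RCPT TO but rejects at DATA is not an open relay, and this probe stops before DATA, so treat a 2xx here as a reason to look closer rather than as proof. And, as Jeff says above, the firewall passing port 25 tells you nothing about relaying either way; that is decided entirely by the Exchange relay restrictions.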
 
Hi.

> no fixup protocol smtp 25
I have setup a dozen or more scenarios of Exchange server behind a pix firewall, and never had to disable the smtp fixup.
So my suggestion is to keep it active unless you have a specific problem.

In addition, it is best to set up a mail relay server that will receive incoming email and then forward it to your Exchange server. That way you can scan and filter viruses (and maybe spam also) at the mail relay before they get to your Exchange server, and you minimize exposure of your server to the Internet.
(But you must also have anti-virus on E2K itself.)

Many different devices/software can act as a mail relay. Most anti-virus products have a specific SMTP gateway module bundled with their enterprise suite.

Yizhar Hurwitz
 
Thanks for the explanations everyone. On the same topic, I am trying to understand the logic behind an Exchange server in the DMZ. Yizhar, what about VPN issues that I might be missing?

Our current setup is OWA and bridgehead inside the 10.0.0.0 network; all remote site-to-site VPNs connect to the 10.0.0.0 network. Their Exchange 5.5 bridgehead servers point to our Exchange SMTP bridgehead server via the tunnel. This server is OWA as well. On the Internet, mail.mycompany.com is mapped to another server inside our 10.0.0.0 network; this server runs Trend Virus Wall. In this configuration, it scans all mail, then forwards it to the bridgehead host inside that I described above. So, the logic is: mail from the Internet goes to the AV scanner, the AV scanner scans and forwards all SMTP inside and outside traffic to the bridgehead inside, and the bridgehead inside distributes it to the other servers.

Our future setup:

we're planning to put a front-end server in the DMZ, have all mail scanned with AV there, and have it act as OWA and forward all requests to the back-end server.

From the remote site's bridgehead's point of view, how does it know where to forward its requests? It goes to the OWA and bridgehead inside. Now it needs to go to the DMZ.

So, all I need is to configure the IP of the remote server to point to the DMZ front end.

Does this make any sense? I'm confused.
 
I think I understand the logic now. I need to allow remote sites to have access to the DMZ network of the 10.0.0.0 network. Then from the Exchange 5.5 bridgehead server, tell them to connect to the front-end server IP address.
 