I have an exchange server inside my network. On that server is a message filtering package called Praetor. It intercepts all email inbound and outbound and filters it according to rules that I can configure.
I want to put that program on another server, but the PIX seems to be stopping it (at least that's what their tech support tells me.)
I am able to telnet to port 25 of the new server and Praetor says that it's listening, but no emails are being processed there.
The PIX has a static command mapping the email server's internal addy to an external one. It also has an access list allowing smtp traffic to the external address. Those are the only two instances of the external address I can find.
The config is five pages long, so I'm going to just try to post the pertinent parts here:
PIX Version 5.3(1)
fixup protocol smtp 25
access-list outside permit tcp any host 1.2.3.15 eq pop3
access-list outside permit tcp any host 1.2.3.15 eq smtp
ip address outside 1.2.3.25 255.255.255.240
ip address inside 192.168.1.1 255.255.255.0
global (outside) 1 1.2.3.21-1.2.3.23 netmask 255.255.255.240
global (outside) 1 1.2.3.24 netmask 255.255.255.240
global (dmz1) 1 172.16.1.129-172.16.1.254 netmask 255.255.255.0
global (dmz2) 1 172.16.2.129-172.16.2.254 netmask 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz1) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz2) 1 0.0.0.0 0.0.0.0 0 0
static (inside,dmz1) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
static (inside,dmz2) 192.168.0.0 192.168.0.0 netmask 255.255.0.0 0 0
static (dmz2,dmz1) 172.16.2.0 172.16.2.0 netmask 255.255.255.0 0 0
static (inside,outside) 1.2.3.15 192.168.1.3 netmask 255.255.255.255 0 0
[the above statement maps our external addy to our internal addy for exchange]
access-group outside in interface outside
access-group inside in interface inside
access-group acl_dmz1 in interface dmz1
access-group dmz2 in interface dmz2
route outside 0.0.0.0 0.0.0.0 1.2.3.13 1
route inside 10.0.0.0 255.0.0.0 1.2.3.13 1
route inside 192.168.0.0 255.255.0.0 192.168.1.14 1
I was told that I needed to install the filtering software on the new server, copy over the config files (to keep filtering rules), stop the filtering services on the exchange server, and when I started them on the new server it would take over. But when I do that, no mail is hitting the new filtering server.
I can look at the folders that process messages, and there are NO messages to them at all. The filtering service is listening to port 25 on the new server.
Tech support says that the PIX must be mis-routing emails, since the filter is never even seeing them. They swear that it is OK to leave it installed on the exchange server, that stopping it will allow another server to take over.
I tried changing the static (inside,outside) command to map our external address to the new filtering server (192.168.1.20) instead, but still nothing happened.
TIA
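An added example, not part of the original post: a small checker that reads the three statement types in the pasted config that decide where inbound port 25 lands (the static, the outside access-list, and the access-group binding) and reports which inside host receives SMTP sent to 1.2.3.15, before and after re-pointing the static to 192.168.1.20 as the poster tried. The config text is a constructed copy of the pertinent lines above; the function and regex names are my own.

```python
import re

# Pertinent lines from the post, embedded here as constructed sample input.
PIX_CONFIG = """\
fixup protocol smtp 25
access-list outside permit tcp any host 1.2.3.15 eq pop3
access-list outside permit tcp any host 1.2.3.15 eq smtp
static (inside,outside) 1.2.3.15 192.168.1.3 netmask 255.255.255.255 0 0
access-group outside in interface outside
"""

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) permit tcp any host (\S+) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)")


def parse(config):
    """Collect the statics, outside-style ACL entries and interface bindings."""
    statics, acls, bound = [], set(), {}
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            # static (high,low) GLOBAL LOCAL: GLOBAL on `low` is translated to LOCAL on `high`
            statics.append((m.group(1), m.group(2), m.group(3), m.group(4)))
            continue
        m = ACL_RE.match(line)
        if m:
            acls.add((m.group(1), m.group(2), m.group(3)))
            continue
        m = GROUP_RE.match(line)
        if m:
            bound[m.group(2)] = m.group(1)
    return statics, acls, bound


def inbound_target(config, global_addr, service):
    """Inside host that receives `service` sent to `global_addr` from outside, or why nothing does."""
    statics, acls, bound = parse(config)
    local_hosts = [local for high, low, glob, local in statics
                   if (high, low) == ("inside", "outside") and glob == global_addr]
    if not local_hosts:
        return None, "no static (inside,outside) for " + global_addr
    acl = bound.get("outside")
    if acl is None:
        return None, "no access-group applied to the outside interface"
    # On PIX 5.x the outside ACL is written against the GLOBAL (pre-translation) address
    if (acl, global_addr, service) not in acls:
        return None, "%s does not permit %s to %s" % (acl, service, global_addr)
    return local_hosts[0], "ok"


def repoint_static(config, global_addr, new_local):
    """Rewrite the static so `global_addr` maps to `new_local`, as the poster tried."""
    pattern = r"(static \(inside,outside\) %s) \S+" % re.escape(global_addr)
    return re.sub(pattern, r"\1 " + new_local, config)
```

A pass here only proves the config text: a PIX keeps existing translation slots until `clear xlate`, so a static changed on a running box can keep delivering port 25 to the old host until the slot is cleared. The check also covers only the outside-to-inside hop; mail that Exchange itself originates never crosses that path, so it reaches a separate filtering host only if Exchange relays to it.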