Postfix Mail-Server behind a firewall

I use a Web- and Mail-Server (Apache2 and Postfix) with Suse 8.2 behind a firewall (Cisco 1710 Router with ACL).
My network:

Internet < ---- > Router < ---- > Web-, Mail-Server < ---- > PIX < ---- > Intern
                 |                     |  
            X.X.X.X DMZ network

permit tcp any host X.X.X.X eq www
permit tcp any host X.X.X.X eq smtp

www works fine !

I can send emails from the mail server, but I can't receive emails to addresses user@domain or user@X.X.X.X.
A port scan to X.X.X.X says that the smtp service is not running!!!
I have used the standard configuration (with myorigin, mydomain, mydestination changed).
The MX record was set to the ip-address X.X.X.X.

Does anyone have an idea what's wrong?


Is your router running the firewall feature set, or do you have a PIX firewall as in your diagram? Two very different things.
If no PIX and no firewall feature set (ip inspect), then I would suspect a DNS issue. Where is your MX record?
and882Author Commented:
I use normal ACLs for traffic filtering (no CBAC).

The PIX is the firewall for my internal network and should not be the problem. The DMZ uses a Cisco Router with ACLs as a firewall to the internet and a PIX 501 for the internal network.

ACL on the router allows port 53, DNS works for www.

I can't send a mail to a user on the mail server, e.g. user@ - so DNS is not used (is this correct?)

The router uses NAT:

ip nat inside source static tcp 80 80 <- web
ip nat inside source static tcp 25 25 <- mail

Should I use two different internal IP addresses for mail and web?

The Web and Mail pointing was done by

A record -->
MX record -->

If I try to telnet to the port I get no answer

telnet 25

I think the problem is that the mail service on port 25 is not running on the external (public) router interface. But I don't know what I have done differently from www.

I hope this helps!

Not sure if this makes sense, but IIRC you should make the port 25 traffic 2-way, and you should use 2-way DNS communications on both TCP and UDP. Since it appears your ACL isn't blocking anything out, and you've already opened a static NAT port 25, then all that's left is opening port 53 on TCP and UDP to your server with a couple more "ip nat" commands.

If you ping your mail server's DNS name, does it resolve to  Does the DNS name in your mail server config match the DNS name on the mx record?  If you connect directly to the public-side NIC of the mailserver can you telnet to port 25 and get a response from the mail server?


If you are trying to telnet to the server's public address from inside your LAN, it won't work anyway. You're hitting it before the nat takes place on the router..
Does your inbound access-list have a line that includes
permit tcp any any established?

lrmoore - is that a rough equivalent to stateful filtering?
and882Author Commented:
Yes, this is correct. I also need a DNS for my internal network!

This is my inbound ACL for the router interface connected to the internet (cable modem):

    permit tcp any host eq www (17332 matches)
    permit tcp any host eq smtp (494 matches)
    permit tcp any host established (75020 matches)
    permit udp any eq domain any (1732 matches)


Pro Inside global      Inside local       Outside local      Outside global
tcp      ---                ---
tcp      ---                ---

I do not think this is a DNS problem (not only), because it also does not work with the ip-address in the mail address.

Do I have to change something in the postfix - access file  ?
ShineOn - yes, exactly.

and882 - you have not answered the question as to where you are trying to do your testing from.
Inside, on your LAN, or completely external from elsewhere on the Internet?
Yes, you do need a dns for your internal users that will resolve the MX and the A records to the IP address, else look into the 'alias' command on the pix...
If you change the permit tcp any host 1234 established to permit tcp any any established, does that change anything?  (just for troubleshooting...)
When doing a DMZ with Cisco IOS is it necessary to have an outside ACL to allow access to NATted server(s) - I thought that the IP NAT INSIDE SOURCE command would handle that.  Could it be that the combination is working against each other, like maybe the outside ACL should specify the NATted address instead of the public address?
I have seen it with the outside ACL doing an ANY ANY instead of specifying a host address...
Also, should the IP NAT INSIDE SOURCE statements have "extendable" added, or isn't that necessary here?
and882Author Commented:
I have tried to connect directly in the DMZ network to port 25 --> telnet 25 does not work

telnet 80 works --> there must be something wrong with the postfix or linux configuration (firewall?).

I turned off the firewall of the mail server --> the same --> the smtp service is not running correctly --> postfix status says running

OK, what now?

1. This is not a problem of the ACL - I think so, because I am behind the firewall

2. It is not a problem of the firewall on the web/mail server -- I have disabled the firewall --> nothing happened

3. --> this must be a problem of the smtp server config --> postfix config

Do you agree with that?
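The elimination the poster walks through above (telnet to port 25 from inside the DMZ, rule out the router ACL, rule out the host firewall, then suspect the daemon) hinges on telling three failure modes apart: a connection that is refused (nothing is listening on that address), one that times out (filtered somewhere on the path), and one that connects but never greets. The following is an added example, not code from the thread, that performs that classification and, so it runs offline, spins up a constructed stub listener that greets with a 220 banner the way an MTA would; the hostname in the banner and the helper names are invented for the example.

```python
"""Classify port-25 reachability the way a manual telnet test would.

Added example (not from the original thread). probe_smtp() connects to
host:port and returns one of:
  ("banner",    greeting)  - something answered with an SMTP 220 greeting
  ("no-banner", first line) - connected, but no 220 greeting (wrong service?)
  ("refused",   "")         - TCP RST: nothing is listening on that address,
                              which is what a daemon bound to the wrong
                              interface looks like from the DMZ
  ("timeout",   "")         - no answer at all: ACL, NAT or firewall filtering
  ("error",     message)    - anything else (DNS failure, unreachable, ...)
start_stub_smtp() is a constructed stand-in for an MTA so the probe can be
exercised without a real Postfix.
"""
import socket
import threading

# Constructed greeting; a real Postfix banner is built from smtpd_banner.
STUB_BANNER = b"220 stub.example.com ESMTP (constructed stub, not a real MTA)\r\n"


def start_stub_smtp(host="127.0.0.1"):
    """Listen on an ephemeral loopback port, greet each client with a 220
    banner, then close. Returns (port, stop_function)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    srv.settimeout(0.2)  # lets the accept loop notice the stop flag
    stopped = threading.Event()

    def serve():
        while not stopped.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(2.0)
                conn.sendall(STUB_BANNER)
                try:
                    conn.recv(64)  # wait for QUIT or for the client to hang up
                except OSError:
                    pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stopped.set


def probe_smtp(host, port, timeout=3.0):
    """Connect, read the greeting, send QUIT, and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(512)
            try:
                s.sendall(b"QUIT\r\n")
            except OSError:
                pass
            first_line = data.decode("ascii", "replace").split("\r\n")[0]
            if first_line.startswith("220"):
                return "banner", first_line
            return "no-banner", first_line
    except ConnectionRefusedError:
        return "refused", ""
    except socket.timeout:
        return "timeout", ""
    except OSError as exc:
        return "error", str(exc)


def free_closed_port(host="127.0.0.1"):
    """Reserve and release an ephemeral port so a probe against it is refused."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    port, stop = start_stub_smtp()
    print("stub listener:", probe_smtp("127.0.0.1", port))
    stop()
    print("closed port:  ", probe_smtp("127.0.0.1", free_closed_port(), timeout=1.0))
```

Run against the real server from a host inside the DMZ, "refused" points at the daemon or its bind address, while "timeout" from the Internet side but "banner" from the DMZ points back at the router ACL or NAT; a "timeout" cannot be produced offline, so only the first two outcomes are exercised here.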

Agree with #3. It is not an access-list issue if you can't even do it locally...
Perhaps you can post a pointer question in one of the Linux TA's to get a Linux guru to lend a hand..

and882Author Commented:
Thank you to lrmoore and ShineOn!!!!

I have found the problem: it was a hidden double config line in the main configuration file of postfix. It didn't listen on the correct interface.

So simple, but it took me 2 days.

Thank you for your help!
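The root cause above, a second copy of a parameter further down main.cf, is easy to miss because Postfix keeps only the last definition of a parameter that appears more than once (postconf(5)), so a leftover `inet_interfaces = localhost` near the end of the file quietly overrides an earlier `inet_interfaces = all` and the daemon never binds the DMZ address. Here is an added example, not code from the thread or from Postfix, that parses the main.cf format (name = value, indented continuation lines, `#` comments) and reports every parameter set more than once together with the value that wins; the sample file it scans is constructed for the example and is not the poster's configuration.

```python
"""Find duplicated parameter definitions in a Postfix main.cf.

Added example (not from the original thread). Postfix remembers only the
last instance of a parameter defined several times, so this scanner lists
every parameter with more than one definition and the value that ends up
in effect. The sample below is constructed, not a real configuration.
"""
import re
from collections import defaultdict

ASSIGNMENT = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")

SAMPLE_MAIN_CF = """\
# constructed sample main.cf (not the poster's real file)
myhostname = mail.example.com
mydomain = example.com
myorigin = $mydomain
mydestination = $myhostname, localhost.$mydomain,
    localhost, $mydomain
inet_interfaces = all
smtpd_banner = $myhostname ESMTP

# ... further down, a leftover from an earlier edit:
inet_interfaces = localhost
"""


def parse_main_cf(text):
    """Return [(lineno, name, value), ...] for every logical assignment.

    A line starting with whitespace continues the previous assignment's
    value, as Postfix reads it; blank lines and '#' comments are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and entries:
            ln, name, value = entries[-1]
            entries[-1] = (ln, name, (value + " " + raw.strip()).strip())
            continue
        match = ASSIGNMENT.match(raw)
        if match:
            entries.append((lineno, match.group(1), match.group(2).strip()))
    return entries


def find_duplicates(text):
    """Map name -> [(lineno, value), ...] for parameters defined more than once."""
    seen = defaultdict(list)
    for lineno, name, value in parse_main_cf(text):
        seen[name].append((lineno, value))
    return {name: defs for name, defs in seen.items() if len(defs) > 1}


def effective_value(text, name):
    """The value Postfix would use: the last definition, or None if unset."""
    value = None
    for _, key, val in parse_main_cf(text):
        if key == name:
            value = val
    return value


def report(text):
    """Human-readable summary of duplicated parameters and their winners."""
    lines = []
    for name, defs in find_duplicates(text).items():
        where = ", ".join(f"line {ln}: {val!r}" for ln, val in defs)
        lines.append(f"{name} defined {len(defs)} times ({where}); "
                     f"Postfix uses {defs[-1][1]!r}")
    return lines or ["no duplicated parameters"]


if __name__ == "__main__":
    for line in report(SAMPLE_MAIN_CF):
        print(line)
```

To check a live system, read /etc/postfix/main.cf into `report()`; `postconf inet_interfaces` then confirms which value the running instance actually resolved, and it should agree with `effective_value()`.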
Great news!
Process of elimination.  Glad you got it fixed.