Solved

SMTP mail stuck in Exchange queue with Netscreen 5XP Firewall / VPN Appliance

Posted on 2004-04-11 · 9 comments · 320 views
Last Modified: 2013-11-16
My office has a Windows 2003 Server network as a test platform.  I run
Exchange Server 2003 on my Windows 2003 server.  I am connected to
Sympatico's 3Mb ADSL service (dynamic IP), and I have a utility on the
server (SmartPop2Exchange) that pulls my e-mail off Sympatico every 15
minutes to my Exchange server.  When I had my Netopia R910 router/firewall
installed, this configuration worked flawlessly.  I have since installed a
Netscreen 5XP firewall / VPN appliance, and I cannot send any e-mail out.  Incoming e-mail is
working fine, but outgoing SMTP e-mail is backing up in the queue.

In System Manager, I turned on Advanced Logging for MS ExchangeTransport.
The error I get in the Event Viewer (and there are MANY of these errors) is:

Error 4006
Message delivery to the host '209.226.175.63' failed while delivering to the
remote domain  'nootkaisland.com' for the following reason: The connection
was dropped by the remote host.

The NDR returned by the Exchange server is:
This message was rejected due to the current administrative policy by the destination server. Please retry at a later time. If that fails, contact your system administrator.
<lucky.skunkwerkz.local #4.3.2>

If I look at the status row in System Manager while in the Queue folder with
one of the stuck e-mails, it indicates that the e-mail was rejected by the
remote host.  It is scheduled for retry.  Relaying is only enabled for
clients that authenticate to the domain.

All of my e-mail is backing up in the Queue.  Every remote host is dropping
the connection, including Sympatico.ca, my ISP.  I have an inexpensive
Startech DSL broadband router with the firewall feature disabled.  As soon
as I swap out the Netscreen and put the Startech in, the mail queue clears
itself out on the next retry and sends all the backed up e-mail.

For the most part, when I set the Netscreen up, I accepted all the defaults.
The untrusted interface is set to PPPoE and has my Sympatico information.
The trusted interface is set to NAT.

I am using the default Outgoing rule to allow everything out.  No additional
outgoing rules have been added.  I created three virtual IPs that point to
my server (192.168.2.2), one for SMTP, one for FTP, and one for HTTP.  I
created an Incoming rule allowing Outside Any -> Any Virtual IP for the
service SMTP, Outside Any -> Any Virtual IP for the service FTP, and Outside
Any -> Any Virtual IP for the service HTTP.  I have HTTP forwarded to the
server for Outlook Web Access and will eventually use SSL after I get the
firewall issue straightened out.  I have also created an incoming rule for port 53
and mapped this to my Exchange server.

I thought the problem might be related to the detection page on the
Netscreen configuration for address sweep, SYN attack, IP spoof, etc., so I
unchecked all those boxes.  This did not change anything.

I can send e-mail to my Yahoo account.  It is just SMTP mail getting stuck.

Any ideas?
Question by:meesha
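Added example, not part of the original question or any of the replies: a small Python parser for the MSExchangeTransport event 4006 text and the NDR enhanced status code quoted above, applied to a constructed batch of events. It encodes the reasoning the question relies on: several distinct remote hosts all failing with the same "connection dropped" reason points at the sending path (firewall, NAT, DNS) rather than at any one recipient. The sample event lines, addresses, domains and the NDR text are constructed for illustration and are not copied from the thread.

```python
import re
from collections import Counter


# Constructed sample of MSExchangeTransport event 4006 text in the format
# quoted in the question; addresses and domains are documentation ranges,
# not the real hosts from the thread.
SAMPLE_EVENTS = """\
Message delivery to the host '192.0.2.10' failed while delivering to the remote domain 'example.com' for the following reason: The connection was dropped by the remote host.
Message delivery to the host '192.0.2.10' failed while delivering to the remote domain 'example.com' for the following reason: The connection was dropped by the remote host.
Message delivery to the host '198.51.100.25' failed while delivering to the remote domain 'example.net' for the following reason: The connection was dropped by the remote host.
Message delivery to the host '203.0.113.7' failed while delivering to the remote domain 'example.org' for the following reason: The connection was dropped by the remote host.
"""

# Constructed NDR fragment in the shape of the one quoted in the question
# (Exchange appends "<server #x.y.z>" with the enhanced status code).
SAMPLE_NDR = "<mail.example.local #4.3.2>"

EVENT_RE = re.compile(
    r"Message delivery to the host '(?P<host>[^']+)' failed while delivering "
    r"to the remote domain\s+'(?P<domain>[^']+)' for the following reason: "
    r"(?P<reason>.*?)\.?\s*$"
)

# First digit of an enhanced status code: 2 success, 4 transient, 5 permanent.
DSN_RE = re.compile(r"#(?P<cls>[245])\.\d{1,3}\.\d{1,3}")


def parse_events(text):
    """Return one dict (host, domain, reason) per line in the 4006 format."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def classify_dsn(ndr_text):
    """Map the enhanced status code class in an NDR (RFC 3463) to its meaning."""
    m = DSN_RE.search(ndr_text)
    if not m:
        return "unknown"
    return {"2": "success", "4": "transient", "5": "permanent"}[m.group("cls")]


def localise_fault(events):
    """Decide whether the failures point at the sending side or at one peer.

    More than one distinct remote host, all failing with the same reason,
    is the pattern described in the question and points at the local path
    (firewall / NAT / DNS).  A single failing host points at that host.
    """
    if not events:
        return "no-failures"
    hosts = {e["host"] for e in events}
    reasons = Counter(e["reason"] for e in events)
    if len(hosts) > 1 and len(reasons) == 1:
        return "local-path"
    if len(hosts) == 1:
        return "single-remote-host"
    return "mixed"


def summarize(text, ndr_text):
    """Aggregate the 4006 events and the NDR into one diagnostic summary."""
    events = parse_events(text)
    return {
        "events": len(events),
        "hosts": sorted({e["host"] for e in events}),
        "domains": sorted({e["domain"] for e in events}),
        "reasons": Counter(e["reason"] for e in events),
        "dsn": classify_dsn(ndr_text),
        "verdict": localise_fault(events),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENTS, SAMPLE_NDR).items():
        print(f"{key}: {value}")
```

The verdict is a heuristic, not proof: it tells you where to look first (swap the firewall, as the question's author did, or probe port 25 from the mail server), and the 4.x.x class on the NDR confirms Exchange treated the failure as transient and will keep retrying.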
9 Comments
 
LVL 20

Expert Comment

by:What90
ID: 10803157
You need to allow DNS resolution traffic to/from the Exchange box or your DNS server.
The Exchange SMTP server does name lookups by itself (by default) unless you point it to your DNS box.


Add in that rule on the Netscreen  and see if it works.
0
 

Author Comment

by:meesha
ID: 10803214
I have a rule to allow anything from the trusted side out to the untrusted side.  To be on the safe side, I also made a rule specifically for DNS and SMTP, but this did not correct the problem.  I am using POP to pull the mail in.  Forwarders are valid in DNS properties for Server 2003.  TCP/IP stack had primary DNS pointing to the server, 192.168.2.2.  On a longshot, I configured the DNS properties of the virtual SMTP server to match the DNS forwarders but that made no difference.  Thanks for your suggestions.
0
 
LVL 20

Expert Comment

by:What90
ID: 10803343
Try doing an nslookup from the Exchange box and see if it works and can resolve the names. Or have you set up reverse DNS lookups on the Exchange server to verify emails?
0
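Added example, not from the original thread: a Python version of the "telnet to the SMTP server" check suggested in the comment above. It opens port 25 the way Exchange would and classifies what comes back, so "TCP connected, then the peer closed before sending a greeting" (what the stuck queue reported) is told apart from "connection refused", "timed out" and a normal 220 banner. To run offline it starts a constructed one-shot fake mail server on 127.0.0.1 standing in for a remote MX; the hostnames in the banners are made up. The MX lookup step (nslookup) is not included; the probe takes a host and port.

```python
import socket
import threading


def probe_smtp(host, port, timeout=5.0):
    """Connect to host:port, wait for the SMTP greeting, and classify the outcome.

    Returns (status, detail):
      ("banner", greeting)  220 received: the TCP path and the server are fine
      ("rejected", line)    greeting was not 220 (e.g. a 554 policy reply)
      ("dropped", "")       TCP connected, then the peer closed before any greeting
      ("refused", "")       nothing listening (RST to the SYN)
      ("timeout", "")       no SYN-ACK, or no greeting within `timeout`
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(512)
    except ConnectionRefusedError:
        return ("refused", "")
    except socket.timeout:
        return ("timeout", "")
    except OSError:
        # ECONNRESET or similar: the peer tore the session down mid-flight
        return ("dropped", "")
    if not data:
        # Orderly close with nothing sent: "connection dropped by the remote host"
        return ("dropped", "")
    line = data.decode("ascii", "replace").splitlines()[0]
    if line.startswith("220"):
        return ("banner", line)
    return ("rejected", line)


def start_fake_mx(behaviour):
    """Constructed one-shot fake mail server on 127.0.0.1 (stands in for a remote MX).

    behaviour: "banner" (normal greeting), "reject" (554 greeting),
               "drop" (accept, say nothing, close).  Returns the listening port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if behaviour == "banner":
                conn.sendall(b"220 mx.example.test ESMTP ready\r\n")
            elif behaviour == "reject":
                conn.sendall(b"554 mx.example.test policy rejection\r\n")
            # "drop": close without a greeting, as the queue in the question saw
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    """Pick a loopback port with nothing listening, for the refused case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def run_demo():
    """Probe each fake-MX behaviour plus a closed port; returns {name: (status, detail)}."""
    results = {}
    for name in ("banner", "reject", "drop"):
        results[name] = probe_smtp("127.0.0.1", start_fake_mx(name), timeout=3.0)
    results["nothing-listening"] = probe_smtp("127.0.0.1", unused_port(), timeout=3.0)
    return results


if __name__ == "__main__":
    for name, (status, detail) in run_demo().items():
        print(f"{name:18s} -> {status:8s} {detail}")
```

Run the probe from the mail server itself against a real MX (for example `probe_smtp("mx.example.net", 25)`), once with the Netscreen in the path and once with the other router, since the question is whether the device in between changes the outcome; a "dropped" result that appears only behind one device localises the fault to that device rather than to Exchange or the recipients.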

Author Comment

by:meesha
ID: 10803361
Yes it can.  I can also telnet into my ISPs SMTP server.

There is nothing wrong with the Exchange box.  If I swap out the Netscreen 5XP and put in my Netopia R910 router or my cheap Startech Broadband router, everything works fine.  The problem is within the Netscreen appliance.
0
 
LVL 20

Expert Comment

by:What90
ID: 10803512
Have you checked the Netscreen logs to see what's being blocked - it may give you some more pointers on what to change.
0
 

Author Comment

by:meesha
ID: 10804270
The logs do not show anything blocked.  The remote server is dropping the connection.  I thought maybe it might be something with the address translation or the way the Netscreen is doing the stateful packet inspection.
0
 

Author Comment

by:meesha
ID: 10911506
I would like to thank everyone for their suggestions, but the solution to the problem was to update the operating system from 3.x on the Netscreen 5XP to v5.0r4.  This immediately corrected the problem without any further intervention on my part.

I am asking to withdraw this question.
0
 

Accepted Solution

by:
modulo earned 0 total points
ID: 12803038
PAQed with points refunded (500)

modulo
Community Support Moderator
0
