Solved

SMTP mail stuck in Exchange queue with Netscreen 5XP Firewall / VPN Appliance

Posted on 2004-04-11
Last Modified: 2013-11-16
My office has a Windows 2003 Server network as a test platform.  I run
Exchange Server 2003 on my Windows 2003 server.  I am connected to
Sympatico's 3Mb ADSL service (dynamic IP), and I have a utility on the
server (SmartPop2Exchange) that pulls my e-mail off Sympatico every 15
minutes to my Exchange server.  When I had my Netopia R910 router/firewall
installed, this configuration worked flawlessly.  I have since installed a
Netscreen 5XP firewall / VPN appliance, and I cannot send any e-mail out.  Incoming e-mail is
working fine, but outgoing SMTP e-mail is backing up in the queue.

In System Manager, I turned on Advanced Logging for MS ExchangeTransport.
The error I get in the Event Viewer (and there are MANY of these errors) is:

Error 4006
Message delivery to the host '209.226.175.63' failed while delivering to the
remote domain  'nootkaisland.com' for the following reason: The connection
was dropped by the remote host.

The NDR returned by the Exchange server is:
This message was rejected due to the current administrative policy by the destination server. Please retry at a later time. If that fails, contact your system administrator.
<lucky.skunkwerkz.local #4.3.2>

If I look at the status row in System Manager while in the Queue folder with
one of the stuck e-mails, it indicates that the e-mail was rejected by the
remote host.  It is scheduled for retry.  Relaying is only enabled for
clients that authenticate to the domain.

All of my e-mail is backing up in the Queue.  Every remote host is dropping
the connection, including Sympatico.ca, my ISP.  I have an inexpensive
Startech DSL broadband router with the firewall feature disabled.  As soon
as I swap out the Netscreen and put the Startech in, the mail queue clears
itself out on the next retry and sends all the backed up e-mail.

For the most part, when I set the Netscreen up, I accepted all the defaults.
The untrusted interface is set to PPPoE and has my Sympatico information.
The trusted interface is set to NAT.

I am using the default Outgoing rule to allow everything out.  No additional
outgoing rules have been added.  I created three virtual IPs that point to
my server (192.168.2.2), one for SMTP, one for FTP, and one for HTTP.  I
created an Incoming rule allowing Outside Any -> Any Virtual IP for the
service SMTP, Outside Any -> Any Virtual IP for the service FTP, and Outside
Any -> Any Virtual IP for the service HTTP.  I have HTTP forwarded to the
server for Outlook Web Access and will eventually use SSL after I get the
firewall issue straightened out.  I have also created an incoming rule for port 53
and mapped this to my Exchange server.

I thought the problem might be related to the detection page on the
Netscreen configuration for address sweep, sync attack, IP spoof, etc., so I
unchecked all those boxes.  This did not change anything.

I can send e-mail to my Yahoo account.  It is just SMTP mail getting stuck.

Any ideas?
Question by:meesha
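Added example, not part of the original question: a small triage script that parses the MSExchangeTransport Event ID 4006 text and the NDR enhanced status code quoted above. It checks whether many unrelated remote hosts all fail the same way (which points at the local firewall/NAT path rather than at the remotes) and whether the NDR code is transient (4.x.x, so Exchange keeps retrying). The hosts and domains in the sample events are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample events, modelled on the MSExchangeTransport Event ID 4006
# text quoted in the question. Hosts and domains are made-up placeholders.
SAMPLE_EVENTS = [
    "Message delivery to the host '203.0.113.10' failed while delivering to the "
    "remote domain 'example.com' for the following reason: The connection was dropped by the remote host.",
    "Message delivery to the host '203.0.113.20' failed while delivering to the "
    "remote domain 'example.net' for the following reason: The connection was dropped by the remote host.",
    "Message delivery to the host '203.0.113.30' failed while delivering to the "
    "remote domain 'example.org' for the following reason: The connection was dropped by the remote host.",
]

EVENT_RE = re.compile(
    r"Message delivery to the host '(?P<host>[^']+)' failed while delivering to the "
    r"remote domain '(?P<domain>[^']+)' for the following reason: (?P<reason>.+?)\.?$"
)
# Enhanced status code as it appears at the end of an NDR, e.g. "<mailhost #4.3.2>".
NDR_RE = re.compile(r"<[^#>]+#(?P<code>[45]\.\d+\.\d+)>")

def parse_event(text):
    """Return host/domain/reason from one Event 4006 body, or None if it does not match."""
    m = EVENT_RE.search(text)
    return m.groupdict() if m else None

def ndr_status(ndr_text):
    """Classify the NDR enhanced status code: 4.x.x is transient (retried), 5.x.x is permanent."""
    m = NDR_RE.search(ndr_text)
    if not m:
        return None
    code = m.group("code")
    return {"code": code, "transient": code.startswith("4.")}

def triage(events):
    """Summarise failures across hosts. Several different hosts all failing with
    the same reason points at the local path (firewall/NAT), not at the remotes."""
    parsed = [p for p in map(parse_event, events) if p]
    hosts = {p["host"] for p in parsed}
    reasons = Counter(p["reason"] for p in parsed)
    return {
        "events": len(parsed),
        "distinct_hosts": len(hosts),
        "reasons": dict(reasons),
        "local_path_suspected": len(hosts) >= 2 and len(reasons) == 1,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
    print(ndr_status("<lucky.skunkwerkz.local #4.3.2>"))
```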
LVL 20

Expert Comment

by:What90
ID: 10803157
You need to allow resolution DNS traffic to/from the Exchange Box or your DNS server.
Exchange SMTP server does name lookups by itself (by default) unless you point it to your DNS box.


Add in that rule on the Netscreen  and see if it works.
 

Author Comment

by:meesha
ID: 10803214
I have a rule to allow anything from the trusted side out to the untrusted side.  To be on the safe side, I also made a rule specifically for DNS and SMTP, but this did not correct the problem.  I am using POP to pull the mail in.  Forwarders are valid in DNS properties for Server 2003.  TCP/IP stack had primary DNS pointing to the server, 192.168.2.2.  On a longshot, I configured the DNS properties of the virtual SMTP server to match the DNS forwarders but that made no difference.  Thanks for your suggestions.
 
LVL 20

Expert Comment

by:What90
ID: 10803343
Try doing an nslookup from the Exchange box and see if it works and can resolve the names. Or have you set up reverse DNS lookups on the Exchange server to verify emails?

Author Comment

by:meesha
ID: 10803361
Yes it can.  I can also telnet into my ISP's SMTP server.

There is nothing wrong with the Exchange box.  If I swap out the Netscreen 5XP and put in my Netopia R910 router or my cheap Startech Broadband router, everything works fine.  The problem is within the Netscreen appliance.
 
LVL 20

Expert Comment

by:What90
ID: 10803512
Have you checked the Netscreen logs to see what's being blocked - it may give you some more pointers on what to change.
 

Author Comment

by:meesha
ID: 10804270
The logs do not show anything blocked.  The remote server is dropping the connection.  I thought maybe it might be something with the address translation or the way the Netscreen is doing the stateful packet inspection.
 

Author Comment

by:meesha
ID: 10911506
I would like to thank everyone for their suggestions, but the solution to the problem was to update the operating system from 3.x on the Netscreen 5XP to v5.0r4.  This immediately corrected the problem without any further intervention on my part.

I am asking to withdraw this question.
 

Accepted Solution

by:
modulo earned 0 total points
ID: 12803038
PAQed with points refunded (500)

modulo
Community Support Moderator