Solved

SMTP mail stuck in Exchange queue with Netscreen 5XP Firewall / VPN Appliance

Posted on 2004-04-11
Last Modified: 2013-11-16
My office has a Windows 2003 Server network as a test platform. I run Exchange Server 2003 on my Windows 2003 server. I am connected to Sympatico's 3Mb ADSL service (dynamic IP), and I have a utility on the server (SmartPop2Exchange) that pulls my e-mail off Sympatico every 15 minutes to my Exchange server. When I had my Netopia R910 router/firewall installed, this configuration worked flawlessly. I have since installed a Netscreen 5XP firewall / VPN appliance, and I cannot send any e-mail out. Incoming e-mail is working fine, but outgoing SMTP e-mail is backing up in the queue.

In System Manager, I turned on Advanced Logging for MS ExchangeTransport. The error I get in the Event Viewer (and there are MANY of these errors) is:

Error 4006
Message delivery to the host '209.226.175.63' failed while delivering to the remote domain 'nootkaisland.com' for the following reason: The connection was dropped by the remote host.

The NDR returned by the Exchange server is:
This message was rejected due to the current administrative policy by the destination server. Please retry at a later time. If that fails, contact your system administrator.
<lucky.skunkwerkz.local #4.3.2>

If I look at the status row in System Manager while in the Queue folder with one of the stuck e-mails, it indicates that the e-mail was rejected by the remote host. It is scheduled for retry. Relaying is only enabled for clients that authenticate to the domain.

All of my e-mail is backing up in the Queue. Every remote host is dropping the connection, including Sympatico.ca, my ISP. I have an inexpensive Startech DSL broadband router with the firewall feature disabled. As soon as I swap out the Netscreen and put the Startech in, the mail queue clears itself out on the next retry and sends all the backed up e-mail.

For the most part, when I set the Netscreen up, I accepted all the defaults. The untrusted interface is set to PPPoE and has my Sympatico information. The trusted interface is set to NAT.

I am using the default Outgoing rule to allow everything out. No additional outgoing rules have been added. I created three virtual IPs that point to my server (192.168.2.2), one for SMTP, one for FTP, and one for HTTP. I created an Incoming rule allowing Outside Any -> Any Virtual IP for the service SMTP, Outside Any -> Any Virtual IP for the service FTP, and Outside Any -> Any Virtual IP for the service HTTP. I have HTTP forwarded to the server for Outlook Web Access and will eventually use SSL after I get the firewall issue straightened out. I have also created an incoming rule for port 53 and mapped this to my Exchange server.

I thought the problem might be related to the detection page on the Netscreen configuration for address sweep, sync attack, IP spoof, etc., so I unchecked all those boxes. This did not change anything.

I can send e-mail to my Yahoo account.  It is just SMTP mail getting stuck.

Any ideas?
Question by meesha
Expert Comment by What90:
You need to allow DNS resolution traffic to/from the Exchange box or your DNS server. The Exchange SMTP server does name lookups by itself (by default) unless you point it to your DNS box.

Add in that rule on the Netscreen and see if it works.

Author Comment by meesha:
I have a rule to allow anything from the trusted side out to the untrusted side. To be on the safe side, I also made a rule specifically for DNS and SMTP, but this did not correct the problem. I am using POP to pull the mail in. Forwarders are valid in DNS properties for Server 2003. TCP/IP stack had primary DNS pointing to the server, 192.168.2.2. On a longshot, I configured the DNS properties of the virtual SMTP server to match the DNS forwarders but that made no difference. Thanks for your suggestions.

Expert Comment by What90:
Try doing an nslookup from the Exchange box and see if it works and can resolve the names. Or have you set up reverse DNS lookups on the Exchange server to verify emails?

Author Comment by meesha:
Yes it can. I can also telnet into my ISP's SMTP server.

There is nothing wrong with the Exchange box. If I swap out the Netscreen 5XP and put in my Netopia R910 router or my cheap Startech Broadband router, everything works fine. The problem is within the Netscreen appliance.
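As an added example (not code from this thread), a small Python probe that automates the two checks discussed above, What90's DNS lookup hint and meesha's telnet to the ISP's SMTP server, and tells apart the outcomes a firewall between Exchange and the internet can produce: a normal 220 banner, a 4xx or 5xx greeting, a refused connection, a name that does not resolve, or a TCP session that opens and is then dropped before any banner arrives, which is what the Event 4006 entries describe. The default host name is a placeholder.

```python
import socket

# Outcome categories for one outbound SMTP probe.
OK = "ok"                          # 2xx greeting, the path is clean
TEMP_FAIL = "temporary-failure"    # 4xx greeting from the remote side
PERM_FAIL = "permanent-failure"    # 5xx greeting from the remote side
DROPPED = "dropped-before-banner"  # TCP opened, then reset/closed/timed out
NO_ROUTE = "no-tcp-connection"     # connection refused on port 25
DNS_FAIL = "dns-failure"           # name did not resolve


def classify(banner, error=None):
    """Map what the remote side did into one category.

    banner: first line received (str), or None if nothing arrived.
    error:  the OSError raised while connecting/reading, or None.
    """
    if banner is None and error is not None:
        if isinstance(error, socket.gaierror):
            return DNS_FAIL
        if isinstance(error, ConnectionRefusedError):
            return NO_ROUTE
        return DROPPED          # reset, timeout or EOF before any greeting
    if not banner or not banner[:3].isdigit():
        return DROPPED          # empty or non-SMTP data: something mangled it
    return {"2": OK, "4": TEMP_FAIL, "5": PERM_FAIL}.get(banner[0], DROPPED)


def probe_smtp(host, port=25, timeout=10):
    """Connect, wait for the greeting, then QUIT. Returns (category, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = s.recv(512).decode("ascii", "replace").strip() or None
            if banner:
                s.sendall(b"QUIT\r\n")
            return classify(banner), banner
    except OSError as e:        # covers timeout, reset, refused, gaierror
        return classify(None, e), repr(e)


if __name__ == "__main__":
    import sys
    # Hosts to test come from the command line; the default is a placeholder.
    for target in sys.argv[1:] or ["smtp.isp.example"]:
        print(target, *probe_smtp(target))
```

Run it from the Exchange box once with the firewall in place and once with the other router; a result of dropped-before-banner only behind the Netscreen points at the appliance rather than at Exchange or DNS.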

Expert Comment by What90:
Have you checked the Netscreen logs to see what's being blocked - it may give you some more pointers on what to change.

Author Comment by meesha:
The logs do not show anything blocked. The remote server is dropping the connection. I thought maybe it might be something with the address translation or the way the Netscreen is doing the stateful packet inspection.

Author Comment by meesha:
I would like to thank everyone for their suggestions, but the solution to the problem was to update the operating system from 3.x on the Netscreen 5XP to v5.0r4. This immediately corrected the problem without any further intervention on my part.

I am asking to withdraw this question.

Accepted Solution by modulo (Community Support Moderator, earned 0 total points):
PAQed with points refunded (500)