SMTP mail stuck in Exchange queue with Netscreen 5XP Firewall / VPN Appliance
Posted on 2004-04-11
My office has a Windows 2003 Server network as a test platform. I run
Exchange Server 2003 on my Windows 2003 server. I am connected to
Sympatico's 3Mb ADSL service (dynamic IP), and I have a utility on the
server (SmartPop2Exchange) that pulls my e-mail off Sympatico every 15
minutes to my Exchange server. When I had my Netopia R910 router/firewall
installed, this configuration worked flawlessly. I have since installed a
Netscreen 5XP firewall / VPN appliance, and I cannot send any e-mail out. Incoming e-mail is
working fine, but outgoing SMTP e-mail is backing up in the queue.
In System Manager, I turned on Advanced Logging for MS ExchangeTransport.
The error I get in the Event Viewer (and there are MANY of these errors) is:
Message delivery to the host '126.96.36.199' failed while delivering to the
remote domain 'nootkaisland.com' for the following reason: The connection
was dropped by the remote host.
The NDR returned by the Exchange server is:
This message was rejected due to the current administrative policy by the destination server. Please retry at a later time. If that fails, contact your system administrator.
If I look at the status row in System Manager while in the Queue folder with
one of the stuck e-mails, it indicates that the e-mail was rejected by the
remote host. It is scheduled for retry. Relaying is only enabled for
clients that authenticate to the domain.
All of my e-mail is backing up in the Queue. Every remote host is dropping
the connection, including Sympatico.ca, my ISP. I have an inexpensive
Startech DSL broadband router with the firewall feature disabled. As soon
as I swap out the Netscreen and put the Startech in, the mail queue clears
itself out on the next retry and sends all the backed up e-mail.
For the most part, when I set the Netscreen up, I accepted all the defaults.
The untrusted interface is set to PPPoE and has my Sympatico information.
The trusted interface is set to NAT.
I am using the default Outgoing rule to allow everything out. No additional
outgoing rules have been added. I created three virtual IPs that point to
my server (192.168.2.2), one for SMTP, one for FTP, and one for HTTP. I
created an Incoming rule allowing Outside Any -> Any Virtual IP for the
service SMTP, Outside Any -> Any Virtual IP for the service FTP, and Outside
Any -> Any Virtual IP for the service HTTP. I have HTTP forwarded to the
server for Outlook Web Access and will eventually use SSL after I get the
firewall issue straightened out. I have also created an incoming rule for port 53
and mapped this to my Exchange server.
I thought the problem might be related to the detection page on the
Netscreen configuration for address sweep, sync attack, IP spoof, etc., so I
unchecked all those boxes. This did not change anything.
I can send e-mail to my Yahoo account. It is just SMTP mail getting stuck.
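To see at which step of the SMTP exchange the remote side stops answering (what Exchange logs above as "The connection was dropped by the remote host"), here is an added Python diagnostic that is not part of the original post: it opens a TCP connection to a mail host, reads the banner, sends EHLO and reports the last stage that got a reply. The host names, the `fake_mta` stand-in server and its replies are constructed for offline use and are not real servers.

```python
import socket
import threading
def _read_reply(sock):
    """Read one full SMTP reply; return (code, text), or None if the peer closed."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return None                                   # remote closed the connection
        data += chunk
        last = data.rstrip(b"\r\n").split(b"\r\n")[-1]
        if data.endswith(b"\r\n") and len(last) >= 4 and last[3:4] == b" ":
            return int(last[:3]), data.decode(errors="replace")   # "250 " ends a reply

def probe_smtp(host, port=25, helo="mail.example.test", timeout=10):
    """Walk connect -> banner -> EHLO -> QUIT; 'stage' is the last step attempted."""
    result = {"stage": "connect", "code": None, "ok": False}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return result                                     # TCP handshake never completed
    with sock:
        for stage, cmd in (("banner", b""), ("ehlo", b"EHLO %s\r\n" % helo.encode())):
            result["stage"] = stage
            try:
                sock.sendall(cmd)
                reply = _read_reply(sock)
            except OSError:                               # reset or timeout: treat as a drop
                reply = None
            if reply:
                result["code"] = reply[0]
            if not reply or reply[0] >= 400:              # dropped, or explicitly rejected
                return result
        sock.sendall(b"QUIT\r\n")
        result["ok"] = True
    return result
def fake_mta(drop_after_banner):
    """Constructed stand-in for a remote MTA (offline test aid); returns its local port."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        conn, _ = srv.accept()
        with conn, srv:
            conn.sendall(b"220 mx.example.test ESMTP\r\n")
            if drop_after_banner:
                return                                    # mimics "dropped by the remote host"
            conn.recv(4096)                               # EHLO
            conn.sendall(b"250-mx.example.test\r\n250 SIZE 10240000\r\n")
            conn.recv(4096)                               # QUIT
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run `probe_smtp` against the same remote MX once behind the Netscreen and once behind the Startech router; a session that stops at the `ehlo` stage only behind the Netscreen points at the firewall rather than the remote host.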