meesha asked:
SMTP mail stuck in Exchange queue with Netscreen 5XP Firewall / VPN Appliance

My office has a Windows 2003 Server network as a test platform. I run Exchange Server 2003 on my Windows 2003 server. I am connected to Sympatico's 3Mb ADSL service (dynamic IP), and I have a utility on the server (SmartPop2Exchange) that pulls my e-mail off Sympatico every 15 minutes to my Exchange server. When I had my Netopia R910 router/firewall installed, this configuration worked flawlessly. I have since installed a Netscreen 5XP firewall / VPN appliance, and I cannot send any e-mail out. Incoming e-mail is working fine, but outgoing SMTP e-mail is backing up in the queue.

In System Manager, I turned on Advanced Logging for MS ExchangeTransport.
The error I get in the Event Viewer (and there are MANY of these errors) is:

Error 4006
Message delivery to the host '209.226.175.63' failed while delivering to the
remote domain  'nootkaisland.com' for the following reason: The connection
was dropped by the remote host.

The NDR returned by the Exchange server is:
This message was rejected due to the current administrative policy by the destination server. Please retry at a later time. If that fails, contact your system administrator.
<lucky.skunkwerkz.local #4.3.2>

If I look at the status row in System Manager while in the Queue folder with one of the stuck e-mails, it indicates that the e-mail was rejected by the remote host. It is scheduled for retry. Relaying is only enabled for clients that authenticate to the domain.

All of my e-mail is backing up in the Queue. Every remote host is dropping the connection, including Sympatico.ca, my ISP. I have an inexpensive Startech DSL broadband router with the firewall feature disabled. As soon as I swap out the Netscreen and put the Startech in, the mail queue clears itself out on the next retry and sends all the backed up e-mail.

For the most part, when I set the Netscreen up, I accepted all the defaults.
The untrusted interface is set to PPPoE and has my Sympatico information.
The trusted interface is set to NAT.

I am using the default Outgoing rule to allow everything out. No additional outgoing rules have been added. I created three virtual IPs that point to my server (192.168.2.2), one for SMTP, one for FTP, and one for HTTP. I created an Incoming rule allowing Outside Any -> Any Virtual IP for the service SMTP, Outside Any -> Any Virtual IP for the service FTP, and Outside Any -> Any Virtual IP for the service HTTP. I have HTTP forwarded to the server for Outlook Web Access and will eventually use SSL after I get the firewall issue straightened out. I have also created an incoming rule for port 53 and mapped this to my Exchange server.

I thought the problem might be related to the detection page on the Netscreen configuration for address sweep, SYN attack, IP spoof, etc., so I unchecked all those boxes. This did not change anything.

I can send e-mail to my Yahoo account.  It is just SMTP mail getting stuck.

Any ideas?
What90:
You need to allow DNS resolution traffic to/from the Exchange box or your DNS server. The Exchange SMTP server does name lookups by itself (by default) unless you point it to your DNS box.

Add in that rule on the Netscreen and see if it works.
meesha (ASKER):
I have a rule to allow anything from the trusted side out to the untrusted side. To be on the safe side, I also made a rule specifically for DNS and SMTP, but this did not correct the problem. I am using POP to pull the mail in. Forwarders are valid in DNS properties for Server 2003. TCP/IP stack had primary DNS pointing to the server, 192.168.2.2. On a longshot, I configured the DNS properties of the virtual SMTP server to match the DNS forwarders but that made no difference. Thanks for your suggestions.

Try doing an nslookup from the Exchange box and see if it works and can resolve the names. Or have you set up reverse DNS lookups on the Exchange server to verify e-mails?
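The two checks suggested in this thread (can the Exchange box resolve the remote domain, and can it open a plain TCP connection to port 25) can be scripted so that a failure is attributed to the right stage: DNS blocked by the firewall versus the remote host dropping the SMTP connection. The script below is an added example and is not code from this thread or from Netscreen or Microsoft. It builds a raw DNS MX query, parses the reply (including compressed names), then attempts the SMTP connection. The resolver address, the domain and the embedded sample DNS reply are constructed placeholders.

```python
import random
import socket
import struct

def build_mx_query(domain, txid=None):
    """Build a DNS query packet (recursion desired) for the MX record of `domain`."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # QDCOUNT=1, RD=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in domain.rstrip(".").split(".")) + b"\x00"
    return txid, header + qname + struct.pack("!HH", 15, 1)  # QTYPE=MX, QCLASS=IN

def _read_name(msg, offset):
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset

def parse_mx_response(msg, expected_txid):
    """Return a sorted list of (preference, exchange) from a DNS reply, or raise."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("DNS error, RCODE=%d" % (flags & 0x000F))
    offset = 12
    for _ in range(qdcount):          # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    records = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 15:               # MX: 16-bit preference, then exchange name
            pref = struct.unpack("!H", msg[offset:offset + 2])[0]
            exchange, _ = _read_name(msg, offset + 2)
            records.append((pref, exchange))
        offset += rdlen
    return sorted(records)

def lookup_mx(domain, resolver, timeout=3.0):
    """Send the MX query over UDP/53 to `resolver` and parse the reply."""
    txid, query = build_mx_query(domain)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_mx_response(data, txid)

def smtp_port_open(host, timeout=5.0):
    """True if a TCP connection to port 25 on `host` succeeds."""
    try:
        with socket.create_connection((host, 25), timeout=timeout):
            return True
    except OSError:                   # refused, reset, or timed out
        return False

def diagnose(domain, resolver):
    """Report which stage fails: {"stage": "dns" | "smtp" | "ok", "detail": ...}."""
    try:
        mx_records = lookup_mx(domain, resolver)
    except (OSError, ValueError) as exc:
        return {"stage": "dns", "detail": str(exc)}
    if not mx_records:
        return {"stage": "dns", "detail": "no MX records returned"}
    reachable = {host: smtp_port_open(host) for _, host in mx_records}
    stage = "ok" if any(reachable.values()) else "smtp"
    return {"stage": stage, "detail": reachable}

# Constructed sample reply (placeholder domain) used to exercise the parser offline:
# one MX answer "10 mail.example.com" with compression pointers back to the question.
SAMPLE_TXID = 0x1234
SAMPLE_MX_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 15, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 15, 1, 300, 9)
    + struct.pack("!H", 10) + b"\x04mail\xc0\x0c"
)

if __name__ == "__main__":
    # Placeholder values: use the internal DNS server and a real destination domain.
    print(diagnose("example.com", "192.168.2.2"))
```

Run it from the Exchange host itself, with the firewall in place, so the result reflects the same path the SMTP service uses; a "dns" stage points at a missing outbound DNS rule, while "smtp" with all hosts unreachable matches the "connection was dropped by the remote host" symptom above.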
meesha (ASKER):
Yes it can. I can also telnet into my ISP's SMTP server.

There is nothing wrong with the Exchange box. If I swap out the Netscreen 5XP and put in my Netopia R910 router or my cheap Startech Broadband router, everything works fine. The problem is within the Netscreen appliance.

Have you checked the Netscreen logs to see what's being blocked? It may give you some more pointers on what to change.
meesha (ASKER):
The logs do not show anything blocked. The remote server is dropping the connection. I thought maybe it might be something with the address translation or the way the Netscreen is doing the stateful packet inspection.
meesha (ASKER):
I would like to thank everyone for their suggestions, but the solution to the problem was to update the operating system on the Netscreen 5XP from 3.x to v5.0r4. This immediately corrected the problem without any further intervention on my part.

I am asking to withdraw this question.
ASKER CERTIFIED SOLUTION
modulo