Enabling Mail server access Behind PIX

Posted on 2004-09-19
Last Modified: 2013-11-16
Hello All

I have an ADSL line with a fixed IP address and we have a domain name XXXX.com. I have hosted an Exchange mail server behind a PIX 515E firewall. This mail server collects the mail for the domain.

Everything is working fine and I am also able to send and receive mail between my LAN users and the Internet and vice versa. The problem I started facing is that my users want to check their mail when they are on the move outside. They want to check email with Outlook Express as the mail client, with the incoming and outgoing server configured as "XXXX.com".

They are able to ping the domain from outside, which resolves to the global IP address we have. I can even receive mail in Outlook (when I am on the move), but when I try to send mail to an outside user (if I send mail to an internal user it works fine, which means there is something I need to check on the PIX, I believe) I get an error message which says that relaying is denied through the SMTP server.

What configuration do I need to check in the PIX to enable sending mail from outside to external users?

Can somebody help?

Regards

Samir.
Question by:samprav
7 Comments
 
LVL 8

Accepted Solution

by:
Marakush earned 750 total points
ID: 12095189
samprav,

There is a feature on the Cisco PIX called 'mailhost' or 'mailguard' (depending on version). It prevents the EHLO or AUTH command from reaching the Exchange server. You need to disable it.

Use the command line:

fixup protocol smtp 25

This should enable or disable Mail Guard or mailhost.

Marakush
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12095198
>relaying is denied through the SMTP server
This is the key. There is nothing wrong with your PIX config if you can send/receive email to the world.
This is a function of the Exchange server. It is set up to only accept mail from inside LAN ip's.

You might want to cross-post this question in the Exchange server Topic Area.
0
 
LVL 15

Expert Comment

by:scampgb
ID: 12095244
Hi samprav,

Firstly, you will need to allow port 25 to be forwarded on to your Exchange server. From the above, it sounds like you've done that.

By default, Exchange is configured not to allow SMTP relay (and a jolly good thing it is too).  You need to change that, BUT you must make sure that you require authentication from the clients when you do that.

Otherwise your server will become an open relay, and that's a bad thing.

There's an article at http://www.jsiinc.com/SUBJ/tip4800/rh4881.htm that explains how to PREVENT SMTP relay.
You allow it by following much the same instructions. To summarise it:

Start Exchange System Manager.

Expand the organization_name object, and then expand the Servers node. Expand the server_name object of the server on which you want to ALLOW mail relay, and then expand the Protocols node.

Expand the SMTP node, right-click the virtual SMTP server on which you want to ALLOW mail relay, and then click Properties .

Click the Access tab, and then click Authentication .

Click to select either the Basic Authentication check box, or the Windows security package check box, or both of these check boxes, and then click to clear the Anonymous access check box. When you select the Basic Authentication check box, you need to provide a default user domain. Click OK .

If you click to select the Anonymous access check box and do not select any other check box on this page, all of the users and computers can gain access to the Exchange 2000 SMTP server. This setting disables inbound authentication. **************  THIS IS IMPORTANT **************

If you click to select either the Basic Authentication check box, or the Windows security package check box, or both of these check boxes, and you click to clear the Anonymous access check box, authentication is required to gain access to the Exchange 2000 SMTP server. If the user or computer does not successfully authenticate, the user or computer cannot send mail to the server.

Click Relay .

In the Relay Restriction dialog box, several options are available. The Only the list below option is enabled by default; the list below this option is empty. The Allow all computers which successfully authenticate to relay, regardless of the list above option is also enabled by default, which allows users and computers that can authenticate with the server to relay through the server. This option allows the Exchange 2000 server to relay mail from your internal network clients. Note that if you allow only anonymous access, the server cannot authenticate users or computers.

Click Add . You can allow a single computer, a group of computers, or an entire domain to relay through the server by making the appropriate selection in the Computer dialog box.

Allowing access by IP address or domain name is helpful for users who do not authenticate with the Exchange server (for example, in an Internet service provider [ISP] implementation).

Click Cancel if you do not want to make any changes.

In the Relay Restrictions dialog box, click OK .

Click Apply , and then click OK in the Default SMTP Virtual Server Properties dialog box.


You will then need to ensure that all of your clients outside the network use SMTP authentication when connecting to the server.
You can find out how to do this at http://support.microsoft.com/?kbid=310884

Does that help?

0
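The two mechanisms this thread turns on, the PIX SMTP fixup (Mail Guard) from the accepted answer and the Exchange relay-restriction settings scampgb walks through, modelled together in one small session simulator. This is an added example written for this page, not Cisco or Microsoft code, and it does not talk to a real PIX or Exchange server: the domain xxxx.com is taken from the question, while the account, password, hostnames and IP addresses are constructed. The Mail Guard command list is the seven RFC 821 commands Cisco documents for the fixup; the 500 reply is how the example represents a command the PIX refuses to pass.

```python
"""Toy model, added for illustration, of the two policies this thread turns on:
a PIX-style SMTP command filter (Mail Guard) in front of a server whose relay
rule is "deliver to local domains from anyone, relay to other domains only for
authenticated clients or listed IPs". Accounts, IPs and hostnames are made up;
the Mail Guard command list is the seven RFC 821 commands Cisco documents."""
import base64

# The only verbs the PIX SMTP fixup lets through; EHLO and AUTH are not among them.
MAILGUARD_ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


def plain_credential(user, password):
    """Build the initial response for AUTH PLAIN: base64 of \\0user\\0password.
    This is encoding, not encryption: without TLS it is readable on the wire."""
    return base64.b64encode(b"\0" + user.encode() + b"\0" + password.encode()).decode()


class RelayingSmtpServer:
    """One SMTP session with Exchange-style relay restrictions:
    - "Only the list below": relay_ips may relay without authenticating
    - "Allow all computers which successfully authenticate to relay"
    - anonymous clients may still deliver to local_domains (inbound mail)."""

    def __init__(self, local_domains, users, relay_ips=(), mailguard=False):
        self.local_domains = {d.lower() for d in local_domains}
        self.users = dict(users)          # constructed sample accounts
        self.relay_ips = set(relay_ips)   # computers listed in the Relay dialog
        self.mailguard = mailguard        # is a PIX with "fixup protocol smtp" in front?
        self.authenticated = None
        self.sender = None

    def handle(self, client_ip, line):
        """Return the reply for one command line sent from client_ip."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if self.mailguard and verb not in MAILGUARD_ALLOWED:
            # Mail Guard answers unknown verbs itself; the server never sees them,
            # so a client behind it can neither negotiate ESMTP nor authenticate.
            return "500 5.5.1 Command unrecognized"
        if verb == "HELO":
            return "250 mail.xxxx.com"
        if verb == "EHLO":
            return "250-mail.xxxx.com\r\n250 AUTH PLAIN"
        if verb == "AUTH":
            return self._auth(arg)
        if verb == "MAIL":
            self.sender = arg
            return "250 2.1.0 Sender OK"
        if verb == "RCPT":
            return self._rcpt(client_ip, arg)
        if verb in ("RSET", "NOOP"):
            return "250 2.0.0 OK"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"

    def _auth(self, arg):
        mech, _, initial = arg.partition(" ")
        if mech.upper() != "PLAIN" or not initial:
            return "504 5.7.4 Unrecognized authentication type"
        try:
            _authzid, user, password = base64.b64decode(initial).split(b"\0")
        except ValueError:
            return "501 5.5.2 Cannot decode response"
        if self.users.get(user.decode()) != password.decode():
            return "535 5.7.3 Authentication unsuccessful"
        self.authenticated = user.decode()
        return "235 2.7.0 Authentication successful"

    def _rcpt(self, client_ip, arg):
        if self.sender is None:
            return "503 5.5.1 Need MAIL command"
        addr = arg.partition(":")[2].strip().strip("<>")
        domain = addr.rpartition("@")[2].lower()
        if domain in self.local_domains:
            return "250 2.1.5 Recipient OK"      # inbound mail: accepted from anyone
        if self.authenticated or client_ip in self.relay_ips:
            return "250 2.1.5 Recipient OK"      # relay permitted by auth or IP list
        return "550 5.7.1 Unable to relay for " + addr


def session(server, client_ip, commands):
    """Run a list of client commands through one session and collect the replies."""
    return [server.handle(client_ip, c) for c in commands]


if __name__ == "__main__":
    roaming = "203.0.113.7"   # constructed: a laptop on a hotel network
    cmds = ["EHLO laptop", "MAIL FROM:<samir@xxxx.com>", "RCPT TO:<bob@xxxx.com>",
            "RCPT TO:<alice@example.org>",
            "AUTH PLAIN " + plain_credential("samir", "s3cret"),
            "RCPT TO:<alice@example.org>", "QUIT"]
    for title, fixup_on in (("fixup protocol smtp 25", True), ("no fixup protocol smtp 25", False)):
        srv = RelayingSmtpServer(["xxxx.com"], {"samir": "s3cret"}, mailguard=fixup_on)
        print(title)
        for c, r in zip(cmds, session(srv, roaming, cmds)):
            print("  C:", c, "\n  S:", r.replace("\r\n", " / "))
```

Running the script replays the roaming client's session twice. With the fixup in front, EHLO and AUTH are answered with 500 before they reach the server, so the only way the client could ever relay is to be in the IP list, and the recipient at example.org gets "550 Unable to relay" exactly as in the question; with the fixup off, AUTH PLAIN succeeds and the same RCPT is accepted. Two caveats follow directly from the model: credentials sent with AUTH PLAIN or LOGIN are only base64-encoded, so a laptop on a hotel network is exposing the domain password unless the session is protected by TLS, and an address added to the relay list is trusted without any authentication, so listing anything broader than your own LAN hosts turns the server back into an open relay.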
 
LVL 16

Expert Comment

by:samccarthy
ID: 12095438
If you are running Exchange and using Exchange mailboxes, Outlook Express is not your answer, as it is a POP3 client. Configuring that would download the mail to their PC, and while you can have it remain on the server, any sent mail, etc. will not be updated, nor would you be able to utilise the extra functionality that Exchange offers.

Have you tried OWA? Just enable port 80 on your firewall and protocol 47 (GRE) and send it to the IP of the mail server. Your clients can log on at http:\\xxx.domain\exchange and get their mail from anywhere on the Internet.

The issue you are having now is your Exchange server sees these outside clients as trying to relay mail.  scampgb does a good job of how to configure this area.

Good Luck
Steve
0
 
LVL 4

Expert Comment

by:sriwi
ID: 12095570
Read this article, it will help you configure your exchange properly:

http://www.msexchange.org/tutorials/MF005.html


When you are on the move and using Outlook, if you are connecting to your company through VPN and Exchange, you shouldn't have that problem. If you use the POP3 service, then what SMTP server are you using? It should be the SMTP server of the ISP that you are connecting through (which looks like the problem that you have at the moment).

and also what is the default sender profile on your laptop ?

cheers

0
 

Author Comment

by:samprav
ID: 12096907
Thanks for the support.

I disabled fixup protocol smtp 25 and now it's working fine. But how can I have the feature of Mail Guard also enabled with SMTP relaying enabled? Because Mail Guard can add more security for my network.

regards

Samir.
0
 
LVL 8

Expert Comment

by:Marakush
ID: 12097916
samprav,

Sorry... That's the only workaround I know about with Exchange and the PIX. Maybe post this under Security with the original message, my message and your last comment. Someone else might have another workaround for you.

Marakush
0
