Solved

Enabling Mail server access Behind PIX

Posted on 2004-09-19
349 Views
Last Modified: 2013-11-16
Hello All

I have an ADSL line with a fixed IP address and we have a domain name XXXX.com. I have hosted an Exchange mail server behind a PIX 515E firewall. This mail server is collecting the mails for the domain.

Everything is working fine and I am also able to send and receive mails from my LAN users to the internet and vice versa. The problem I started facing is when my users want to check their mails while they are on the move outside... They want to check their emails with Outlook Express as the mail client, with the incoming and outgoing server configured as "XXXX.com"..

They are able to ping the domain from outside, which resolves to the global IP address we have. I can even receive the mails in Outlook (when I am on the move), but when I try to send mail to an outside user (if I send mail to an internal user it works fine, which means there is something I need to check on the PIX... I believe) I get an error message which says that relaying is denied through the SMTP server.

What configuration do I need to check in the PIX to enable sending mails from outside to external users?

Can somebody help?

Regards

Samir.
Question by:samprav
7 Comments
LVL 8

Accepted Solution

by:
Marakush earned 250 total points
ID: 12095189
samprav,

There is a feature on the Cisco PIX called 'mailhost' or 'mailguard' (depending on the version). It prevents the EHLO or AUTH command from reaching the Exchange server. You need to disable it.

Use the command line:

fixup protocol smtp 25

This should enable or disable mail guard or mail host.

Marakush
LVL 79

Expert Comment

by:lrmoore
ID: 12095198
>relaying is denied through the SMTP server
This is the key. There is nothing wrong with your PIX config if you can send/receive email to the world.
This is a function of the Exchange server. It is set up to only accept mail from inside LAN ip's.

You might want to cross-post this question in the Exchange server Topic Area.
LVL 15

Expert Comment

by:scampgb
ID: 12095244
Hi samprav,

Firstly, you will need to allow port 25 to be forwarded on to your Exchange server.  From the above, it sounds like you've done that.

By default, Exchange is configured not to allow SMTP relay (and a jolly good thing it is too).  You need to change that, BUT you must make sure that you require authentication from the clients when you do that.

Otherwise your server will become an open relay, and that's a bad thing.

There's an article at : http://www.jsiinc.com/SUBJ/tip4800/rh4881.htm that explains how to PREVENT SMTP relay.
You allow it by following much the same instructions.  To summarise it:

Start Exchange System Manager.

Expand the organization_name object, and then expand the Servers node. Expand the server_name object of the server on which you want to ALLOW mail relay, and then expand the Protocols node.

Expand the SMTP node, right-click the virtual SMTP server on which you want to ALLOW mail relay, and then click Properties.

Click the Access tab, and then click Authentication.

Click to select either the Basic Authentication check box, or the Windows security package check box, or both of these check boxes, and then click to clear the Anonymous access check box. When you select the Basic Authentication check box, you need to provide a default user domain. Click OK.

If you click to select the Anonymous access check box and do not select any other check box on this page, all of the users and computers can gain access to the Exchange 2000 SMTP server. This setting disables inbound authentication. **************  THIS IS IMPORTANT **************

If you click to select either the Basic Authentication check box, or the Windows security package check box, or both of these check boxes, and you click to clear the Anonymous access check box, authentication is required to gain access to the Exchange 2000 SMTP server. If the user or computer does not successfully authenticate, the user or computer cannot send mail to the server.

Click Relay.

In the Relay Restriction dialog box, several options are available. The Only the list below option is enabled by default; the list below this option is empty. The Allow all computers which successfully authenticate to relay, regardless of the list above option is also enabled by default, which allows users and computers that can authenticate with the server to relay through the server. This option allows the Exchange 2000 server to relay mail from your internal network clients. Note that if you allow only anonymous access, the server cannot authenticate users or computers.

Click Add. You can allow a single computer, a group of computers, or an entire domain to relay through the server by making the appropriate selection in the Computer dialog box.

Allowing access by IP address or domain name is helpful for users who do not authenticate with the Exchange server (for example, in an Internet service provider [ISP] implementation).

Click Cancel if you do not want to make any changes.

In the Relay Restrictions dialog box, click OK.

Click Apply, and then click OK in the Default SMTP Virtual Server Properties dialog box.


You will then need to ensure that all of your clients outside the network use SMTP authentication when connecting to the server.
You can find out how to do this at : http://support.microsoft.com/?kbid=310884

Does that help?

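The two mechanisms discussed in this thread, the PIX Mailguard filter from Marakush's answer and the Exchange relay restrictions from scampgb's answer, interact in a way that is easier to see when modelled together. The following Python script is an added example, not code from the thread or from Cisco or Microsoft: it is a deliberately simplified model in which Mailguard answers any verb outside its small allowed set with a 500 reply before it reaches the server, and Exchange decides each RCPT TO using the "Only the list below" network list plus the "allow authenticated computers to relay" setting. The policy values, the 192.168.1.0/24 LAN, the 198.51.100.7 roaming client and the command sequences are all constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Verbs the PIX Mailguard (fixup protocol smtp) lets through to the server.
# Anything else, EHLO and AUTH included, is answered by the firewall itself
# and never reaches Exchange.  Simplified model, not Cisco's implementation.
MAILGUARD_VERBS = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


@dataclass
class RelayPolicy:
    """Mirrors the Exchange SMTP virtual server settings discussed above."""
    local_domains: set                 # mail for these is inbound, always accepted
    relay_networks: list               # "Only the list below" (CIDR strings)
    relay_authenticated: bool = True   # "Allow all computers which successfully authenticate"
    auth_enabled: bool = True          # False models Anonymous access only


@dataclass
class Session:
    client_ip: str
    authenticated: bool = False
    transcript: list = field(default_factory=list)  # (command, reply) pairs


def pix_mailguard(command: str, fixup_enabled: bool):
    """Return the firewall's own reply if Mailguard blocks the verb, else None."""
    verb = command.split(None, 1)[0].upper()
    if fixup_enabled and verb not in MAILGUARD_VERBS:
        return "500 5.5.1 Command unrecognized"
    return None


def exchange_rcpt(policy: RelayPolicy, session: Session, recipient: str) -> str:
    """Exchange's answer to RCPT TO, following the Relay Restrictions dialog."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    if domain in policy.local_domains:
        return "250 2.1.5 OK"                  # inbound mail, not a relay
    if session.authenticated and policy.relay_authenticated:
        return "250 2.1.5 OK"                  # authenticated roaming user
    client = ip_address(session.client_ip)
    if any(client in ip_network(net) for net in policy.relay_networks):
        return "250 2.1.5 OK"                  # listed internal network
    return "550 5.7.1 Unable to relay"         # the error from the question


def run_session(policy, fixup_enabled, client_ip, commands) -> Session:
    """Feed the client's commands through the firewall model, then the server model."""
    session = Session(client_ip)
    for cmd in commands:
        reply = pix_mailguard(cmd, fixup_enabled)
        if reply is None:
            verb = cmd.split(None, 1)[0].upper()
            if verb == "AUTH":
                if policy.auth_enabled:
                    session.authenticated = True   # credentials assumed valid here
                    reply = "235 2.7.0 Authentication successful"
                else:
                    reply = "504 5.7.4 Unrecognized authentication type"
            elif verb == "RCPT":
                recipient = cmd.split(":", 1)[1].strip().strip("<>")
                reply = exchange_rcpt(policy, session, recipient)
            else:
                reply = "250 OK"
        session.transcript.append((cmd, reply))
    return session


def relay_outcome(policy, fixup_enabled, client_ip, commands) -> str:
    """Three-digit code of the last RCPT TO reply, e.g. '250' or '550'."""
    session = run_session(policy, fixup_enabled, client_ip, commands)
    rcpt_replies = [r for c, r in session.transcript if c.upper().startswith("RCPT")]
    return rcpt_replies[-1][:3]


# Constructed policy: one local domain, the LAN may relay without authenticating.
POLICY = RelayPolicy(local_domains={"xxxx.com"}, relay_networks=["192.168.1.0/24"])

# Constructed sessions of a roaming mail client sending to an external recipient;
# 198.51.100.7 is a documentation address standing in for the client's ISP address.
ROAMING_AUTH = ["EHLO laptop", "AUTH LOGIN", "MAIL FROM:<samir@xxxx.com>",
                "RCPT TO:<friend@example.net>"]
ROAMING_NOAUTH = ["HELO laptop", "MAIL FROM:<samir@xxxx.com>",
                  "RCPT TO:<friend@example.net>"]

if __name__ == "__main__":
    for label, fixup, cmds in [("fixup on, client tries to authenticate", True, ROAMING_AUTH),
                               ("fixup off, client authenticates", False, ROAMING_AUTH),
                               ("fixup off, no authentication", False, ROAMING_NOAUTH)]:
        s = run_session(POLICY, fixup, "198.51.100.7", cmds)
        print(f"--- {label}")
        for c, r in s.transcript:
            print(f"C: {c:<32} S: {r}")
```

Running it shows the three cases that matter here: with the fixup on, EHLO and AUTH are refused by the firewall, the client ends up unauthenticated and Exchange answers the external RCPT with 550, which is the symptom in the question; with the fixup off and authenticated relay enabled, the same session gets 250; and with the fixup off but no AUTH, the external RCPT is still refused, so the server is not an open relay. The LAN addresses in the list relay without authenticating, and mail addressed to the local domain is accepted in every case.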
LVL 16

Expert Comment

by:samccarthy
ID: 12095438
If you are running Exchange and using Exchange Mailboxes, Outlook Express is not your answer as it is a POP3 client.  Configuring that would download the mail to their PC and while you can have it remain on the server, any sent mail, etc., will not be updated nor would you be able to utilize the extra functionality that Exchange offers.

Have you tried OWA???  Just enable Port 80 on your firewall and Protocol 47 (GRE) and shoot it to the IP of the Mail server.    Your clients can logon at http:\\xxx.domain\exchange and get their mail from anywhere on the Internet.

The issue you are having now is your Exchange server sees these outside clients as trying to relay mail.  scampgb does a good job of how to configure this area.

Good Luck
Steve
LVL 4

Expert Comment

by:sriwi
ID: 12095570
Read this article, it will help you configure your exchange properly:

http://www.msexchange.org/tutorials/MF005.html


When you are on the move and using Outlook, if you are connecting to your company through VPN and Exchange, you shouldn't have that problem. If you use the POP3 service, then what is the SMTP server that you are using? It should be the ISP SMTP server that you are connecting through (which looks like the problem that you have at the moment).

And also, what is the default sender profile on your laptop?

cheers


Author Comment

by:samprav
ID: 12096907
Thanks for the support..

I disabled fixup protocol smtp 25 and now it's working fine.. But how can I have the feature of Mailguard also enabled with SMTP relaying enabled... Because Mailguard can add more security for my network..

regards

Samir.
LVL 8

Expert Comment

by:Marakush
ID: 12097916
samprav,

Sorry... That's the only workaround I know about with Exchange and the PIX. Maybe post this under Security with the original message, my message and your last comment. Someone else might have another workaround for you.

Marakush