Solved

Enabling Mail server access Behind PIX

Posted on 2004-09-19
7
347 Views
Last Modified: 2013-11-16
Hello All

I have an ADSL line with a fixed IP address and we have a domain name XXXX.com. I have hosted an Exchange mail server behind a PIX 515E firewall. This mail server is collecting the mail for the domain.

Everything is working fine and I am also able to send and receive mail between my LAN users and the Internet and vice versa. The problem I started facing is with my users when they want to check their mail while they are on the move outside. They want to check email with Outlook Express as the mail client, with the incoming and outgoing server configured as "XXXX.com".

They are able to ping the domain from outside, which resolves to the global IP address we have. I can even receive mail in Outlook (when I am on the move), but when I try to send mail to an outside user (if I send mail to an internal user it works fine, which means there is something I need to check on the PIX, I believe) I get an error message which says that relaying is denied through the SMTP server.

What configuration do I need to check in the PIX to enable sending mail from outside to external users?

Can somebody help?

Regards

Samir.
0
Comment
Question by:samprav
7 Comments
 
LVL 8

Accepted Solution

by:
Marakush earned 250 total points
ID: 12095189
samprav,

There is a feature on the Cisco PIX called 'mailhost' or 'mailguard' (depending on version). It prevents the EHLO or AUTH command from reaching the Exchange server. You need to disable it.

Use the command line:

fixup protocol smtp 25

This should enable or disable mail guard or mail host.

Marakush
0
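The accepted answer says the PIX SMTP fixup stops EHLO/AUTH from reaching Exchange. The quickest way to see whether that is happening from the outside is to send an EHLO yourself and look at what comes back: a client that never sees a "250-AUTH ..." line cannot authenticate, so the server treats it as anonymous and refuses to relay. The probe below is an added example for this thread, not code from the original post or from Cisco; the host names and the sample replies in the docstrings are constructed, and the exact text a PIX returns for a rejected EHLO is not asserted here, only that it is not a 250 reply.

```python
"""Probe an SMTP endpoint and report which ESMTP extensions it advertises.

Added example (not from the original thread or from Cisco). The raw
socket conversation is used on purpose: smtplib silently falls back to
HELO when EHLO is refused, which hides exactly the symptom we want to see.
"""
import socket


def parse_ehlo_reply(reply: bytes) -> dict:
    """Parse a raw EHLO reply into {'code': int, 'extensions': {NAME: [PARAMS]}}.

    A 250 multi-line reply carries the greeting on the first line and one
    extension per following line ("250-AUTH GSSAPI NTLM LOGIN"). Any other
    reply code (for example a 5xx "command unrecognized" when EHLO is blocked
    before it reaches the server) yields an empty extension set.
    """
    lines = [l for l in reply.decode("ascii", "replace").splitlines() if l.strip()]
    if not lines:
        raise ValueError("empty SMTP reply")
    code = int(lines[0][:3])
    extensions: dict = {}
    if code != 250:
        return {"code": code, "extensions": extensions}
    for line in lines[1:]:              # lines[0] is "250-host Hello [addr]"
        body = line[4:].strip()         # drop "250-" / "250 "
        if not body:
            continue
        name, *params = body.split()
        extensions[name.upper()] = [p.upper() for p in params]
    return {"code": code, "extensions": extensions}


def auth_mechanisms(parsed: dict) -> list:
    """SASL mechanisms offered via AUTH, or [] when AUTH is not advertised."""
    return parsed["extensions"].get("AUTH", [])


def _read_reply(sock: socket.socket) -> bytes:
    """Read one complete SMTP reply, including multi-line ("NNN-") replies."""
    data = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
        lines = data.split(b"\r\n")
        # The reply is complete once a line "NNN text" (space, not dash) has
        # arrived and the buffer ends on a line terminator.
        finished = [l for l in lines if len(l) >= 4 and l[3:4] == b" "]
        if finished and data.endswith(b"\r\n"):
            break
    return data


def probe(host: str, port: int = 25, timeout: float = 10.0,
          helo_name: str = "probe.example.invalid") -> dict:
    """Live probe: connect, send EHLO, return the parsed reply.

    Run it from outside the firewall to see what a roaming client sees.
    helo_name is a placeholder; use a name that resolves to your probe host.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        _read_reply(sock)                                   # 220 banner
        sock.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
        reply = _read_reply(sock)
        sock.sendall(b"QUIT\r\n")
    return parse_ehlo_reply(reply)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # placeholder
    result = probe(target)
    mechs = auth_mechanisms(result)
    if result["code"] != 250:
        print(f"EHLO rejected with {result['code']}: ESMTP is being blocked upstream")
    elif not mechs:
        print("EHLO accepted but AUTH not advertised: roaming clients cannot authenticate")
    else:
        print("AUTH mechanisms offered:", ", ".join(mechs))
```

If the probe shows no AUTH from outside but the same probe run on the LAN does show it, the difference is the device in between, which is the situation the thread describes.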
 
LVL 79

Expert Comment

by:lrmoore
ID: 12095198
>relaying is denied through the SMTP server
This is the key. There is nothing wrong with your PIX config if you can send/receive email to the world.
This is a function of the Exchange server. It is set up to only accept mail from inside LAN ip's.

You might want to cross-post this question in the Exchange server Topic Area.
0
 
LVL 15

Expert Comment

by:scampgb
ID: 12095244
Hi samprav,

Firstly, you will need to allow port 25 to be forwarded on to your Exchange server.  From the above, it sounds like you've done that.

By default, Exchange is configured not to allow SMTP relay (and a jolly good thing it is too).  You need to change that, BUT you must make sure that you require authentication from the clients when you do that.

Otherwise your server will become an open relay, and that's a bad thing.

There's an article at : http://www.jsiinc.com/SUBJ/tip4800/rh4881.htm that explains how to PREVENT SMTP relay.
You allow it by following much the same instructions.  To summarise it:

Start Exchange System Manager.

Expand the organization_name object, and then expand the Servers node. Expand the server_name object of the server on which you want to ALLOW mail relay, and then expand the Protocols node.

Expand the SMTP node, right-click the virtual SMTP server on which you want to ALLOW mail relay, and then click Properties .

Click the Access tab, and then click Authentication .

Click to select either the Basic Authentication check box, or the Windows security package check box, or both of these check boxes, and then click to clear the Anonymous access check box. When you select the Basic Authentication check box, you need to provide a default user domain. Click OK .

If you click to select the Anonymous access check box and do not select any other check box on this page, all of the users and computers can gain access to the Exchange 2000 SMTP server. This setting disables inbound authentication. **************  THIS IS IMPORTANT **************

If you click to select either the Basic Authentication check box, or the Windows security package check box, or both of these check boxes, and you click to clear the Anonymous access check box, authentication is required to gain access to the Exchange 2000 SMTP server. If the user or computer does not successfully authenticate, the user or computer cannot send mail to the server.

Click Relay .

In the Relay Restriction dialog box, several options are available. The Only the list below option is enabled by default; the list below this option is empty. The Allow all computers which successfully authenticate to relay, regardless of the list above option is also enabled by default, which allows users and computers that can authenticate with the server to relay through the server. This option allows the Exchange 2000 server to relay mail from your internal network clients. Note that if you allow only anonymous access, the server cannot authenticate users or computers.

Click Add . You can allow a single computer, a group of computers, or an entire domain to relay through the server by making the appropriate selection in the Computer dialog box.

Allowing access by IP address or domain name is helpful for users who do not authenticate with the Exchange server (for example, in an Internet service provider [ISP] implementation).

Click Cancel if you do not want to make any changes.

In the Relay Restrictions dialog box, click OK .

Click Apply , and then click OK in the Default SMTP Virtual Server Properties dialog box.


You will then need to ensure that all of your clients outside the network use SMTP authentication when connecting to the server.
You can find out how to do this at : http://support.microsoft.com/?kbid=310884

Does that help?

0
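The procedure above boils down to one security property: anonymous clients must be refused relay, authenticated clients allowed. The check below, an added example for this thread and not code from the original post or from Microsoft, verifies that property from the outside by running MAIL FROM / RCPT TO for an address outside your domain, once anonymously and once with credentials, and classifying the RCPT reply. Nothing is delivered, because the session is reset before DATA. Host names, addresses and credentials are placeholders; run it from outside the LAN, since a relay list that includes internal addresses will accept anything from inside.

```python
"""Open-relay check: does the server relay for anonymous clients, for
authenticated clients, or for nobody?

Added example (not from the original thread or from Microsoft).
"""
import smtplib

ACCEPTED = "accepted"
RELAY_DENIED = "relay denied"
AUTH_REQUIRED = "authentication required"
OTHER = "other"


def classify_rcpt_reply(code: int, message: bytes) -> str:
    """Interpret the RCPT TO reply for a recipient outside the local domains.

    2xx         -> the server will relay for this client
    550/554 with "relay" in the text -> refused (Exchange: "550 5.7.1 Unable to relay for ...")
    530         -> the server wants AUTH (or STARTTLS) before it accepts mail at all
    """
    if 200 <= code < 300:
        return ACCEPTED
    if code == 530:
        return AUTH_REQUIRED
    if code in (550, 554) and b"relay" in message.lower():
        return RELAY_DENIED
    return OTHER


def verdict(anonymous: str, authenticated: str) -> str:
    """Combine both probes into the configuration state the thread is after."""
    if anonymous == ACCEPTED:
        return "OPEN RELAY: anonymous clients may relay through this server"
    if authenticated == ACCEPTED:
        return "OK: relay is refused anonymously and allowed after authentication"
    return ("relay refused for everyone: check that AUTH is advertised to the client "
            "and that 'Allow all computers which successfully authenticate to relay' is on")


def try_relay(host: str, port: int, mail_from: str, rcpt_to: str,
              credentials=None, timeout: float = 10.0) -> str:
    """Issue MAIL FROM / RCPT TO and classify the reply; never reaches DATA."""
    with smtplib.SMTP(host, port, timeout=timeout) as s:
        s.ehlo_or_helo_if_needed()
        if credentials is not None:
            if s.has_extn("starttls"):      # protect the password if the server offers TLS
                s.starttls()
                s.ehlo()
            s.login(*credentials)           # SMTPNotSupportedError if AUTH is not advertised
        code, _ = s.mail(mail_from)
        if code != 250:
            return OTHER
        code, msg = s.rcpt(rcpt_to)
        s.rset()                            # abort the transaction: nothing is sent
        return classify_rcpt_reply(code, msg)


def audit(host: str, port: int = 25, credentials=None,
          outside_sender: str = "probe@example.net",      # placeholder, not your domain
          outside_rcpt: str = "recipient@example.org") -> str:  # placeholder, not your domain
    anon = try_relay(host, port, outside_sender, outside_rcpt)
    authed = OTHER
    if credentials is not None:
        try:
            authed = try_relay(host, port, outside_sender, outside_rcpt, credentials)
        except (smtplib.SMTPNotSupportedError, smtplib.SMTPAuthenticationError):
            authed = OTHER
    return verdict(anon, authed)


if __name__ == "__main__":
    import getpass
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"     # placeholder
    user = sys.argv[2] if len(sys.argv) > 2 else None
    creds = (user, getpass.getpass("password: ")) if user else None
    print(audit(target, credentials=creds))
```

The third verdict is the one the questioner hit: relay correctly denied for anonymous clients, but the authenticated path unusable because the client never got to authenticate.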
 
LVL 16

Expert Comment

by:samccarthy
ID: 12095438
If you are running Exchange and using Exchange mailboxes, Outlook Express is not your answer, as it is a POP3 client.  Configuring that would download the mail to their PC, and while you can have it remain on the server, any sent mail, etc., will not be updated, nor would you be able to use the extra functionality that Exchange offers.

Have you tried OWA???  Just enable port 80 on your firewall and protocol 47 (GRE) and point it to the IP of the mail server.    Your clients can log on at http:\\xxx.domain\exchange and get their mail from anywhere on the Internet.

The issue you are having now is your Exchange server sees these outside clients as trying to relay mail.  scampgb does a good job of how to configure this area.

Good Luck
Steve
0
 
LVL 4

Expert Comment

by:sriwi
ID: 12095570
Read this article, it will help you configure your exchange properly:

http://www.msexchange.org/tutorials/MF005.html


When you are on the move and using Outlook, if you are connecting to your company through VPN and Exchange, you shouldn't have that problem. If you use the POP3 service, then what SMTP server are you using? It should be the SMTP server of the ISP you are connecting through (which looks like the problem that you have at the moment).

And also, what is the default sender profile on your laptop?

cheers

0
 

Author Comment

by:samprav
ID: 12096907
Thanks for the support.

I disabled fixup protocol smtp 25 and now it's working fine. But how can I have the Mailguard feature enabled as well, with SMTP relaying enabled? Because Mailguard can add more security for my network.

regards

Samir.
0
 
LVL 8

Expert Comment

by:Marakush
ID: 12097916
samprav,

Sorry... That's the only workaround I know about with Exchange and the PIX. Maybe post this under Security with the original message, my message and your last comment. Someone else might have another workaround for you.

Marakush
0