Enabling Mail server access Behind PIX

Posted on 2004-09-19
Last Modified: 2013-11-16
Hello All

I have an ADSL line with a fixed IP address and we have a domain name XXXX.com. I have hosted an Exchange mail server behind a PIX 515E firewall. This mail server is collecting the mails for the domain.

Everything is working fine and I am also able to send and receive mails from my LAN users to the internet and vice versa. The problem I started facing is when my users want to check their mails while they are on the move outside. They want to check the emails with Outlook Express as a mail client, with incoming and outgoing server configured as "XXXX.com".

They are able to ping the domain from outside, which resolves to the global IP address we have. I can even receive the mails in Outlook (when I am on the move), but when I try to send a mail to an outside user (if I send mail to an internal user it works fine, which means I believe there is something I need to check on the PIX) I get an error message which says that relaying is denied through the SMTP server.

What configuration do I need to check in the PIX to enable sending mails from outside to external users?

Can somebody help?

Regards

Samir.
Question by:samprav
7 Comments
 
LVL 8

Accepted Solution

by:
Marakush earned 750 total points
ID: 12095189
samprav,

There is a feature on the Cisco PIX called 'mailhost' or 'mailguard' (depending on the version). It prevents the EHLO or AUTH command from reaching the Exchange server. You need to disable it.

Use the command line:

fixup protocol smtp 25

This should enable or disable mail guard or mail host.

Marakush
 
LVL 79

Expert Comment

by:lrmoore
ID: 12095198
>relaying is denied through the SMTP server
This is the key. There is nothing wrong with your PIX config if you can send/receive email to the world.
This is a function of the Exchange server. It is set up to only accept mail from inside LAN IPs.

You might want to cross-post this question in the Exchange server Topic Area.
 
LVL 15

Expert Comment

by:scampgb
ID: 12095244
Hi samprav,

Firstly, you will need to allow port 25 to be forwarded on to your Exchange server.  From the above, it sounds like you've done that.

By default, Exchange is configured not to allow SMTP relay (and a jolly good thing it is too).  You need to change that, BUT you must make sure that you require authentication from the clients when you do that.

Otherwise your server will become an open relay, and that's a bad thing.

There's an article at : http://www.jsiinc.com/SUBJ/tip4800/rh4881.htm that explains how to PREVENT SMTP relay.
You allow it by following much the same instructions.  To summarise it:

Start Exchange System Manager.

Expand the organization_name object, and then expand the Servers node. Expand the server_name object of the server on which you want to ALLOW mail relay, and then expand the Protocols node.

Expand the SMTP node, right-click the virtual SMTP server on which you want to ALLOW mail relay, and then click Properties.

Click the Access tab, and then click Authentication.

Click to select either the Basic Authentication check box, or the Windows security package check box, or both of these check boxes, and then click to clear the Anonymous access check box. When you select the Basic Authentication check box, you need to provide a default user domain. Click OK.

If you click to select the Anonymous access check box and do not select any other check box on this page, all of the users and computers can gain access to the Exchange 2000 SMTP server. This setting disables inbound authentication. **************  THIS IS IMPORTANT **************

If you click to select either the Basic Authentication check box, or the Windows security package check box, or both of these check boxes, and you click to clear the Anonymous access check box, authentication is required to gain access to the Exchange 2000 SMTP server. If the user or computer does not successfully authenticate, the user or computer cannot send mail to the server.

Click Relay.

In the Relay Restriction dialog box, several options are available. The Only the list below option is enabled by default; the list below this option is empty. The Allow all computers which successfully authenticate to relay, regardless of the list above option is also enabled by default, which allows users and computers that can authenticate with the server to relay through the server. This option allows the Exchange 2000 server to relay mail from your internal network clients. Note that if you allow only anonymous access, the server cannot authenticate users or computers.

Click Add. You can allow a single computer, a group of computers, or an entire domain to relay through the server by making the appropriate selection in the Computer dialog box.

Allowing access by IP address or domain name is helpful for users who do not authenticate with the Exchange server (for example, in an Internet service provider [ISP] implementation).

Click Cancel if you do not want to make any changes.

In the Relay Restrictions dialog box, click OK.

Click Apply, and then click OK in the Default SMTP Virtual Server Properties dialog box.


You will then need to ensure that all of your clients outside the network use SMTP authentication when connecting to the server.
You can find out how to do this at: http://support.microsoft.com/?kbid=310884

Does that help?

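The interaction Marakush and scampgb describe, as an added model (not code from the thread or from Cisco/Microsoft): a PIX Mailguard filter that drops EHLO/AUTH, and an Exchange-style relay policy that only relays for authenticated or listed clients. The permitted verb set and the "500 command unrecognized" reply are assumed from Cisco's PIX documentation as remembered; the Exchange reply strings and the dialogue are constructed.

```python
# Added example, not code from the thread. Models the two controls discussed:
# PIX Mailguard ("fixup protocol smtp 25") filtering SMTP verbs, and an
# Exchange-style relay restriction that only relays for authenticated clients.
# Assumed: Mailguard permits only the RFC 821 minimum verbs below and answers
# anything else with "500 command unrecognized"; reply strings are modelled.
MAILGUARD_ALLOWED = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
LOCAL_DOMAIN = "xxxx.com"  # the questioner's own domain


def mailguard_passes(command: str, enabled: bool) -> bool:
    """True if the PIX forwards this verb to the Exchange server."""
    return not enabled or command.split()[0].upper() in MAILGUARD_ALLOWED


class RelayPolicy:
    """Local recipients are always accepted (inbound mail, not relay);
    other domains only for authenticated sessions or listed client IPs."""

    def __init__(self, relay_ips=()):
        self.relay_ips = set(relay_ips)

    def accept_rcpt(self, rcpt: str, client_ip: str, authenticated: bool) -> bool:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        return domain == LOCAL_DOMAIN or authenticated or client_ip in self.relay_ips


def session(commands, client_ip, policy, mailguard_on):
    """Replay a scripted client dialogue; return [(command, server reply)]."""
    authenticated, log = False, []
    for cmd in commands:
        verb = cmd.split()[0].upper()
        if not mailguard_passes(cmd, mailguard_on):
            log.append((cmd, "500 command unrecognized"))  # blocked at the PIX
        elif verb == "AUTH":
            authenticated = True  # credentials assumed valid for the model
            log.append((cmd, "235 authentication successful"))
        elif verb == "RCPT":
            rcpt = cmd.split(":", 1)[1].strip(" <>")
            ok = policy.accept_rcpt(rcpt, client_ip, authenticated)
            log.append((cmd, "250 OK" if ok else "550 5.7.1 Unable to relay"))
        else:
            log.append((cmd, "250 OK"))
    return log


# Constructed dialogue of a roaming Outlook Express user on a public address.
ROAMING_USER = ["EHLO laptop", "AUTH LOGIN dXNlcg==", "MAIL FROM:<samir@xxxx.com>",
                "RCPT TO:<friend@example.net>", "QUIT"]

if __name__ == "__main__":
    for guard in (True, False):
        print(f"Mailguard {'on' if guard else 'off'}:")
        for cmd, reply in session(ROAMING_USER, "203.0.113.5", RelayPolicy(), guard):
            print(f"  C: {cmd:32} S: {reply}")
```

With Mailguard on, the AUTH never reaches Exchange, so the session stays anonymous and the external RCPT is refused with the relay error the questioner saw; with it off, the same dialogue authenticates and relays.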
 
LVL 18
ID: 12095438
If you are running Exchange and using Exchange mailboxes, Outlook Express is not your answer as it is a POP3 client.  Configuring that would download the mail to their PC and, while you can have it remain on the server, any sent mail, etc., will not be updated, nor would you be able to utilize the extra functionality that Exchange offers.

Have you tried OWA???  Just enable Port 80 on your firewall and Protocol 47 (GRE) and shoot it to the IP of the Mail server.    Your clients can logon at http:\\xxx.domain\exchange and get their mail from anywhere on the Internet.

The issue you are having now is your Exchange server sees these outside clients as trying to relay mail.  scampgb does a good job of how to configure this area.

Good Luck
Steve
 
LVL 4

Expert Comment

by:sriwi
ID: 12095570
Read this article; it will help you configure your Exchange properly:

http://www.msexchange.org/tutorials/MF005.html


When you are on the move and using Outlook, if you are connecting to your company through VPN and Exchange, you shouldn't have that problem. If you use the POP3 service, then what is the SMTP server that you are using? It should be the ISP SMTP server that you are connecting to (which looks like the problem that you have at the moment).

And also, what is the default sender profile on your laptop?

cheers

 

Author Comment

by:samprav
ID: 12096907
Thanks for the support.

I disabled fixup protocol smtp 25 and now it's working fine. But how can I have the Mailguard feature also enabled with SMTP relaying enabled? Because Mailguard can add more security for my network.

regards

Samir.
 
LVL 8

Expert Comment

by:Marakush
ID: 12097916
samprav,

Sorry... That's the only workaround I know about with Exchange and the PIX. Maybe post this under Security with the original message, my message and your last comment. Someone else might have another workaround for you.

Marakush