Asked by Manuel:

PIX blocking SMTP request from the inside to the outside.

Hello,

I have a mail server behind a PIX. When I try to send an email from one of the workstations, the workstation reaches the SMTP server; however, when I look at the logs of the SMTP server I receive a message that states that the PIX rejected the request. When this occurs I am trying to send an email out of my domain to another (ex. gmail.com). What could be the problem that the PIX is blocking SMTP requests?

Thank You,
Victor
rsivanandan:

Post a sanitized configuration on the pix?

Cheers,
Rajesh
Manuel (asker):

Below is the running-config.

Thank You
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password EEtyji/acyn/O8Zt encrypted
passwd EEtyji/acyn/O8Zt encrypted
hostname pixfirewall
domain-name pix.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list restrict_outbound permit ip any any
access-list restrict_outbound deny ip 219.239.227.0 255.255.255.0 any
access-list allow_inbound permit tcp any interface outside eq 3389
access-list allow_inbound permit tcp any interface outside eq www
access-list allow_inbound permit icmp any any source-quench
access-list allow_inbound permit tcp any interface outside eq ssh
access-list allow_inbound permit tcp any host 216.254.X.X eq www
access-list allow_inbound permit tcp any host 216.254.X.X eq ssh
access-list allow_inbound permit tcp any host 216.254.X.X eq h323
access-list allow_inbound permit tcp any host 216.254.X.X eq 5060
no pager
logging on
logging timestamp
logging monitor debugging
logging trap notifications
logging queue 24
logging host inside 10.1.1.23
icmp deny any outside
mtu outside 1500
mtu inside 1500
ip address outside 216.254.X.X 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
ip local pool ippool 10.1.2.1-10.1.2.254
pdm location 10.1.1.6 255.255.255.255 inside
pdm logging informational 100
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 10.1.1.0 255.255.255.0 0 0
static (inside,outside) tcp interface www 10.1.1.6 www netmask 255.255.255.255 00
static (inside,outside) tcp interface ssh 10.1.1.6 ssh netmask 255.255.255.255 00
static (inside,outside) tcp interface 3389 10.1.1.23 3389 netmask 255.255.255.255 0 0
static (inside,outside) 216.254.X.X 10.1.1.7 netmask 255.255.255.255 0 0
static (inside,outside) 216.254.X.X 10.1.1.24 netmask 255.255.255.255 0 0
access-group allow_inbound in interface outside
access-group restrict_outbound in interface inside
route outside 0.0.0.0 0.0.0.0 216.254.64.1 1
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication ssh console LOCAL
http server enable
http 10.1.1.0 255.255.255.0 inside
snmp-server host inside 10.1.1.23
snmp-server host inside 10.1.1.2
no snmp-server location
no snmp-server contact
snmp-server community xxxxxxxx
snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap client authentication LOCAL
crypto map mymap interface outside
isakmp enable outside
isakmp identity address
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup vpn3000 address-pool ippool
vpngroup vpn3000 default-domain pix.com
vpngroup vpn3000 split-tunnel 101
vpngroup vpn3000 idle-time 1800
vpngroup vpn3000 password ********
vpngroup vmr2 address-pool ippool
vpngroup vmr2 default-domain pix.com
vpngroup vmr2 split-tunnel 101
vpngroup vmr2 idle-time 1800
vpngroup vmr2 password ********
telnet timeout 30
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 60
console timeout 0
username vmr2 password xxxxxxxxxxxxxx encrypted privilege 15
username victor password xxxxxxxxxxxxxx encrypted privilege 3
privilege show level 15 command access-group
privilege clear level 15 command access-group
terminal width 80
banner login Hello, Victor!
banner motd Unauthorized access and use of this network/device will be prosecuted.
Cryptochecksum:4288a93ba14a130177ef1884c8f8e00a
: end
fullerms:

Have you configured natting for the mail server? If you need only outbound mail, ensure that the mail server's IP is configured to use at least the nat 0 range. If you need inbound mail also, you need to do a one-to-one static nat for the mail server.

1. As a basic check, telnet to port 25 of the destination (gmail.com) from the mail server.
2. If it doesn't work, telnet to port 25 of destination IP (gmail.com's mx entry). This will eliminate name resolution problems.
3. Do a trace to the destination IP to eliminate local routing problems.

If all three tests pass, then look at your firewall config. You have a statement permitting any any from the inside. Shouldn't be an access list issue. When you telnet to gmail.com from the mail server, do a show localhost -h (ip address of the mail server) and post the output.

Hope this helps.
SOLUTION by rsivanandan (not shown; members only)

Les Moore:
You can also try removing the acl from the inside interface

>access-group restrict_outbound in interface inside
 
It's not doing anything because your "restrict_outbound" acl =
>access-list restrict_outbound permit ip any any

Permit ip any any is the default behavior without any acl.

Agree with Rajesh that you don't have any access-list entry to permit inbound SMTP, which you should have for your mail server.

What kind of mail server do you have? If you have Exchange, you might need to disable the smtp fixup
 no fixup protocol smtp 25
Manuel (asker):

Hello,

> access-list allow_inbound permit tcp any host 216.254.X.X eq SMTP ??? Missing?

However, I do not know if I want to do this because wouldn't this be a security hole? By doing this, people from the internet will be able to use my server as a relay for spamming?

 
Manuel (asker):

The mail server is this workstation > static (inside,outside) tcp interface www 10.1.1.6 www netmask 255.255.255.255 00

Victor,

Is that a threat? Because the purpose of a mail server is to talk to every other mail server in the world. If you don't allow it, how will it work?

Cheers,
Rajesh
ASKER CERTIFIED SOLUTION (not shown; members only)
>static (inside,outside) tcp interface wmtp 10.1.1.6 smtp netmask 255.255.255.255
Sorry, that should be

static (inside,outside) tcp interface smtp 10.1.1.6 smtp netmask 255.255.255.255
                                                  ^
 
Manuel (asker):

Ok first of all I did everything that was said here to be done such as

static (inside,outside) tcp interface smtp 10.1.1.6 smtp netmask 255.255.255.255

> access-list allow_inbound permit tcp any host 216.254.X.X eq SMTP

And I also removed the access_restrict outbound and it still does not work for what I am trying to do. Let me explain: I have software which I am using to monitor different devices on the network; the software is meant to send an email when some alert triggers it. In the software there is a field where I have to put the smtp gateway, which is 10.1.1.6. However, when the software sends the email I do not receive an email in my (ex. gmail.com) account; on the mail server it states that 10.1.1.1 (PIX) rejected the request. However, if I send an email from the mail server, which is an IBM Risc/6000, to an outside email address, it works fine.
Victor,

Ok, the scenario is different now. Please clarify this:

Is there more information in the log other than "rejected" ? If so can you post the exact error message?

Cheers,
Rajesh
Manuel (asker):

Below is a copy of the IBM Risc/6000 email server log. I replaced my company's name with OrganizationName.

Reporting-MTA: dns; OrganizationName
Arrival-Date: Sun, 25 Dec 2005 20:29:33 -0500

Final-Recipient: RFC822; xxxxxx@gmail.com
Action: delayed
Status: 4.4.1
Remote-MTA: DNS; [10.1.1.1]
Last-Attempt-Date: Mon, 26 Dec 2005 00:46:16 -0500
Will-Retry-Until: Fri, 30 Dec 2005 20:29:33 -0500
From MAILER-DAEMON Mon Dec 26 00:46:16 2005
Received: from localhost (localhost) by OrganizationName (AIX5.3/8.11.6p2/8.11.0) id jBQ5kGS20724; Mon, 26 Dec 2005 00:46:16 -0500
Date: Mon, 26 Dec 2005 00:46:16 -0500
From: Mail Delivery Subsystem <MAILER-DAEMON>
Message-Id: <200512260546.jBQ5kGS20724@OrganizationName>
To: postmaster
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
        boundary="jBQ5kGS20724.1135575976/OrganizationName"
Subject: Postmaster notify: see transcript for details
Auto-Submitted: auto-generated (postmaster-notification)

This is a MIME-encapsulated message

--jBQ5kGS20724.1135575976/OrganizationName

The original message was received at Sun, 25 Dec 2005 20:29:33 -0500
from [10.1.1.23]
with id jBQ1TXR23746

   ----- The following addresses had transient non-fatal errors -----
<xxxxxxx@gmail.com>

   ----- Transcript of session follows -----
<xxxxxxxx@gmail.com>... Deferred: Connection refused by [10.1.1.1]
Warning: message still undelivered after 4 hours
Will keep trying until message is 5 days old
550 5.1.1 <culo>... User unknown

--jBQ5kGS20724.1135575976/OrganizationName
Content-Type: message/delivery-status

Reporting-MTA: dns; OrganizationName
Arrival-Date: Sun, 25 Dec 2005 20:29:33 -0500

Final-Recipient: RFC822; xxxxxxxx@gmail.com
Action: delayed
Status: 4.4.1
Remote-MTA: DNS; [10.1.1.1]
Last-Attempt-Date: Mon, 26 Dec 2005 00:46:16 -0500
Will-Retry-Until: Fri, 30 Dec 2005 20:29:33 -0500

--jBQ5kGS20724.1135575976/OrganizationName
Content-Type: message/rfc822

Return-Path: <culo>
Received: from Mangement ([10.1.1.23]) by OrganizationName (AIX5.3/8.11.6p2/8.11.0) with SMTP id jBQ1TXR23746 for <xxxxxxx@gmail.com>; Sun, 25 Dec 2005 20:29:33 -0500
Message-Id: <200512260129.jBQ1TXR23746@OrganizationName>
Date: Sun, 25 December 2005 20:32:13 -0500
From: "culo" <culo>
Subject: Hello CUlo
To: "xxxxxxx@gmail.com" <xxxxxxxxxx@gmail.com>
MIME-Version: 1.0

CUDHFdshfds

--jBQ5kGS20724.1135575976/OrganizationName--


From MAILER-DAEMON Mon Dec 26 00:46:16 2005
Received: from localhost (localhost) by OrganizationName (AIX5.3/8.11.6p2/8.11.0) id jBQ5kGT20724; Mon, 26 Dec 2005 00:46:16 -0500
Date: Mon, 26 Dec 2005 00:46:16 -0500
From: Mail Delivery Subsystem <MAILER-DAEMON>
Message-Id: <200512260546.jBQ5kGT20724@OrganizationName>
To: postmaster
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
        boundary="jBQ5kGT20724.1135575976/OrganizationName"
Subject: Postmaster notify: see transcript for details
Auto-Submitted: auto-generated (postmaster-notification)

This is a MIME-encapsulated message

--jBQ5kGT20724.1135575976/OrganizationName

The original message was received at Sun, 25 Dec 2005 20:43:14 -0500
from [10.1.1.23]
with id jBQ1hER23806

   ----- The following addresses had transient non-fatal errors -----
<xxxxxxxxxx@gmail.com>

   ----- Transcript of session follows -----
<xxxxxxxxxx@gmail.com>... Deferred: Connection refused by [10.1.1.1]
Warning: message still undelivered after 4 hours
Will keep trying until message is 5 days old
550 5.1.1 <uhouhuhohou>... User unknown

--jBQ5kGT20724.1135575976/OrganizationName
Content-Type: message/delivery-status

Reporting-MTA: dns; OrganizationName
Arrival-Date: Sun, 25 Dec 2005 20:43:14 -0500

Final-Recipient: RFC822; xxxxxxxx@gmail.com
Action: delayed
Status: 4.4.1
Remote-MTA: DNS; [10.1.1.1]
Last-Attempt-Date: Mon, 26 Dec 2005 00:46:16 -0500
Will-Retry-Until: Fri, 30 Dec 2005 20:43:14 -0500

--jBQ5kGT20724.1135575976/OrganizationName
Content-Type: message/rfc822

Return-Path: <uhouhuhohou>
Received: from Mangement ([10.1.1.23]) by OrganizationName (AIX5.3/8.11.6p2/8.11.0) with SMTP id jBQ1hER23806 for <xxxxxxxx@gmail.com>; Sun, 25 Dec 2005 20:43:14 -0500
Message-Id: <200512260143.jBQ1hER23806@OrganizationName>
Date: Sun, 25 December 2005 20:45:54 -0500
From: "uhouhuhohou" <uhouhuhohou>
Subject: ihuhiuhuh
To: "xxxxxxxxxxxx@gmail.com" <xxxxxxxxxxxx@gmail.com>
MIME-Version: 1.0

oihih

--jBQ5kGT20724.1135575976/OrganizationName--
Final-Recipient: RFC822; xxxxxxxx@gmail.com
Action: delayed
Status: 4.4.1
Remote-MTA: DNS; [10.1.1.1]
Last-Attempt-Date: Mon, 26 Dec 2005 00:46:16 -0500
Will-Retry-Until: Fri, 30 Dec 2005 20:43:14 -0500

I'm not a mail server person, but anyways, please look at the above message, 4th line. By any chance is the mail server trying to route to 10.1.1.1 as other mail server (Because it says PIX refused connection)?

Cheers,
Rajesh
Manuel (asker):

The only reason why the mail server is routing to 10.1.1.1 is because that is the gateway, which is the PIX. So do you believe that the mail server thinks that 10.1.1.1 is another mail server? What do you believe I should do?

Thank You

It does appear as though the mail server is trying to connect with the PIX to hand off the outbound mail. Of course that will be refused.
Do you have 10.1.1.1 configured anywhere on that server to be anything other than the default gateway?
Manuel (asker):

No, that is the only thing that 10.1.1.1 is configured for on that server: the default gateway.
Manuel (asker):

> It does appear as though the mail server is trying to connect with the PIX to hand off the outbound mail. Of course that will be refused.

Why would the PIX refuse outbound mail?

Something in the email server setup is taking this smtp email sent by your monitoring station and "relaying" it to the PIX. This is not acceptable to the PIX. Do you have anti-relay features set up on the mail server? This is clearly now something in the mail server setup. It sends mail that it generates itself just fine, but this anomalous behavior is only when relaying email from another internal host.
I would focus my attention now on the server configuration and what it does with email that it thinks it just needs to relay and not generated within.
 
>Why would the PIX refuse outbound mail?
Because it is not a mail relay host. It appears as though the mail server is trying to connect directly to the PIX as if the PIX is another mail server. This is absolutely not a function of the PIX and the connect will be refused every time.
Thnx lrmoore for confirming it. The internal mail server is thinking that the PIX is the GMAIL server.

Again, I'm not sure.

In your Network Software, do you have anywhere, where you can specify the 'Sender Address' ? If so, try giving a legitimate account.

Cheers,
Rajesh
Manuel (asker):

I did put a Sender Address and it still did not work. I also tried a different workstation and tried to send an email from Outlook to a different email address that is not gmail.com, and I still receive the same error on the email server.
This has to do with your mail server settings Victor. Because even if you don't want to receive mails from any other domain, you should be able to send it.

Cheers,
Rajesh
The AIX OS should work this all out for itself. Sounds like the 10.1.1.1 address is being passed with the results of your app before it hits the IBM. I would suggest if it were otherwise you would not be able to send a message out from the IBM at all as you'd get the same message.

What is the network app you are using?
Also, excuse my ignorance, but if I were you I would try putting the SMTP allow access-list in place, thinking that maybe, for the mail communication to be complete, those mail servers need to talk?

This is a stupid post and I know that but since I don't know the internals of mail server, I'll definitely give it a shot. 2 minutes time taken!

Cheers,
Rajesh
Oops, wrong window. Sorry
Keith,

It is the right window; based on your comment it looks like you are talking about this :-)

Cheers,
Rajesh
Manuel (asker):

I did put the smtp allow access-list in before; below is a copy of my access-list.

access-list 101 permit ip 10.1.1.0 255.255.255.0 10.1.2.0 255.255.255.0
access-list allow_inbound permit tcp any interface outside eq 3389
access-list allow_inbound permit tcp any interface outside eq www
access-list allow_inbound permit icmp any any source-quench
access-list allow_inbound permit tcp any interface outside eq ssh
access-list allow_inbound permit tcp any host 216.254.X.X eq www
access-list allow_inbound permit tcp any host 216.254.X.X eq ssh
access-list allow_inbound permit tcp any host 216.254.X.X eq h323
access-list allow_inbound permit tcp any host 216.254.X.X eq 5060
access-list allow_inbound permit tcp any host 216.254.X.X eq smtp   (MAIL SERVER private IP 10.1.1.6)


:) O yes.
Manuel (asker):

Does anyone else have any more ideas?

As several people have noted, it does seem like the mail server is trying to connect to the PIX. If you need verification, it could be a good idea to watch the logs (the PIX logs, that is).
If you do verify that it is so, I'm a bit lost on mail-server config; the only one I ever worked with was the one in IIS, where the terms are "smart-host" and "send direct", and you want the latter option.

I can't quite follow if you have a problem with inbound mail too, or don't really want those. :) The above access-list looks fine for inbound, provided there is a "matching" static and DNS MX record.
Manuel (asker):

Well boys, I got the mail server sending email out; there was a problem with the mail server relaying the emails to the firewall. However, I am having trouble receiving email from the outside, so I am going to open another window for this problem.

Thanks to all for all your help.