Solved

mail server problem smtp to lan works but does not reach internet mail boxes

Posted on 2006-06-11
Last Modified: 2013-11-29
Hi,
I have a mail server that is running some antiquated software post.office, but the server software is probably irrelevant.
The OS is windows 2000
It is behind a router Cisco 2524 and between the router and the server is a PIX 506
The website is accessible from the internet and the mail server receives mail ok.
When mail is outgoing from the client in this case outlook it does not make it to any outside addresses such as hotmail, yahoo, gmail, and others as well.
It DOES send mail to all of the workstations on the LAN.
I am guessing that it is the firewall and or router, but I do not know how to verify.  It seems that it would have to be the firewall or router or mail would not be sent to local clients. I don't know if the firewall is simply dropping the mail or maybe does not know how to route it.  I can telnet into both devices.
Thank you Laura
Question by:lizardqueen007
86 Comments
 
LVL 38

Expert Comment

by:younghv
ID: 16880731
Hi Laura,
Do you have any documentation on which Ports that application uses to send and receive mail?
Since the mail can get in - and route to the LAN - it may be that the out-going port is blocked by one of your network devices.
Good Luck,
Vic
0
 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 100 total points
ID: 16880931
To send mail out, the firewall/router must allow outbound TCP traffic from any port 1024 and above to port 25.

The mail server software must also be able to do DNS resolutions.

Some receiving e-mail servers verify that the IP address that is talking to them resolves to a host name that matches the domain name sent on the HELO/EHLO commands.  So you also want to make sure that you have PTR records set up for the public IP address that your mail server uses.
0
 
LVL 10

Assisted Solution

by:naveedb
naveedb earned 60 total points
ID: 16880940
There could be a few issues with outgoing e-mail.

Does the Windows 2000 server have DNS configured properly?

Does the inside sender receive Non-Delivery notice when they try to send e-mail to external users?

To verify SMTP issues with firewall, make sure port 25 is not blocked for outgoing traffic. Also, some ISPs do not allow port 25 for outgoing traffic unless you have a business account with them. You can test it by trying to send an e-mail manually from the server.

http://www.arnab.org/notes/using-telnet-to-send-mail-by-smtp

0
 
LVL 3

Assisted Solution

by:papimichel
papimichel earned 80 total points
ID: 16881246
make the following check:
go to start>run
cmd + Enter

telnet 65.54.244.136 25

if you receive an announcement saying "Connect failed"
there might be a communication problem.
Then you'll have to check that outgoing connections on port 25 are allowed on the Firewall.

If the above check goes fine, there might be a DNS problem.
run the following command from the command prompt:
telnet mx1.hotmail.com 25
If it fails and shows "Connect Failed", then you have to check your DNS settings under TCP/IP settings in Network connections.

(addresses mentioned above are hotmail's mail servers)
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16881305
We have permission of the ISP as I have been on the phone with them it is a t1 line.
ptr is fine but when i telnet all i get is: 220 ***********************************************************22******0********
00*2**00***********************200**0***2*0***0*00
HELO or EHLO do not get a response.  I am testing this from my location on the internet because i do not have access to the lan at the moment-i am not at the office.
i got results from GFI Languard that said there were mx records and dnsstuff said it found MX record.  Also no HINFO records found. (whatever that means)
Do you know of an easy way to determine if my DNS is configured correctly?
0
 
LVL 10

Expert Comment

by:naveedb
ID: 16881366
You will need to test it at the Server where post.office is installed. Even if you are able to connect from your home, it will not give any information on your office.

Same applies to DNS.
0
 
LVL 3

Expert Comment

by:papimichel
ID: 16881374
try the following:
start>run>cmd
nslookup
set type=mx
hotmail.com

 this command must result with the following lines:
Server:  xxxxx.yyyyy.zzz
Address:  xxx.xxx.xxx.xxx

Non-authoritative answer:
Name:    hotmail.com
Addresses:  64.4.33.7, 64.4.32.7

the above lines mean that your computer queried the dns server with the domain name hotmail.com and it returned the ip addresses 64.4.33.7, 64.4.32.7

if you don't see the ip addresses that means that DNS is not configured properly.
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16881381
Thank you
I will try that tomorrow and get back to you
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 80 total points
ID: 16881397
>HELO or EHLO do not get a response
This is due to the PIX firewall's fixup smtp feature. To disable it from the command line:
 pixfirewall#config t
 pixfirewall(config)#no fixup protocol smtp 25
 pixfirewall(config)#exit
 pixfirewall#write mem

Do you have any outbound access-lists on either the PIX or the router?
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 16881495
First Try to Disable the Mail Guard feature on the Cisco PIX firewall..! and see if it works ?

Second, Try to disable SMTP inspection on the firewall/router. I'm not sure what's the exact command to do so but you can contact cisco to give you the appropriate command...


Re-Check the configuration of the firewall ... Check this link..
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008032cd24.shtml
0
 
LVL 23

Expert Comment

by:Erik Bjers
ID: 16881876
Make sure you have the correct MX records for your mail server in your DNS (or whoever hosts your DNS), as well as the correct reverse lookup zones.

eb
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16882222
Ebjers, when I go to dnsstuff.com and do an email test it says that my mx records point to the correct ip address. Also the website hosted on the same server is accessible by www.domainname.com
Thanks ebjers
0
 
LVL 3

Expert Comment

by:papimichel
ID: 16882239
as you described the problem, mail doesn't go out of your mail server, thus, there is no need to check MX configuration.
what you have to check is the outgoing line from the mail server's side.

0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16882246
moh10ly,
Thanks I will try that.  Do you know how to determine if mailguard is enabled or even available?
lrmoore -thanks for the specifics, I will put these to the test asap. Probably tuesday I will go to location.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16882310
The fixup "is" the mailguard feature of the PIX firewall
The results of your telnet session almost guarantees that this feature is enabled.
Use the commands in my previous post above to disable it.
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16882321
Hi I am now able to telnet into server from home
250 srv-1.domain.COM
500 Command unknown: 'MAILFROM'
501 Usage: MAIL FROM:<sender>
503 Bad sequence of commands (specify MAIL first)
503 Bad sequence of commands (specify MAIL first)
500 Command unknown: 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'


I do not understand bad sequence of commands.   I tried rcpt to: me@otherdomain.com, but I get 503 bad sequence of commands.
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16882366
ok exciting (never used telnet to send email) progress.  The email never arrived however!
Here's the telnet session:
250 Srv-1.domain.COM
500 Command unknown: 'MAILFROM'
501 Usage: MAIL FROM:<sender>
503 Bad sequence of commands (specify MAIL first)
250 Sender <laura@domain.com> Ok
250 Recipient <laura@other-domain.com> Ok
354 Ok Send data ending with <CRLF>.<CRLF>
250 Message received: 20060611233351421.AAA536@srv-1.domain.COM@srv-1.domain.com

Does this mean the problem is the firewall??
0
 
LVL 57

Expert Comment

by:giltjr
ID: 16882376
telnet xxx 25
HELO dom.com
MAIL FROM:<aaaaaa>
RCPT TO:<bbbbb>
DATA
From: You
To: You
Subject: Test
"press enter"
yada
yada
yada
"press enter"
.
"press enter"
QUIT

Replace aaaaa with a valid e-mail address, it MUST be enclosed in <>.
Replace bbbbb with a valid e-mail address, it MUST be enclosed in <>.
Do not actually type "press enter" you should actually press the enter key.

Please note there is a period in between the last two "press enters", it is very important that you actually enter in a period there.




0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16882377
I can not disable smtp fixup from current location so I might be at a temporary impasse.
0
 
LVL 23

Assisted Solution

by:Mohammed Hamada
Mohammed Hamada earned 80 total points
ID: 16882391
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16882490
giltjr ,
thanks giltjr,   commands seem to work fine, but still no email sent to remote location.
220 ***********************************************************22******0********00*2**00***********************200************0*00

250 srv-1.domain.COM
250 Sender <laura@domain.com> Ok
250 Recipient <laura@other-domain.com> Ok
354 Ok Send data ending with <CRLF>.<CRLF>
250 Message received: 20060612004329687.AAA1632@srv-1.domain.COM@domain.com

obviously i am changing real domain name for security.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 16882773
O.K.  Now do this same thing from your SMTP server, but telnet to port 25 to "other-domain.com" SMTP server.

To find out what it is, from your SMTP server enter the command:

     nslookup -type=mx other-domain.com


0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16883479
Giltjr,
what am I looking for? The other-domain.com can be any of several that never receive the email message.  I will post here.

C:\Documents and Settings\admin> nslookup -type=mx other-domain.com
*** Can't find server name for address 192.168.1.1: Non-existent domain
*** Default servers are not available
Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
other-domain.com  MX preference = 10, mail exchanger = mail.other-domain

mail.other-domain     internet address = 66.155.155.155

C:\Documents and Settings\admin>
C:\Documents and Settings\admin> nslookup -type=mx domain.com
*** Can't find server name for address 192.168.1.1: Non-existent domain
*** Default servers are not available
Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
domain.com     MX preference = 10, mail exchanger = MAIL.domain.com

MAIL.domain.com        internet address = 66.100.xxx.xxx
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16883488
sorry for that I copied much space by mistake oops!
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16883496
Sorry again Giltjr,
I really misunderstood and did nslookup from home. I will telnet and attempt to nslookup from mail.domain.com server.
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16883513
Giltjr,
I guess I will have to physically go to the mail server and use the command prompt to use nslookup.  I want to restate however that it doesn't matter where I send the mail on the internet it never arrives, but does arrive on the LAN (within the office)
Thanks
0
 
LVL 57

Expert Comment

by:giltjr
ID: 16885145
If your SMTP server is unable to do name resolution correctly or to connect to any SMTP server, then no e-mail will ever get delivered.

Doing the nslookup from your SMTP server will show if it can do name resolution correctly.  Doing the telnet test from your SMTP server will show if it can connect to remote SMTP servers correctly.

If one of the tests fails, then you know where your problem is.  If they both work, then you will be able to hear me scratch my head for awhile. :)
0
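The two checks from the comment above (an MX lookup, then a port 25 connection, both run from the mail server), together with the asterisk-masked 220 greeting seen earlier in the thread, as an added example that is not part of the original thread. The sample inputs are constructed, modelled on output quoted in the thread; the verdict names and the EHLO name `probe.example` are assumptions made for the example.

```python
import re
import socket
import subprocess
import sys

# Matches the MX lines printed by Windows "nslookup -type=mx <domain>".
MX_LINE = re.compile(r"MX preference\s*=\s*(\d+),\s*mail exchanger\s*=\s*(\S+)", re.I)

# Constructed samples, modelled on output quoted in the thread.
SAMPLE_MX_OUTPUT = """\
Server:  srv-1
Address:  10.220.10.52

Non-authoritative answer:
hotmail.com     MX preference = 5, mail exchanger = mx4.hotmail.com
hotmail.com     MX preference = 5, mail exchanger = mx1.hotmail.com
"""
SAMPLE_SOA_OUTPUT = """\
Server:  resolver1.qwest.net
Address:  205.171.3.65

OUR_DOMAIN.COM
        primary name server = NS45.WORL
        serial  = 2004093000
"""
SAMPLE_MASKED_BANNER = "220 *******************************22******0********\r\n"
SAMPLE_CLEAR_BANNER = "220 mx.example.test ESMTP ready\r\n"

# Verdict names are this example's own labels.
VERDICTS = {
    "dns": "No MX records returned: fix name resolution on the mail server.",
    "blocked": "MX resolves but TCP 25 does not connect: check firewall, router, ISP.",
    "inspection": "220 greeting is masked with asterisks: an SMTP inspection device is in the path.",
    "no-ehlo": "Connected, but EHLO got no 250 reply.",
    "path-ok": "DNS and port 25 both work: look at the mail server software itself.",
}


def parse_nslookup_mx(text):
    """Return sorted (preference, host) pairs found in nslookup MX output."""
    records = [(int(m.group(1)), m.group(2).rstrip(".").lower())
               for m in MX_LINE.finditer(text)]
    return sorted(records)


def banner_is_masked(banner):
    """True when a 220 greeting consists mostly of asterisks."""
    line = banner.strip()
    if not line.startswith("220"):
        return False
    body = line[3:].lstrip(" -")
    return len(body) >= 10 and body.count("*") / len(body) > 0.5


def probe(host, port=25, timeout=10.0, helo_name="probe.example"):
    """Connect, read the greeting, send EHLO, read the reply, then QUIT."""
    result = {"connected": False, "banner": "", "ehlo_reply": "", "error": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["connected"] = True
            result["banner"] = sock.recv(1024).decode("ascii", "replace")
            sock.sendall(f"EHLO {helo_name}\r\n".encode("ascii"))
            result["ehlo_reply"] = sock.recv(4096).decode("ascii", "replace")
            sock.sendall(b"QUIT\r\n")
    except OSError as exc:  # refused, unreachable, or timed out
        result["error"] = str(exc)
    return result


def diagnose(mx_records, probe_result):
    """Apply the checks in the order the thread runs them."""
    if not mx_records:
        return "dns"
    if probe_result is None or not probe_result.get("connected"):
        return "blocked"
    if banner_is_masked(probe_result.get("banner", "")):
        return "inspection"
    if not probe_result.get("ehlo_reply", "").startswith("250"):
        return "no-ehlo"
    return "path-ok"


if __name__ == "__main__":
    # Live run from the mail server: python smtp_triage.py <recipient-domain>
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    try:
        output = subprocess.run(["nslookup", "-type=mx", domain],
                                capture_output=True, text=True).stdout
    except OSError:
        output = ""
    mx = parse_nslookup_mx(output)
    outcome = probe(mx[0][1]) if mx else None
    verdict = diagnose(mx, outcome)
    print(f"{domain}: {verdict} - {VERDICTS[verdict]}")
```
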
 
LVL 79

Expert Comment

by:lrmoore
ID: 16885195
If there is a problem with name resolution on the server, there is one more fixup on the PIX Firewall that can be adjusted:

 default = fixup protocol dns maximum-length 512
 change to = fixup protocol dns maximum-length 1024

0
 
LVL 13

Expert Comment

by:prashsax
ID: 16885606
Can you telnet to port 25 from mail server.

Logon to Mail Server.

Goto command prompt.

type:
telnet mail.yahoo.com 25

If you can then your server can connect to outside world.

Try and send a mail manually as described by giltjr.

You can try and send mail to your yahoo.com mailbox.

If you received that mail, then there is some problem with mail server and not in the network.

If you can't then problem is within the network.
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16890124
Thank you for the excellent help everyone,
I will not be able to go to the premises to test until Wednesday.  I will try these things.  I can say that I can browse the internet from the server using the fqdn for any/most websites, but maybe this does not mean that the server is able to resolve all domain names.  I am currently using the qwest/isp provided DNS servers in the TCP/IP settings.
We have a domain controller on the premises, so maybe I should use it for dns instead of qwests addresses.  Clearly, I have things to learn about using DNS effectively, so I am cracking the books.  I was careful not to make the web server a domain controller, but the mail software (post.office), which is installed on the same computer, insisted that the computer be part of the domain.  This made me uncomfortable, because of my limited understanding of security implications.  So I was not certain on the proper way to configure DNS.  Should I use the domain controller as my DNS server?  And is nslookup an adequate way to test DNS?
Thank you everyone.
I will perform the nslookup ASAP
0
 
LVL 57

Expert Comment

by:giltjr
ID: 16891017
The important part for DNS is that the SMTP server needs to be able to look up MX records and resolve host names.  However you do that, is up to you.  You can either configure the box that the SMTP server is running on to use the Qwest resolvers or use your own internal ones.  As long as the SMTP server can make name resolution questions through your firewall to the Qwest resolvers it will work.

nslookup is the proper way to test name resolution on Windows.



0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16891201
giltjr,
thanks
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16909212
papimichel said:
try the following:
start>run>cmd
nslookup
set type=mx
hotmail.com

 this command must result with the following lines:
Server:  xxxxx.yyyyy.zzz
Address:  xxx.xxx.xxx.xxx

Non-authoritative answer:
Name:    hotmail.com
Addresses:  64.4.33.7, 64.4.32.7

the above lines mean that your computer queried the dns server with the domain name hotmail.com and it returned the ip addresses 64.4.33.7, 64.4.32.7

if you don't see the ip addresses that means that DNS is not configured properly.

I DID what was suggested and here is what the return was:

C:\Documents and Settings\Administrator
Default Server:  resolver1.qwest.net
Address:  205.171.3.65
> set type=mx
> hotmail.com
Server:  resolver1.qwest.net
Address:  205.171.3.65

OUR_DOMAIN.COM
        primary name server = NS45.WORL
        responsible mail addr = namehos
        serial  = 2004093000
        refresh = 10800 (3 hours)
        retry   = 3600 (1 hour)
        expire  = 604800 (7 days)
        default TTL = 7200 (2 hours)

Any ideas?  I found problems with the domain controller's dns which I am trying to resolve so the dns server in the tcp/ip properties is the one provided by my isp.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 16910927
That response is what I would expect if you did:

     set type=SOA
     OUR_DOMAIN.COM


You got back your domain's SOA record.  Are all of your computers set up to use the same resolver?  It is almost like Qwest is not allowing you to do MX queries.  What happens if you:

    nslookup
    www.hotmail.com


0
 
LVL 13

Expert Comment

by:prashsax
ID: 16911167
You should never specify ISP DNS on the network card on Domain Controller.

Instead, you should specify your Internal DNS IP as Primary and as Secondary.

Then Put ISPs DNS as forwarders in your DNS server.

Then your DNS server will resolve all the records correctly.

0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16911473
Hello giltjr and prashsax,
I have now put the domain controller dns server as the only dns server in the tcp/ip settings.  Here is what I got from nslookup for hotmail:

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\Documents and Settings\Administrator>nslookup hotmail
Server:  srv-1
Address:  10.222.10.52

*** Srv-1 can't find hotmail: Non-existent domain

C:\Documents and Settings\Administrator>nslookup
Default Server:  srv-1
Address:  10.222.10.52

> hotmail
Server:  srv-1
Address:  10.222.10.52

*** srv-1 can't find hotmail: Non-existent domain
>
0
 
LVL 3

Expert Comment

by:papimichel
ID: 16911497
try nslookup hotmail.com
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16911585
Sorry!  I've been up all night.  Here's hotmail.com


C:\Documents and Settings\Administrator>nslookup hotmail.com
Server:  srv-1
Address:  10.220.10.52

Non-authoritative answer:
Name:    hotmail.com
Addresses:  64.4.33.7, 64.4.32.7


C:\Documents and Settings\Administrator>nslookup
Default Server:  srv-1
Address:  10.220.10.52

> hotmail.com
Server:  srv-1
Address:  10.220.10.52

Non-authoritative answer:
Name:    hotmail.com
Addresses:  64.4.32.7, 64.4.33.7

0
 
LVL 13

Expert Comment

by:prashsax
ID: 16911616
Now, you can start looking MX records.

nslookup
>set type=mx
>hotmail.com

This should return the MX record for hotmail.com domain.

If it does, then your DNS is working properly.

0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16911653

> set type=mx
> hotmail.com
Server:  srv-1
Address:  10.220.10.52

Non-authoritative answer:
hotmail.com     MX preference = 5, mail exchanger = mx4.hotmail.com
hotmail.com     MX preference = 5, mail exchanger = mx1.hotmail.com
hotmail.com     MX preference = 5, mail exchanger = mx2.hotmail.com
hotmail.com     MX preference = 5, mail exchanger = mx3.hotmail.com

hotmail.com     nameserver = ns1.msft.net
hotmail.com     nameserver = ns2.msft.net
hotmail.com     nameserver = ns3.msft.net
hotmail.com     nameserver = ns4.msft.net
hotmail.com     nameserver = ns5.msft.net
mx1.hotmail.com internet address = 64.4.50.50
mx1.hotmail.com internet address = 65.54.244.8
mx1.hotmail.com internet address = 65.54.244.136
mx1.hotmail.com internet address = 65.54.245.8
mx2.hotmail.com internet address = 65.54.245.40
mx2.hotmail.com internet address = 65.54.190.50
mx2.hotmail.com internet address = 65.54.244.40
mx2.hotmail.com internet address = 65.54.244.168
mx3.hotmail.com internet address = 64.4.50.179
mx3.hotmail.com internet address = 65.54.244.72
mx3.hotmail.com internet address = 65.54.244.200
mx3.hotmail.com internet address = 65.54.245.72
mx4.hotmail.com internet address = 65.54.190.179
mx4.hotmail.com internet address = 65.54.244.104
mx4.hotmail.com internet address = 65.54.244.232
mx4.hotmail.com internet address = 65.54.245.104
ns1.msft.net    internet address = 207.68.160.190
ns2.msft.net    internet address = 65.54.240.126
ns3.msft.net    internet address = 213.199.144.151
>
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16911672
Yes, your DNS is working fine now.

Just try and send emails now.

They should reach to the destination.

0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16911697
thanks I will try, because I have been getting mx lookup timeouts in the logs
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16911771
The timeouts were due to incorrect DNS setup.

Now this should work.

0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16911797
I am sorry to say that no mail is arriving to three different addresses including hotmail.com
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16911834
I got one error back saying 5.7.1 relaying denied
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16911851
Can you do a telnet from your mail server to one of the mail servers of hotmail.com

e.g

telnet mx1.hotmail.com 25

If this works, then there is something wrong either on your Mail Server or your Outlook Config.

Second test, try and telnet on port 25 on your mail server itself.

From some client PC.

Telnet Mail_Server_IP 25

this should open a black window. If it doesn't then your mail server is running a firewall.


0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16911902
i just looked in the log and it said: smtp-deliver: warning: mx lookup for hotmail.com timed out
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16911904
So, this shows your Mail Server is configured not to relay mails.

You need to specify your Internal LAN subnet in relay permit list.

I know how to do it on Exchange. There should be some way to do it on your server as well.
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16911957
What is the DNS server on the Mail Server.

It should be pointing to your Internal DNS server only and not the ISPs.

0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16911979
I will try the telnets, but I only get a relay error on one address.  I am sending from the mail server.  I tried allowing ALL relays and I still got an error on this particular email address.
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16912002
So, you mean that you are able to send mails to yahoo.com and gmail.com , but get relay error for just hotmail.com.
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16912019
I am unable to connect via telnet to: mx1.hotmail.com on port 25
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16912037
No mail arrives at any location, but I do not receive relay bounce messages except for the one address.
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16912055
I can telnet from a client to the mail server.
0
 
LVL 13

Accepted Solution

by:
prashsax earned 100 total points
ID: 16912067
Check your firewall for access-list.

It could be possible that firewall is blocking the hotmail.com's IP address.

Use tracetcp.

It will tell you on which hop you are being blocked.

http://tracetcp.sourceforge.net/

Syntax:
tracetcp mx1.hotmail.com:25 -m 30

This will show you the hops to hotmail.com

Then compare it with normal traceroute.

Syntax:
tracert mx1.hotmail.com
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16912094
Use this from Mail server, as you cannot connect from mail server to mx1.hotmail.com
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16912244
I am getting request timed out from tracetcp.  I posted with a similar issue regarding tracert and everyone told me that it does not matter.
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16912263
C:\Documents and Settings\Administrator>tracetcp.exe mx1.hotmail.com:25 -m 30

Tracing route to 64.4.50.50 [mc1-reserved.bay6.hotmail.com] on port 25
Over a maximum of 30 hops.
1       *       *       *       Request timed out.
2       *       *       *       Request timed out.
3       *       *       *       Request timed out.
4       *       *       *       Request timed out.
5       *       *       *       Request timed out.
6       *       *       *       Request timed out.
7       *       *       *       Request timed out.
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16912311
Here is the other post, but it's a mess!
http://www.experts-exchange.com/Networking/Q_21880379.html
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16912333
Well tracetcp does matter.

It seems there is an antivirus installed on your mail server which is blocking connection to port 25.

Just check, if it's McAfee it sure does this.

Check if some firewall (software) is installed on it or any other antivirus is installed which is blocking port 25 connections.
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16912369
I am using AVG on the mail server and no other spyware, malware type utilities.  We are behind a pix firewall and I have disabled smtp fixup also icmp is set for any any.
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16912424
Does your PIX have a rule for SMTP outbound access?

It should have a rule defined for your mail server to use SMTP.

Source:       Mail Server
Destination: ANY
Port:           SMTP(25)


0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16912425
I have just  disabled the avg email plugin and still get the same timed out.
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16912433
I do not think the pix has a rule for outbound.
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16912445
I can telnet to the pix 506.  do you know the command to find this out?
0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 16912463
Have you checked your firewall settings and make sure that the mail guard is disabled ?
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16912495
yes mail guard is disabled and conduit smtp 25 any
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16912517
Your PIX is not allowing the connection outside.

just to be sure, try and telnet to mx1.hotmail.com on port 25.

If you can't then its sure your pix is not allowing the smtp packets.
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16912543
I also am behind a 2524 router, and I have not configured any outbound, because I am not sure how to do it.  Is it possible that the router is the problem?
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16912577
First resolve the mx1.hotmail.com to its IP.

Then,
Telnet to router.

enable

then

telnet HOTMAIL_IP 25

this should connect.

Else paste the router config here, Just make sure to alter Public IP address.

0
 
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 16912638
Try to reconfigure your pix firewall, follow the instructions in this website.
http://www.velocityreviews.com/forums/t28986-pix-firewall.html
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16912901
Please tell me command to get desired output from router and pix.  For instance do you want show running-config from router?  What do you want to see from PIX.  I am very new to cisco commands.
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16912989
router#show running-config
Building configuration...

Current configuration:
!
version 11.0
service udp-small-servers
service tcp-small-servers
!
hostname router
!
enable secret xxxxxxxxxxxxxxxxxxxxxxxxx
enable passwordxxxxxxxxxxxxxxxxxxxxx
!
!
interface Ethernet0
 ip address 99.99.99.99 255.255.255.224
!
interface Serial0
 ip address 99.99.99.99 255.255.255.252
!
interface Serial1
 no ip address
 shutdown
!
ip name-server 222.222.3.65
ip name-server 222.222.2.65
ip route 0.0.0.0 0.0.0.0 99.99.99.99
!
line con 0
line aux 0
 transport input all
line vty 0 4
 password xxxxxxxxxxxxxxxxx
 login
!
end
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16913129
pix# show configure
: Saved
:
PIX Version 5.1(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100

hostname pix
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
fixup protocol http 81
no fixup protocol smtp 25
names
pager lines 24
logging on
no logging timestamp
no logging standby
no logging console
no logging monitor
no logging buffered
no logging trap
no logging history
logging facility 20
logging queue 512
interface ethernet0 10baset
interface ethernet1 10baset
mtu outside 1500
mtu inside 1500
ip address outside 99.99.99.99 255.255.255.224
ip address inside 192.168.1.1 255.255.255.0
arp timeout 14400
global (outside) 99.99.99.99
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) 99.99.99.99 192.168.1.22 netmask 255.255.255.255 0 0
conduit permit icmp any any
conduit permit tcp host 99.99.99.99 eq smtp any
conduit permit tcp host 99.99.99.99 eq www any
conduit permit tcp host 99.99.99.99 eq 4899 any
route outside 0.0.0.0 0.0.0.0 99.99.99.99 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
isakmp identity hostname
telnet xx.xx.xx.xx 255.255.255.255 inside
telnet xx.xx.xx.xx 255.255.255.255 inside
telnet timeout 15
terminal width 80
Cryptochecksum:1a91d054a2c72a88a3092214f089c465
pix#
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16913139
I need some sleep-any help will be appreciated when I wake up. :-)  thanks again   Laura
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16913449
Router requires no configuration. It has no ACLs.

With this config on PIX,
are you able to browse internet?

I mean could you do:

telnet google.com 80

This should bring a blank screen.

Try adding this line to conduits.

conduit permit tcp 192.168.1.22 eq smtp any

192.168.1.22 is your MAIL server.



0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16916522
ok i have entered the commands
conduit permit tcp 192.168.1.22 eq 25 any
and
conduit permit tcp 111.111.111.111 eq 25 any
111.111.111.111 is the outside ip address
The reason i did not use conduit permit tcp 192.168.1.22 is because the pix would NOT accept the command for some reason
Thanks
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16916607
I am still getting all time outs except for last hop when using tracert or tracetcp.
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16916759
As per this cisco document:http://www.cisco.com/warp/public/110/pixtrace.html  
I also entered the following commands to the pix:
access-group 101 in interface outside
access-list 101 permit icmp any host 209.165.200.246 unreachable
access-list 101 permit icmp any host 209.165.200.246 time-exceeded
access-list 101 permit icmp any host 209.165.200.246 echo-reply
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16916769
People have been working hard on this question. If there is a way to add points, let me know.
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16916890
When do: telnet mx1.hotmail.com 25
I get:
220 bay0-mc5-f14.bay0.hotmail.com Sending unsolicited commercial or b
to Microsoft's computer network is prohibited. Other restrictions are
ttp://privacy.msn.com/Anti-spam/. Violations will result in use of eq
ated in California and other states. Thu, 15 Jun 2006 17:30:34 -0700
0
 
LVL 57

Expert Comment

by:giltjr
ID: 16917181
That means you can connect outbound to a remote SMTP server.  Hopefully you did this from your SMTP server.

This means that you have now got the SMTP server set to resolve names and connect to remote SMTP server.  You should, hopefully, be working now.

One last possible issue is that some SMTP servers are configured to not accept e-mail unless you have a PTR record set up to resolve to a FQDN that is within the domain that your SMTP server is configured to send e-mail for.  Not all e-mail servers do this, just some.
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16917625
Hi all Thanks for the excellent help
The Mail server is now working-
a couple things that I did were:
1) configure a dns server on the mail server instead of using the domain controller's dns server
2) add the following commands to the pix router.
conduit permit tcp host 10.110.10.20 eq smtp any
conduit permit icmp host 63.145.241.36 any unreachable
conduit permit icmp host 63.145.241.36 any time-exceeded
conduit permit icmp host 63.145.241.36 any echo-reply
0
 
LVL 1

Author Comment

by:lizardqueen007
ID: 16919829
The Mail server is now working well.   As soon as I installed DNS on the mail server instead of using the domain controller's DNS, it started working.  One of the problems diagnosing I believe was the firewall blocking tracert and Nslookup.
Laura
0
 
LVL 57

Expert Comment

by:giltjr
ID: 16925134
You may want to have the SMTP server test using your domain controller's DNS server again.  Of course you should do this ONLY after you test doing the nslookup functions on your domain controller to make sure it can resolve external host names correctly.

In a Windows world it is best to use the DNS server on your domain controllers when ever possible.
0
