?
Solved

Messages hang in the SMTP queue in Exchange System Manager - An SMTP protocol error has occurred

Posted on 2007-04-10
4
Medium Priority
?
724 Views
Last Modified: 2010-04-09
How do I disable application layer filtering of SMTP traffic on my PIX firewall from the PDM?  I need to do this in order to fix a problem where outbound emails through Microsoft Exchange 2003 sits in the SMTP queue and then comes back with an error message, "An SMTP protocol error has occurred."

Some of the email goes out fine, but depending on the domain name, it may or may not sit in the queue and never get delivered.
0
Comment
Question by:cullendrea
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 18884816
With a PIX, there are a couple of issues that can cause this. Assuming you are running PIX 6.3x....
1 - smtp fixup. Did you disable this?
  no fixup protocol smtp
2 - outbound IP address. Is your exchange server's outgoing IP address the same as the inbound/MX record IP address?
 Example YES:
 static (inside,outside) <public ip> <private ip> netmask 255.255.255.255
 Example NO:
 global (outside) 1 interface
 nat (inside) 1 0 0 0
 static (inside,outside) tcp <MX public ip> smtp <private ip> smtp netmask 255.255.255.255

In the first example, all traffic both inbound and outbound from the server is bound to the same public IP. In the second example, inbound smtp traffic comes in to the MX public ip, but outbound email goes out as a dynamic xlate using the global ip address. Some upstream servers will not accept email coming from a different IP address than it finds with a MX record lookup for your domain.

3 - DNS fixup. Did you increase the dns size from default 512 to something bigger like 1024?
  fixup protocol dns maximum-length 512  <== Default
  fixup protocol dns maximum-length 1024 <== change to this

4 - If you are not using the latest PIX 6.3x OS, there are some bugs in the fixups. 6.3(1) is particularly buggy. Suggest updating to at very least 6.3(5) as most recent, most stable version.
5 - If you are using PIX 7.x OS, same issues with DNS inspect and the new esmtp inspect, same issue with inbound/outbound IP address differences..
0
 

Author Comment

by:cullendrea
ID: 18885210
Thank you for the suggestions.

I logged into the PIX and ran:
no fixup protocol smtp

The Exchange Server's outgoing IP address is different than the inbound MX record IP, but the nat rule and static commands had previously been run.

I did increase the DNS size to 1024 which helped with most but not all of the SMTP message queues.

The PIX OS is 6.3.4.

I still have the same problem only with wending to two different domain names now.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18885303
Progress is good, no?

>The Exchange Server's outgoing IP address is different than the inbound MX record IP,
As long as this is true, you will always have certain domains that simply will not accept email from you.
What does the current global/nat/static look like now?

>The PIX OS is 6.3.4
No big issues with this OS, but I'd still go ahead and upgrade to 6.3(5) if possible
0
 

Author Comment

by:cullendrea
ID: 18885441
The rest of the messages cleared out of the queue after a short period of time.  It sounds as if changing the maximum length of the fixup protocol for dns fixed it.  Thank you for your help.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
A couple of months ago we ran into an issue that necessitated re-creating our Edge Subscriptions. However, when we attempted to execute the command: New-EdgeSubscription -filename C:\NewEdgeSub_01.xml we received an error indicating that the LDAP se…
This video discusses moving either the default database or any database to a new volume.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question