  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 789

Unreliable inbound email from Gmail.

Currently we are unable to receive email from certain Gmail accounts. We do get 9 out of 10 messages from Gmail.com; the 1 out of 10 leaves a log of "Connected to 67.1xxx.xxx.xxx but connection died. (#4.4.2)" at MessageLabs. We have been all over Exchange 2007 and spent hours with MessageLabs tech support, and nobody can identify the reason for this odd behavior.

Our environment: Cisco ASA firewall, Exchange 2007 EE, MessageLabs Spam Filtering, 4.5 m/b ISP connection.

MTU on the ASA is 1500 and we are not using any fixup.

Anybody seen this before or have any thoughts as to what to check next?
Asked:
ckirt
 
ckirt (Author) Commented:
After checking further with the end users, this problem pops up when someone at Gmail attempts to reply or forward a message back to our organization. Yes, the reply-to address is correct and works with other domains, just not Gmail.
 
lrmoore Commented:
Do you have 1-1 static NAT for public IP to Exchange, or are you using port xlate and outbound could be a different IP address?
Example:
Do you have something like this:
 static (inside,outside) pub.lic.ip.ad pri.vat.e.ip netmask 255.255.255.255 0 0
Or like this:
 static (inside,outside) tcp publicip smtp privateip smtp netmask 255.255.255.255 0 0
 
ckirt (Author) Commented:
We have
static (Inside, Outside) 67.XXX.XXX.XXX IRON netmask 255.255.255.255

Iron is the name of our mail server, so we have the first of your examples.
 
lrmoore Commented:
OK. Do you have an inspect policy to allow > 512 DNS?
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1024  <== anything > default 512?

 
lrmoore Commented:
Also, do you have inspect esmtp enabled?
   inspect esmtp

If yes, suggest disabling it and continue testing.
 
ckirt (Author) Commented:
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect esmtp
 
What is the command to stop inspecting esmtp? no inspect esmtp?
 
lrmoore Commented:
Suggest increasing to greater than 512 and disabling esmtp.

policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  no inspect esmtp
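An offline check for the two settings changed in the reply above, as an added example that is not part of the thread: it replays the posted policy-map lines in order and reports whether esmtp inspection is still active and whether the DNS inspection map still limits messages to 512 bytes. The function names and report strings are hypothetical, and the sample input is constructed from the configuration quoted in the posts.

```python
# Constructed input: the policy ckirt posted, and lrmoore's change derived from it.
BEFORE = """\
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect esmtp
"""
CHANGE = (BEFORE.replace("maximum 512", "maximum 1024")
          .replace("  inspect esmtp", "  no inspect esmtp"))

def apply_commands(text, state=None):
    """Replay policy-map commands in order (hypothetical helper); return state."""
    state = state or {"dns_max": {}, "inspect": {}}
    pmap = kind = cls = None
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[0] == "policy-map":
            # "type inspect dns NAME" is an inspection map; a bare NAME holds classes.
            typed = words[1:3] == ["type", "inspect"] and len(words) > 4
            kind, pmap, cls = (words[3] if typed else None), words[-1], None
        elif words[0] == "class" and len(words) > 1:
            cls = words[1]
        elif kind == "dns" and words[:2] == ["message-length", "maximum"]:
            if words[2:] and words[2].isdigit():
                state["dns_max"][pmap] = int(words[2])
        elif kind is None and cls and words[0] == "inspect" and len(words) > 1:
            state["inspect"].setdefault((pmap, cls), {})[words[1]] = (words + [None])[2]
        elif kind is None and cls and words[:2] == ["no", "inspect"] and words[2:]:
            state["inspect"].get((pmap, cls), {}).pop(words[2], None)
    return state

def findings(state):
    """Report the two settings the thread changed, if still at the posted values."""
    out = []
    for (pmap, cls), protos in sorted(state["inspect"].items()):
        if "esmtp" in protos:
            out.append(f"{pmap}/{cls}: esmtp inspection enabled")
        limit = state["dns_max"].get(protos.get("dns"))
        if limit is not None and limit <= 512:
            out.append(f"{pmap}/{cls}: DNS map {protos['dns']} limit {limit}")
    return out

if __name__ == "__main__":
    before = apply_commands(BEFORE)
    print(findings(before), findings(apply_commands(CHANGE, before)))
```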
 
ckirt (Author) Commented:
You're right, just added this script to the ASA and it worked like a charm. My email account has now gotten several messages from Gmail that had been hanging out in the MessageLabs queue for over a day.

policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  no inspect esmtp

Thank you for the help, you made my day.
 
lrmoore Commented:
Glad to hear it!

- Cheers, mate!
 
kivelait1 Commented:
LRMoore...thank you so much for posting the above Cisco ASA firewall statement fix. However, we are using a PIX version 5. Can that statement be applied to a PIX firewall config?

Thank you much