ckirt
asked on
Unreliable inbound email from Gmail.
Currently we are unable to receive email from certain Gmail accounts. We do get 9 out of 10 messages from Gmail.com; the 1 out of 10 leaves a log of "Connected to 67.1xxx.xxx.xxx but connection died. (#4.4.2)" at MessageLabs. We have been all over Exchange 2007 and spent hours with MessageLabs tech support, and nobody can identify the reason for this odd behavior.
Our environment: Cisco ASA firewall, Exchange 2007 EE, MessageLabs Spam Filtering, 4.5 m/b ISP connection.
MTU on ASA is 1500 and we are not using any fixup.
Anybody seen this before or have any thoughts as to what to check next?
Do you have 1-1 static NAT for public IP to Exchange, or are you using port xlate, so that outbound could be a different IP address?
Example:
Do you have something like this:
static (inside,outside) pub.lic.ip.ad pri.vat.e.ip netmask 255.255.255.255 0 0
Or like this:
static (inside,outside) tcp publicip smtp privateip smtp netmask 255.255.255.255 0 0
ASKER
We have
static (Inside, Outside) 67.XXX.XXX.XXX IRON netmask 255.255.255.255
Iron is the name of our mail server, so we have the first of your examples.
OK. Do you have an inspect policy to allow > 512 DNS?
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 1024 <== anything > default 512?
Also, do you have inspect esmtp enabled?
inspect esmtp
If yes, suggest disabling it and continue testing.
ASKER
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect esmtp
What is the command to stop inspecting esmtp? no inspect esmtp?
ASKER CERTIFIED SOLUTION
ASKER
You're right, just added this script to the ASA and it worked like a charm. My email account has now gotten several messages from Gmail that had been hanging out in MessageLabs' queue for over a day.
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 1024
policy-map global_policy
 class inspection_default
  no inspect esmtp
Thank you for the help, you made my day.
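An added example, not part of the original thread: a small Python check that reads an ASA running-config and reports the two settings changed above (ESMTP inspection enabled in a service policy, and a DNS inspect map capping message length at 512). The sample configs are constructed from the lines the asker posted; the function names are hypothetical.

```python
import re

# Constructed sample: the policy the asker posted before the fix.
SAMPLE_BEFORE = """\
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect esmtp
"""
# Constructed sample: the same policy after the change described in the thread.
SAMPLE_AFTER = SAMPLE_BEFORE.replace("maximum 512", "maximum 1024").replace(
    "  inspect esmtp\n", "")

def parse_policy_maps(config):
    """Return (dns_limits, inspects): DNS inspect map -> max message length,
    and (policy-map, class) -> list of inspect argument lists."""
    dns_limits, inspects = {}, {}
    policy = dns_map = cls = None
    for raw in config.splitlines():
        line = raw.strip()  # indentation is not needed to follow the blocks
        head = re.match(r"policy-map(?: type inspect (\S+))? (\S+)$", line)
        limit = re.match(r"message-length maximum (\d+)$", line)
        if head:
            kind, name = head.groups()
            dns_map = name if kind == "dns" else None
            policy = name if kind is None else None
            cls = None
        elif policy and line.startswith("class "):
            cls = line.split()[1]
        elif dns_map and limit:
            dns_limits[dns_map] = int(limit.group(1))
        elif policy and cls and line.startswith("inspect "):
            inspects.setdefault((policy, cls), []).append(line.split()[1:])
    return dns_limits, inspects

def audit(config):
    """List the settings this thread changed that are still present."""
    dns_limits, inspects = parse_policy_maps(config)
    findings = []
    for (policy, cls), entries in inspects.items():
        for args in entries:
            if args[0] == "esmtp":
                findings.append(f"{policy}/{cls}: inspect esmtp enabled")
            elif args[0] == "dns" and len(args) > 1:
                limit = dns_limits.get(args[1])
                if limit is not None and limit <= 512:
                    findings.append(f"{policy}/{cls}: DNS map {args[1]} limits messages to {limit} bytes")
    return findings
```

Calling `audit()` on the text of `show running-config policy-map` returns an empty list once both changes are in place; it also works on config pasted without indentation.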
Glad to hear it!
- Cheers, mate!
LRMoore... thank you so much for posting the above Cisco ASA firewall statement fix. However, we are using a PIX version 5. Can that statement be applied to a PIX firewall config?
Thank you much
ASKER