
Not receiving mail on exchange with port 25 open. Exchange 2003 / Pix 506e

penningtonj asked (Last Modified: 2013-11-16):
We have our MX records set to deliver mail here as priority 5, then to the old host as priority 15. Once I get 25 open properly it should come in no problem. I turned off fixup protocol smtp, set a static rule to go to the exchange server (192.168.1.3), and allowed tcp traffic on port 25 through the ACL. I must be doing something wrong.

Here is my current configuration.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password e8dnxwQsFhiGPRPq encrypted
passwd e8dnxwQsFhiGPRPq encrypted
hostname twhouse.com
domain-name twhouse.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names        
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host xxx.xxx.238.143 eq pptp
access-list acl_out permit gre any host xxx.xxx.238.143
access-list acl_out permit tcp any interface outside eq www
access-list acl_out permit udp any interface outside eq www
access-list acl_out permit tcp any interface outside eq https
access-list acl_out permit tcp any interface outside eq 993
access-list acl_out permit tcp any interface outside eq 123
access-list acl_out permit tcp any interface outside eq smtp
access-list 101 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list 102 permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
pager lines 24
logging on    
logging monitor debugging
logging buffered debugging
logging trap debugging
logging history debugging
logging host inside 192.168.1.3
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.238.143 255.255.255.128
ip address inside 192.168.1.254 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp interface www 192.168.1.3 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface https 192.168.1.3 https netmask 255.255.255.255 0 0
static (inside,outside) tcp interface 993 192.168.1.3 993 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 993 192.168.1.3 993 netmask 255.255.255.255 0 0
static (inside,outside) udp interface 443 192.168.1.3 443 netmask 255.255.255.255 0 0
static (inside,outside) udp interface www 192.168.1.3 www netmask 255.255.255.255 0 0
static (inside,outside) tcp interface pptp 192.168.1.3 pptp netmask 255.255.255.255 0 0
static (inside,outside) tcp interface smtp 192.168.1.3 smtp netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 xxx.xxx.238.129 1
route inside 10.0.100.0 255.255.255.0 192.168.1.251 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community 0192837465
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 1 ipsec-isakmp
crypto map mymap 1 match address 102
crypto map mymap 1 set peer 72.149.219.154
crypto map mymap 1 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address 72.149.219.154 netmask 255.255.255.255
isakmp keepalive 10
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 5
ssh xxx.yyy.84.134 255.255.255.255 outside
ssh timeout 5
console timeout 0
terminal width 80
Cryptochecksum:c4d3eef28843bfb0d0465d7c9714712d
: end  


External IP addresses masked for security

Author commented:
That still didn't do it.

Here are the MX records ...

twhouse.com.      MX      IN      86400      twhexc.twhouse.com. [Preference = 5]
twhouse.com.      MX      IN      86400      mailserver.hollandcomputers.com. [Preference = 15]

Mail still comes through on the second server. I can telnet into port 25 from within the network, but I can't from the outside. I'm not sure if I'm supposed to be able to from the outside, but thought I would add that piece of information.
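An added diagnostic (not part of the thread) that parses the MX records quoted above and probes each host on port 25 in the order a sending MTA would try them, which is exactly why mail keeps landing on the preference-15 host while the preference-5 host does not answer from outside. Run it from a machine outside the network; the `fake_connector` helper is an assumption added only so the logic can be exercised offline.

```python
"""Which MX host for twhouse.com actually answers on port 25 from here?"""
import re
import socket

# MX records copied from the post above (nslookup-style output).
MX_TEXT = """
twhouse.com.      MX      IN      86400      twhexc.twhouse.com. [Preference = 5]
twhouse.com.      MX      IN      86400      mailserver.hollandcomputers.com. [Preference = 15]
"""

MX_LINE = re.compile(r"^\S+\s+MX\s+IN\s+\d+\s+(\S+?)\.?\s+\[Preference = (\d+)\]$")


def parse_mx(text):
    """Return (preference, host) pairs sorted as a sending MTA tries them: lowest preference first."""
    records = []
    for line in text.strip().splitlines():
        m = MX_LINE.match(line.strip())
        if m:
            records.append((int(m.group(2)), m.group(1)))
    return sorted(records)


def smtp_banner(host, port=25, timeout=5):
    """Open a TCP connection and read the SMTP greeting; None if the port is filtered or closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(512).decode("ascii", "replace").strip()
    except OSError:
        return None


def fake_connector(answering_hosts):
    """Offline stand-in for smtp_banner: only the named hosts return a 220 greeting."""
    return lambda host, port=25, timeout=5: ("220 %s ESMTP" % host) if host in answering_hosts else None


def probe_mx(text, connect=smtp_banner):
    """Probe every MX in preference order; report where a remote sender would end up delivering."""
    results = []
    for pref, host in parse_mx(text):
        banner = connect(host)
        results.append({"pref": pref, "host": host, "reachable": bool(banner and banner.startswith("220"))})
    delivers_to = next((r["host"] for r in results if r["reachable"]), None)
    return results, delivers_to


if __name__ == "__main__":
    results, target = probe_mx(MX_TEXT)
    for r in results:
        print("%3d  %-40s %s" % (r["pref"], r["host"], "220 OK" if r["reachable"] else "no answer"))
    print("remote senders will deliver to:", target or "nobody (no MX host answered)")
```

If the preference-5 host answers from inside the LAN but not from this probe, the block is upstream of the Exchange server (the PIX rules or the ISP), not Exchange itself.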

Author commented:
Alright, the problem is that our ISP is blocking incoming on port 25.

We have access to another mail server outside the network. How can I have the admin of that server configure it to accept mail on 25, send it out an alternate port, and have my server accept it on that alternate port?