• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1801
  • Last Modified:

Not receiving mail on exchange with port 25 open. Exchange 2003 / Pix 506e

We have our MX records set to deliver mail here as priority 5, then to the old host as priority 15. Once I get 25 open properly it should come in no problem. I turned off fixup protocol smtp, set a static rule to go to the exchange server (, and allowed tcp traffic on port 25 through the ACL. I must be doing something wrong.

Here is my current configuration.

PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 auto
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password e8dnxwQsFhiGPRPq encrypted
passwd e8dnxwQsFhiGPRPq encrypted
hostname twhouse.com
domain-name twhouse.com
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol pptp 1723
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
access-list acl_out permit icmp any any
access-list acl_out permit tcp any host xxx.xxx.238.143 eq pptp
access-list acl_out permit gre any host xxx.xxx.238.143
access-list acl_out permit tcp any interface outside eq www
access-list acl_out permit udp any interface outside eq www
access-list acl_out permit tcp any interface outside eq https
access-list acl_out permit tcp any interface outside eq 993
access-list acl_out permit tcp any interface outside eq 123
access-list acl_out permit tcp any interface outside eq smtp
access-list 101 permit ip
access-list 102 permit ip
pager lines 24
logging on    
logging monitor debugging
logging buffered debugging
logging trap debugging
logging history debugging
logging host inside
icmp permit any outside
mtu outside 1500
mtu inside 1500
ip address outside xxx.xxx.238.143
ip address inside
ip audit info action alarm
ip audit attack action alarm
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list 101
nat (inside) 1 0 0
static (inside,outside) tcp interface www www netmask 0 0
static (inside,outside) tcp interface https https netmask 0 0
static (inside,outside) tcp interface 993 993 netmask 0 0
static (inside,outside) udp interface 993 993 netmask 0 0
static (inside,outside) udp interface 443 443 netmask 0 0
static (inside,outside) udp interface www www netmask 0 0
static (inside,outside) tcp interface pptp pptp netmask 0 0
static (inside,outside) tcp interface smtp smtp netmask 0 0
access-group acl_out in interface outside
route outside xxx.xxx.238.129 1
route inside 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
no snmp-server location
no snmp-server contact
snmp-server community 0192837465
no snmp-server enable traps
floodguard enable
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto map mymap 1 ipsec-isakmp
crypto map mymap 1 match address 102
crypto map mymap 1 set peer
crypto map mymap 1 set transform-set myset
crypto map mymap interface outside
isakmp enable outside
isakmp key ******** address netmask
isakmp keepalive 10
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash md5
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
telnet inside
telnet timeout 5
ssh xxx.yyy.84.134 outside
ssh timeout 5
console timeout 0
terminal width 80
: end  

External IP addresses masked for security
Keith Alabaster
EE Page Editor
  • 2
  • 2
2 Solutions
The PIX config looks fine. Try running the 'clear xlate' command.
penningtonjAuthor Commented:
That still didn't do it.

Here are the MX records ...

twhouse.com.      MX      IN      86400      twhexc.twhouse.com. [Preference = 5]
twhouse.com.      MX      IN      86400      mailserver.hollandcomputers.com. [Preference = 15]

Mail still comes through on the second server. I can telnet into port twenty five from within the network, but I can't from the outside. I'm not sure if I'm supposed to be able to from the outside, but thought I was add that piece of information.
penningtonjAuthor Commented:
Alright, the problem is that our ISP is blocking incoming on port 25.

We have access to another mail server outside the network. How can I have the admin of that server configure it to accept mail on 25, send it out an alternate port, and have my server accept it on that alternate port?
Sorry for the late reply. EE was playing up for a while.

How to configure exhcnage to listen on a different port - http://support.microsoft.com/kb/274842

How to configure the other mail server on the internet will vary depending on what mail server software it is running.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Simple Misconfiguration =Network Vulnerability

In this technical webinar, AlgoSec will present several examples of common misconfigurations; including a basic device change, business application connectivity changes, and data center migrations. Learn best practices to protect your business from attack.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now