• Status: Solved

Postfix is different inside than outside?

I can't get my postfix to work correctly.
When I connect inside the server at localhost I have something like:

root@SFTSRVDB01:/etc/postfix# telnet 192.168.96.200 25
Trying 192.168.96.200...
Connected to mail.domain.com.
Escape character is '^]'.
220 mail.domain.com ESMTP Postfix (Ubuntu)
ehlo localhost
250-mail.domain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME


When I try to connect from outside, I don't get anything similar. The "ehlo" command does not work, for example:
220 ******************************************
ehlo mail.domain.com
502 Error: command not implemented


This does not make sense to me. Can it be a firewall port that isn't opened?
Asked by efegue
 
grblades Commented:
You are able to make a connection, so it isn't a firewall issue.

Can you run 'postconf -n' and post the output here?
 
basicinstinct Commented:
Some guy here had the same problem: http://archives.neohapsis.com/archives/postfix/2005-02/thread.html#706

There's a thread called: "EHLO command not implemented from external connections"
 
grblades Commented:
I suppose it could be a firewall issue if from outside you are being redirected to an incorrect server.
 
grblades Commented:
basicinstinct is probably correct if you are running a Cisco PIX or ASA firewall.
To disable the SMTP inspection, do one of the following, depending on what version of software you are running on the firewall:

IOS version 6 or below:
no fixup smtp 25


IOS 7 and above:
policy-map global_policy
 class inspection_default
  no inspect esmtp
 
Cyclops3590 Commented:
grblades is correct. This is a Cisco firewall issue, but I am willing to bet you are running a pre-7.x version of PIX OS, as 7.x and beyond does inspection on ESMTP, which EHLO and other subsequent commands are a part of. Thus you need to turn off the mailguard inspection in order to use the ESMTP commands you want.

Basically, Cisco's mailguard enforces the SMTP RFC standard for commands. It also filters out any characters that aren't essential to the SMTP communication, which is why you get all the asterisks and only the numbers for the return code of the command being issued.

Also, the command is
no fixup protocol smtp 25

At least on mine, you have to enter the protocol keyword part of the command or you get an error.
 
efegue (Author) Commented:
root@SFTSRVDB01:/etc/postfix# postconf -n
alias_database = hash:/etc/aliases
alias_maps = hash:/etc/aliases
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
config_directory = /etc/postfix
home_mailbox = Maildir/
inet_interfaces = all
inet_protocols = all
mailbox_command =
mailbox_size_limit = 0
mydestination = mail.domain.com, localhost
myhostname = mail.domain.com
mynetworks = 127.0.0.0/8
myorigin = $mydomain
recipient_delimiter = +
relayhost =
smtp_tls_session_cache_database = btree:${queue_directory}/smtp_scache
smtpd_banner = $myhostname ESMTP $mail_name (Ubuntu)
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain =
smtpd_sasl_security_options =
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_session_cache_database = btree:${queue_directory}/smtpd_scache
smtpd_use_tls = yes
virtual_alias_domains = domain.com
virtual_alias_maps = hash:/etc/postfix/virtual


Yes the server is behind a Cisco Firewall (PIX OS)..
I'll have a look at it then!

Thanks a lot for the suggestions.
 
efegue (Author) Commented:
OK, it was really the Cisco.

I gave 400 points to grblades for the right answer and 100 points to Cyclops3590 for the right command; only "protocol" was missing.

Thanks both ;)
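The two symptoms discussed in this thread (a greeting replaced by asterisks and EHLO answered with 502 only on the outside path) can be checked mechanically by comparing a session captured inside the firewall with one captured outside. The Python below is an added example, not code from any poster; the names `analyze` and `compare` are hypothetical, and the sample transcripts are constructed from the sessions quoted in the question.

```python
import re

# Constructed sample input: the two sessions quoted in the question, telnet chatter removed.
INSIDE = """220 mail.domain.com ESMTP Postfix (Ubuntu)
ehlo localhost
250-mail.domain.com
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-AUTH LOGIN PLAIN
250-AUTH=LOGIN PLAIN
250 8BITMIME"""
OUTSIDE = """220 ******************************************
ehlo mail.domain.com
502 Error: command not implemented"""

REPLY = re.compile(r"^(\d{3})[ -](.*)$")   # reply code, separator, reply text

def analyze(transcript):
    """Summarise one session: banner masking, EHLO reply code, extensions."""
    out = {"banner_masked": False, "ehlo_code": None, "extensions": set()}
    last_cmd = None
    for line in filter(None, map(str.strip, transcript.splitlines())):
        m = REPLY.match(line)
        if not m:                          # no reply code: a client command
            last_cmd = line.split()[0].upper()
        elif last_cmd is None and m.group(1) == "220":
            out["banner_masked"] = set(m.group(2)) == {"*"}   # greeting is only asterisks
        elif last_cmd == "EHLO" and out["ehlo_code"] is None:
            out["ehlo_code"] = m.group(1)  # first reply line carries the hostname
        elif last_cmd == "EHLO" and m.group(1) == "250":
            out["extensions"].add(re.split(r"[ =]", m.group(2))[0].upper())
    return out

def compare(inside, outside):              # differences that point at an SMTP-inspecting device
    a, b = analyze(inside), analyze(outside)
    findings = []
    if b["banner_masked"] and not a["banner_masked"]:
        findings.append("banner masked on outside path")
    if a["ehlo_code"] == "250" and b["ehlo_code"] != "250":
        findings.append("EHLO rejected on outside path (%s)" % b["ehlo_code"])
    lost = sorted(a["extensions"] - b["extensions"])
    if lost:
        findings.append("extensions not offered outside: " + ", ".join(lost))
    return findings

if __name__ == "__main__":
    print("\n".join(compare(INSIDE, OUTSIDE)))
```

Each transcript must start at the server greeting, since the banner check only applies to a 220 reply seen before any client command.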
