Issues receiving mail

Thanks for responding.
The server can send mail inside and outside, but cannot receive mail from outside.
I connect to the server thru telnet from the outside and receive...
220*********************

cannot type anything after that, however if I hit enter key it does give me the unrecognized command.

My apologies,
I telent from the outside to the domain/server with issues. I get&
telnet mail.domain.com 25
220************
Ehlo
500 command unrecognized
Helo
500 command unrecognized
Mail from: user@domain.com
500 command unrecognized
[ENTER]
500 command unrecognized

strange, unfortunately I'm not familiar with smartmailer...

Thank you for your response.

That's just it...
I don't believe it to be a smartermail issue, although I could be mistaken. I have had the smartertools team look into what's going on, and have gotten nowhere there as well. They cannot find anything wrong. DNS resolves to the correct addresses, and all records are there. Inside the network mail flows with no issues. however from outside the network it does not make it in. I believe it to be the firewall, however do not know what would be blocking. I have 8 IP addresses one of which is hosting an exchange server, and am having no issues with mail through Exchange. the 3rd IP is smarter mail, and that's where the problem is. Have shut down the Exchange lines in hopes that it would at least open smartermail to the outside. did not work. Have moved smartermail to alternate IP (external). Did not work. Have moved smartermail from one server to another (internal). Did not work. What am I missing, since exchange runs without issues, and smartermail does not? One other factor. Smartermail is running on a virtual server (2005). Have moved it from virtual to a physical server. Did not work. Ideas please?

What do the SmarterMail log files tell you? Look at the smtp log file. It should be under the SmarterMail/Logs directory.

I have enabled detailed logs. However no outside hits on the server. All activity is from inside server(s). It's my understanding that some mail destined for the smartermail server is in a queue on an outside exchange server, and I hope to get those logs Tuesday. With any luck will post them then.

However any other ideas to fill the time would be awesome. :)

Thank you for your time.

In the meen time, for your reading plaesure. :)
I have a couple of different bounce messages.

<test@smartermailserver.com>:
Sorry, I wasn't able to establish an SMTP connection. (#4.4.1) I'm not going to try again; this message has been in the queue too long.
-----------------------------------------------------------------------------------------

Reporting-MTA: dns;mail.outsidedomain.com
Final-Recipient: rfc822;test@smartermailserver.com
Action: delayed
Status: 4.4.7
Will-Retry-Until: Sun, 27 Jan 2008 17:23:51 -0600
X-Display-Name: test@smartermailserver.com

I have followed up on DNS (a and mx records), and have had 2 other people verify the correct records.

A brief description of the network...
I have 8 outside IP addresses. xxx.xxx.xxx.160 ~167
Through an asa5505
xxx.xxx.xxx.160 handles ftp ,www, rdp etc... (runs fine)
xxx.xxx.xxx.161 handles the exchange server http, pop3, imap and https (runs fine)
xxx.xxx.xxx.162 smartermail. smtp, pop3, http.  that's where I run into issues. I can send mail outside but cannot receive mail from the outside. I have changed the ip address to 160 doing all but http, and mail flows through. I put the addressing back to 162, and Im back to the original problem. I have called the ISP, and they assure me that port 25 is not blocked¿ however I can't figure this one out.
xxx.xxx.xxx.163 handles statistics for all IPs/servers (runs fine)

part of the access list follows, however I do not block smtp from anything inside, yet. I do like that idea though. I figure I should get this problem solved first, before creating others. LoL

access-list inbound extended permit tcp any host xxx.xxx.xxx.160 eq www
access-list inbound extended permit tcp any host xxx.xxx.xxx.160 eq https
access-list inbound extended permit tcp any host xxx.xxx.xxx.160 eq 3389
access-list inbound extended permit tcp any host xxx.xxx.xxx.160 eq ftp
access-list inbound extended permit tcp any host xxx.xxx.xxx.161 eq https
access-list inbound extended permit tcp any host xxx.xxx.xxx.161 eq smtp
access-list inbound extended permit tcp any host xxx.xxx.xxx.161 eq pop3
access-list inbound extended permit tcp any host xxx.xxx.xxx.161 eq imap4
access-list inbound extended permit tcp any host xxx.xxx.xxx.162 eq www
access-list inbound extended permit tcp any host xxx.xxx.xxx.162 eq smtp
access-list inbound extended permit tcp any host xxx.xxx.xxx.162 eq pop3
access-list inbound extended permit tcp any host xxx.xxx.xxx.163 eq www

static (inside,outside) tcp interface 3389 192.168.1.20 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.30 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.30 https netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.30 ftp netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.161 smtp 192.168.1.40 smtp netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.161 pop3 192.168.1.40 pop3 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.161 imap4 192.168.1.40 imap4 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.161 https 192.168.1.40 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.162 www 192.168.1.55 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.162 smtp 192.168.1.55 smtp netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.162 pop3 192.168.1.55 pop3 netmask 255.255.255.255

If you need more configuration settings, Im not opposed to posting them.

hmm, looks ok to me.
Are you issuing a 'clear xlate' or reloading after the config change? Are you getting any hit counts on the 'access-list inbound extended permit tcp any host xxx.xxx.xxx.162 eq smtp' ACL line? (show access-list inbound)

If you are not getting any hits on that ACL line, It could be the MX records havn't propagated out.  It could somtimes take as long as 6 days depending upon the TTL the registrar placed on the domain.

I havn't worked with the ASA units yet. You might post a pointer to this in the 'routers' area.

Thx TreyH,
Are you issuing a 'clear xlate' or reloading after the config change?

Yes, in order : wr m, clear xlate, clear xlate, wr m, reload [Enter]

Are you getting any hit counts on the 'access-list inbound extended permit tcp any host xxx.xxx.xxx.162 eq smtp' ACL line?

ciscoasa(config)# show access-list inbound
access-list inbound; 12 elements
access-list inbound line 1 extended permit tcp any host xxx.xxx.xxx.160 eq 3389 (hitcnt=35) 0x5e6356ad
access-list inbound line 2 extended permit tcp any host xxx.xxx.xxx.160 eq www (hitcnt=133) 0x4ac1eac0
access-list inbound line 3 extended permit tcp any host xxx.xxx.xxx.160 eq https (hitcnt=2) 0x831ad3e3
access-list inbound line 4 extended permit tcp any host xxx.xxx.xxx.160 eq ftp (hitcnt=0) 0x8c1a914f
access-list inbound line 5 extended permit tcp any host xxx.xxx.xxx.161 eq https (hitcnt=0) 0x71333373
access-list inbound line 6 extended permit tcp any host xxx.xxx.xxx.161 eq smtp (hitcnt=44) 0xb5aecf2d
access-list inbound line 7 extended permit tcp any host xxx.xxx.xxx.161 eq pop3 (hitcnt=35) 0x849b1b65
access-list inbound line 8 extended permit tcp any host xxx.xxx.xxx.161 eq imap4 (hitcnt=0) 0x30dd90d2
access-list inbound line 9 extended permit tcp any host xxx.xxx.xxx.162 eq smtp (hitcnt=24) 0x50907cf3
access-list inbound line 10 extended permit tcp any host xxx.xxx.xxx.162 eq pop3 (hitcnt=1) 0xd0bb77d3
access-list inbound line 12 extended permit tcp any host xxx.xxx.xxx.162 eq www (hitcnt=36) 0x59d42e96
access-list inbound line 11 extended permit tcp any host xxx.xxx.xxx.163 eq www (hitcnt=0) 0xbfcee743
ciscoasa(config)#

"It could somtimes take as long as 6 days depending upon the TTL the registrar placed on the domain"

Have used nslookup, and most cases have seen the propagation in real time. Ping helps too.

I havn't worked with the ASA units yet. You might post a pointer to this in the 'routers' area.

Not to sound & toolish& but how? Repost or is there a special feature with this site that does that with automation?

Follow up; Trying not to look like a tool (probably too late for that), I have been under the assumption (cliche'), that even webmail uses smtp for mail delivery. is this correct? reason I ask...
PCmag.com: "The other mail server may also support web mail, and since all that goes through port 80 (the http port) the ISP won't block it."

Most of the  testing we have done on this issue has been webmail. (webmail to webmail, exchange to webmail, hotmail to webmail....) should I be looking for other ways to test other then telnet which doesn't connect?

You can just create a new question in the 'routers' area, give it 20pts and state that it is a pointer to this question. Include a link to this question in it ...

Think of webmail as just a server side app that you connect to via port 80. When you send email using webmail, the server still sends the mail to another mail server via smtp port 25.

Looks like your getting hits on xxx.xxx.xxx.162 eq smtp, so it should be forwarding.
What about port 110, have you tried telnetting to that from the outside?

Ok,
I need to know why this happens &

A resolution has been made, but I cant figure out what it was.
I have a block of 8 IPs, and mail was pointing to xxx.xxx.xxx.162. So far so good. I could mail out from mail, however could not receive from outside. Could send and receive internally no problem. Tried DNS and it is resolving correctly. I tried completely resetting the cisco asa box, and still did not resolve the issue&
Heres where I resolved the issue&
I moved mail from xxx.xxx.xxx.162 to xxx.xxx.xxx.164, and Boom..  it works fluently. So after testing, and multiple re-configurations, I wanted to try the original IP of 162, and Boom it works now too. What was wrong?
The only thing I can think of is dns& specifically the @ symbol in dns I do not remember the original IP that @ was pointing to, however I know its pointing to the mail IP rather than the domain IP. So points will be awarded however I would still like to know how/why the @ symbol interfered with mail flow.

Thank you.

I awarded 50 points to jar 3817 for the effort, I am not familiar with the point scale so i hope this is ok. I appreciate the help. Thank you, and please follow up with how this was resolved.

The only thing I can think of would be the MX and A records were somehow hosed. The MX records have to point to an A record. They can't point to an IP address. Example:

A Records:
domain.com points to xxx.xxx.xxx.161 (web server)
mail.domain.com points to xxx.xxx.xxx.162 (mail server)
mail2.domain.com points to xxx.xxx.xxx.163 (backup mail server)

The MX records should be:
domain.com. IN MX 0 mail.domain.com.
domain.com. IN MX 30 mail2.domain.com.

So all email destined for @domain.com will first try the server at mail.domain.com and if it is down, they will go to mail2.domain.com

Also, some ISP's DNS servers will respect the TTL (time to live) that is set on the zone file by your registrar. I use register.com and they set my TTL to 540000 which equates out to a little over 6 days. If an ISP's DNS server respects the TTL entry, your MX changes will not be visible to an Email server that uses those DNS servers until the TTL expires. At the same time, an Email server that uses DNS that does not respect the TTL may see the MX changes correctly after only a short time.

The "@" symbol is a wild card. If the DNS server cannot find an matching A or CName record it defaults  to the IP that the primary domain is pointing to. It's a catch all that is used to point all unrecognized sub-domains to the 'domain.com' IP address.

If your MX record was pointing to 'mail.domain.com' and you didn't have an A record for 'mail.domain.com' the email would be directed to the IP address of the "@" record.