Issues receiving mail

I am having issues with smartermail on one of my mail servers.
I can send out mail but cannot receive mail outside the network
Running smartermail 4.3.2831 on Windows server 2003 thru ASA5505
(I have run no fixup protocol smtp 25 as per http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_22815776.html)

access-list inbound extended permit tcp any host xxx.xxx.xxx.162 eq smtp
access-list inbound extended permit tcp any host xxx.xxx.xxx.162 eq pop3
static (inside,outside) tcp xxx.xxx.xxx.162 smtp 192.168.1.55 smtp netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.162 pop3 192.168.1.55 pop3 netmask 255.255.255.255

Outside the network:
telnet mail.domain.com 25
220************
telnet xxx.xxx.xxx.162 25
220************
telnet mail.domain.com 110
+ok pop3 server ready
telnet xxx.xxx.xxx.162 110
+ok pop3 server ready

Inside the network:
telnet mail.domain.com 25
220 domain.com
telnet xxx.xxx.xxx.162 25
220 domain.com

Nslookup returns:
Name: Mail.domain.com
Address: xxx.xxx.xxx.162
Set type=mx returns correct information as well.

And netstat shows 192.168.1.55 listening on port 25.
Any help would be great
Thanks.
ultreyaAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

jar3817Commented:
So you've connected to the smtp server from outside using telnet, but have you tried sending an actual email that way?

telnet mail.domain.com 25
EHLO somehostnamehere.com
MAIL FROM: you@fromaddress.com       (the from address)
RCPT TO: you@domain.com                     (the recipient, some address handled by this system)
DATA
this is the body of your message
.                                                                  (a period on a line by itself will be the end of the message)
quit

You should see things like "sender ok", "recipient ok" and "accepted for delivery" if all goes well and the message should show up in your inbox. If not, paste the errors you get back here so we can figure them out.
0
ultreyaAuthor Commented:
Thanks for responding.
The server can send mail inside and outside, but cannot receive mail from outside.
I connect to the server thru telnet from the outside and receive...
220*********************

cannot type anything after that, however if I hit enter key it does give me the unrecognized command.
0
ultreyaAuthor Commented:
My apologies,
I telent from the outside to the domain/server with issues. I get&
telnet mail.domain.com 25
220************
Ehlo
500 command unrecognized
Helo
500 command unrecognized
Mail from: user@domain.com
500 command unrecognized
[ENTER]
500 command unrecognized
0
INTRODUCING: WatchGuard's New MFA Solution

WatchGuard is proud to announce the launch of AuthPoint, a powerful, yet simple, Cloud-based MFA service designed to eliminate the vulnerabilities that put your data, systems, and users at risk.

jar3817Commented:
strange, unfortunately I'm not familiar with smartmailer...
0
ultreyaAuthor Commented:
Thank you for your response.

That's just it...
I don't believe it to be a smartermail issue, although I could be mistaken. I have had the smartertools team look into what's going on, and have gotten nowhere there as well. They cannot find anything wrong. DNS resolves to the correct addresses, and all records are there. Inside the network mail flows with no issues. however from outside the network it does not make it in. I believe it to be the firewall, however do not know what would be blocking. I have 8 IP addresses one of which is hosting an exchange server, and am having no issues with mail through Exchange. the 3rd IP is smarter mail, and that's where the problem is. Have shut down the Exchange lines in hopes that it would at least open smartermail to the outside. did not work. Have moved smartermail to alternate IP (external). Did not work. Have moved smartermail from one server to another (internal). Did not work. What am I missing, since exchange runs without issues, and smartermail does not? One other factor. Smartermail is running on a virtual server (2005). Have moved it from virtual to a physical server. Did not work. Ideas please?
0
TreyHCommented:
What do the SmarterMail log files tell you? Look at the smtp log file. It should be under the SmarterMail/Logs directory.
0
ultreyaAuthor Commented:
I have enabled detailed logs. However no outside hits on the server. All activity is from inside server(s). It's my understanding that some mail destined for the smartermail server is in a queue on an outside exchange server, and I hope to get those logs Tuesday. With any luck will post them then.

However any other ideas to fill the time would be awesome. :)

Thank you for your time.
0
ultreyaAuthor Commented:
In the meen time, for your reading plaesure. :)
I have a couple of different bounce messages.

<test@smartermailserver.com>:
Sorry, I wasn't able to establish an SMTP connection. (#4.4.1) I'm not going to try again; this message has been in the queue too long.
-----------------------------------------------------------------------------------------

Reporting-MTA: dns;mail.outsidedomain.com
Final-Recipient: rfc822;test@smartermailserver.com
Action: delayed
Status: 4.4.7
Will-Retry-Until: Sun, 27 Jan 2008 17:23:51 -0600
X-Display-Name: test@smartermailserver.com

I have followed up on DNS (a and mx records), and have had 2 other people verify the correct records.
0
TreyHCommented:
If you're not getting a log entry for the outside attempts then you must be right, it's never getting past the firewall. We also run SmarterMail on 2003 svr with a PIX firewall.

Here's the PIX config lines we use for the mail server:
---------------------------------
no fixup protocol smtp 25
access-list outside_in permit tcp any host xx.xx.xx.37 eq 8383
access-list outside_in permit tcp any host xx.xx.xx.37 eq smtp
access-list outside_in permit tcp any host xx.xx.xx.37 eq pop3
static (inside,outside) tcp xx.xx.xx.37 smtp 172.16.2.7 smtp netmask 255.255.255
.255 0 0
static (inside,outside) tcp xx.xx.xx.37 pop3 172.16.2.7 pop3 netmask 255.255.255
.255 0 0
static (inside,outside) tcp xx.xx.xx.37 8383 172.16.2.7 8383 netmask 255.255.255
.255 0 0
access-group outside_in in interface outside
---------------------------------

Are you using the web mail feature of SmarterMail? If so, is it working from the outside/inside? You might also check the firewall config and make sure it is not blocking outbound smtp. We block outbound smtp from all inside machines except for the mail server. Keeps an infected workstation from spamming.

Here's the config lines that block inside smtp except for the mail server.
------------------------------
access-list inside_out remark *** Allow smtp out for internal mail server ***
access-list inside_out permit tcp 172.x.x.x 255.255.255.0 any eq smtp log
access-list inside_out remark *** Deny access out on port 25 to all others ***
access-list inside_out deny tcp any any eq smtp log
access-group inside_out in interface inside
------------------------------
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ultreyaAuthor Commented:
A brief description of the network...
I have 8 outside IP addresses. xxx.xxx.xxx.160 ~167
Through an asa5505
xxx.xxx.xxx.160 handles ftp ,www, rdp etc... (runs fine)
xxx.xxx.xxx.161 handles the exchange server http, pop3, imap and https (runs fine)
xxx.xxx.xxx.162 smartermail. smtp, pop3, http.  that's where I run into issues. I can send mail outside but cannot receive mail from the outside. I have changed the ip address to 160 doing all but http, and mail flows through. I put the addressing back to 162, and Im back to the original problem. I have called the ISP, and they assure me that port 25 is not blocked¿ however I can't figure this one out.
xxx.xxx.xxx.163 handles statistics for all IPs/servers (runs fine)

part of the access list follows, however I do not block smtp from anything inside, yet. I do like that idea though. I figure I should get this problem solved first, before creating others. LoL

access-list inbound extended permit tcp any host xxx.xxx.xxx.160 eq www
access-list inbound extended permit tcp any host xxx.xxx.xxx.160 eq https
access-list inbound extended permit tcp any host xxx.xxx.xxx.160 eq 3389
access-list inbound extended permit tcp any host xxx.xxx.xxx.160 eq ftp
access-list inbound extended permit tcp any host xxx.xxx.xxx.161 eq https
access-list inbound extended permit tcp any host xxx.xxx.xxx.161 eq smtp
access-list inbound extended permit tcp any host xxx.xxx.xxx.161 eq pop3
access-list inbound extended permit tcp any host xxx.xxx.xxx.161 eq imap4
access-list inbound extended permit tcp any host xxx.xxx.xxx.162 eq www
access-list inbound extended permit tcp any host xxx.xxx.xxx.162 eq smtp
access-list inbound extended permit tcp any host xxx.xxx.xxx.162 eq pop3
access-list inbound extended permit tcp any host xxx.xxx.xxx.163 eq www

static (inside,outside) tcp interface 3389 192.168.1.20 3389 netmask 255.255.255.255
static (inside,outside) tcp interface www 192.168.1.30 www netmask 255.255.255.255
static (inside,outside) tcp interface https 192.168.1.30 https netmask 255.255.255.255
static (inside,outside) tcp interface ftp 192.168.1.30 ftp netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.161 smtp 192.168.1.40 smtp netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.161 pop3 192.168.1.40 pop3 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.161 imap4 192.168.1.40 imap4 netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.161 https 192.168.1.40 https netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.162 www 192.168.1.55 www netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.162 smtp 192.168.1.55 smtp netmask 255.255.255.255
static (inside,outside) tcp xxx.xxx.xxx.162 pop3 192.168.1.55 pop3 netmask 255.255.255.255

If you need more configuration settings, Im not opposed to posting them.
0
TreyHCommented:
hmm, looks ok to me.
Are you issuing a 'clear xlate' or reloading after the config change? Are you getting any hit counts on the 'access-list inbound extended permit tcp any host xxx.xxx.xxx.162 eq smtp' ACL line? (show access-list inbound)

If you are not getting any hits on that ACL line, It could be the MX records havn't propagated out.  It could somtimes take as long as 6 days depending upon the TTL the registrar placed on the domain.

I havn't worked with the ASA units yet. You might post a pointer to this in the 'routers' area.

0
ultreyaAuthor Commented:
Thx TreyH,
Are you issuing a 'clear xlate' or reloading after the config change?

Yes, in order : wr m, clear xlate, clear xlate, wr m, reload [Enter]

Are you getting any hit counts on the 'access-list inbound extended permit tcp any host xxx.xxx.xxx.162 eq smtp' ACL line?

ciscoasa(config)# show access-list inbound
access-list inbound; 12 elements
access-list inbound line 1 extended permit tcp any host xxx.xxx.xxx.160 eq 3389 (hitcnt=35) 0x5e6356ad
access-list inbound line 2 extended permit tcp any host xxx.xxx.xxx.160 eq www (hitcnt=133) 0x4ac1eac0
access-list inbound line 3 extended permit tcp any host xxx.xxx.xxx.160 eq https (hitcnt=2) 0x831ad3e3
access-list inbound line 4 extended permit tcp any host xxx.xxx.xxx.160 eq ftp (hitcnt=0) 0x8c1a914f
access-list inbound line 5 extended permit tcp any host xxx.xxx.xxx.161 eq https (hitcnt=0) 0x71333373
access-list inbound line 6 extended permit tcp any host xxx.xxx.xxx.161 eq smtp (hitcnt=44) 0xb5aecf2d
access-list inbound line 7 extended permit tcp any host xxx.xxx.xxx.161 eq pop3 (hitcnt=35) 0x849b1b65
access-list inbound line 8 extended permit tcp any host xxx.xxx.xxx.161 eq imap4 (hitcnt=0) 0x30dd90d2
access-list inbound line 9 extended permit tcp any host xxx.xxx.xxx.162 eq smtp (hitcnt=24) 0x50907cf3
access-list inbound line 10 extended permit tcp any host xxx.xxx.xxx.162 eq pop3 (hitcnt=1) 0xd0bb77d3
access-list inbound line 12 extended permit tcp any host xxx.xxx.xxx.162 eq www (hitcnt=36) 0x59d42e96
access-list inbound line 11 extended permit tcp any host xxx.xxx.xxx.163 eq www (hitcnt=0) 0xbfcee743
ciscoasa(config)#

"It could somtimes take as long as 6 days depending upon the TTL the registrar placed on the domain"

Have used nslookup, and most cases have seen the propagation in real time. Ping helps too.

I havn't worked with the ASA units yet. You might post a pointer to this in the 'routers' area.

Not to sound & toolish& but how? Repost or is there a special feature with this site that does that with automation?

Follow up; Trying not to look like a tool (probably too late for that), I have been under the assumption (cliche'), that even webmail uses smtp for mail delivery. is this correct? reason I ask...
PCmag.com: "The other mail server may also support web mail, and since all that goes through port 80 (the http port) the ISP won't block it."

Most of the  testing we have done on this issue has been webmail. (webmail to webmail, exchange to webmail, hotmail to webmail....) should I be looking for other ways to test other then telnet which doesn't connect?
0
TreyHCommented:
You can just create a new question in the 'routers' area, give it 20pts and state that it is a pointer to this question. Include a link to this question in it ...

Think of webmail as just a server side app that you connect to via port 80. When you send email using webmail, the server still sends the mail to another mail server via smtp port 25.

Looks like your getting hits on xxx.xxx.xxx.162 eq smtp, so it should be forwarding.
What about port 110, have you tried telnetting to that from the outside?
0
ultreyaAuthor Commented:
Ok,
I need to know why this happens &

A resolution has been made, but I cant figure out what it was.
I have a block of 8 IPs, and mail was pointing to xxx.xxx.xxx.162. So far so good. I could mail out from mail, however could not receive from outside. Could send and receive internally no problem. Tried DNS and it is resolving correctly. I tried completely resetting the cisco asa box, and still did not resolve the issue&
Heres where I resolved the issue&
I moved mail from xxx.xxx.xxx.162 to xxx.xxx.xxx.164, and Boom..  it works fluently. So after testing, and multiple re-configurations, I wanted to try the original IP of 162, and Boom it works now too. What was wrong?
The only thing I can think of is dns& specifically the @ symbol in dns I do not remember the original IP that @ was pointing to, however I know its pointing to the mail IP rather than the domain IP. So points will be awarded however I would still like to know how/why the @ symbol interfered with mail flow.

Thank you.
0
ultreyaAuthor Commented:
I awarded 50 points to jar 3817 for the effort, I am not familiar with the point scale so i hope this is ok. I appreciate the help. Thank you, and please follow up with how this was resolved.
0
TreyHCommented:
The only thing I can think of would be the MX and A records were somehow hosed. The MX records have to point to an A record. They can't point to an IP address. Example:

A Records:
domain.com points to xxx.xxx.xxx.161 (web server)
mail.domain.com points to xxx.xxx.xxx.162 (mail server)
mail2.domain.com points to xxx.xxx.xxx.163 (backup mail server)

The MX records should be:
domain.com. IN MX 0 mail.domain.com.
domain.com. IN MX 30 mail2.domain.com.

So all email destined for @domain.com will first try the server at mail.domain.com and if it is down, they will go to mail2.domain.com

Also, some ISP's DNS servers will respect the TTL (time to live) that is set on the zone file by your registrar. I use register.com and they set my TTL to 540000 which equates out to a little over 6 days. If an ISP's DNS server respects the TTL entry, your MX changes will not be visible to an Email server that uses those DNS servers until the TTL expires. At the same time, an Email server that uses DNS that does not respect the TTL may see the MX changes correctly after only a short time.

The "@" symbol is a wild card. If the DNS server cannot find an matching A or CName record it defaults  to the IP that the primary domain is pointing to. It's a catch all that is used to point all unrecognized sub-domains to the 'domain.com' IP address.

If your MX record was pointing to 'mail.domain.com' and you didn't have an A record for 'mail.domain.com' the email would be directed to the IP address of the "@" record.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Email Protocols

From novice to tech pro — start learning today.