Shannon Mollenhauer asked:

Win SBS2008 Exchange inbound mail not flowing after replacing Cisco ASA5505

Strangest circumstances. Cisco ASA went dead a few days ago. Ordered replacement via Smartnet. While waiting for replacement, reconfigured Linksys WRT54G to be router/gateway and set port 25 forwarding to reach SBS2008 server where email runs. Mail flowing okay.

Received and configured ASA using backup copy of old device config. Put Linksys back in "just a wireless AP and switch" mode and tested all connectivity. Internet access works. I can create emails and send OUTBOUND. However, inbound and replies to sent mail on Internet are failing to receive on the server.

The Exchange MFA says "Error submitting mail. Mail submission failed: Error message: Server does not support secure connections.." during mail acceptance tests.

Is there a conflict somewhere in the ASA or the SBS server because the hardware changed?
Tags: Exchange, SBS, Cisco

8/22/2022 - Mon
Alan Hardisty

Please visit www.canyouseeme.org and check / test port 25 to see if you get a Success message.
James

Sounds like port 25 is not open. Another way of testing to see if port 25 is open is to use the telnet command. Go to Start > Run > cmd and then click OK. In the DOS screen, type telnet mail.mydomain.com 25 and you will be able to verify if port 25 is open. Alternatively, you can use telnet to connect to your public IP address, e.g.: telnet 200.54.207.94 25
ASKER
Shannon Mollenhauer

I can telnet to 25 from the LAN. I also know that the problem only started after I installed the replacement Cisco ASA5505 and restored a backup config. I checked the firewall rules and SMTP traffic is allowed and directed to the mail server.

I just heard from a remote user that VPN connection is not working, so I'm thinking that something didn't restore properly when I loaded the running config.

No changes were made to the SBS server or Exchange during these problems, so it must be a firewall deal.
ASKER
Shannon Mollenhauer

I also just verified - canyouseeme.org using port 25 and it says the port is open.
Alan Hardisty

Have you got ESMTP Inspect enabled on the ASA device? If you have, make sure you disable it and test again.
ASKER
Shannon Mollenhauer

I am looking at the Inspect Maps page for ESMTP on the ASDM and there are no entries.
Alan Hardisty

Can you divulge your domain name for some testing (which I will immediately obscure)?
ASKER
Shannon Mollenhauer

Additional info:

Regarding the ESMTP - I noticed in some Cisco forums discussion of this - saw the inspect esmtp was part of global default policy and then looked at my own config (which I will post shortly) - disabled it, but that made no difference.

Alan Hardisty

Checks running - back shortly.
ASKER CERTIFIED SOLUTION
Alan Hardisty

ASKER
Shannon Mollenhauer

Yes, we have dynamic IP because we're on Comcast cable. We only have one public IP.

I will check our DynDNS settings - maybe they're goofed up.
ASKER
Shannon Mollenhauer

These two lines of questioning led me to realize that my DYNDNS was not working correctly. I loaded the DNS Updater client on my server since Cisco ASA does not update automatically, and the NEW IP (received when I had swapped the temporary router) was updated in my host records. Thank you to everyone who worked on figuring this out!
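As an added example (not part of the original thread), a small Python triage of the two things the thread tested: whether the mail host name still resolves to the site's current public IP, and whether an SMTP session captured from outside shows a masked banner or no STARTTLS. The addresses, host names and transcripts are constructed samples, the function names are hypothetical, and the asterisk banner is assumed to be how ASA ESMTP inspection presents the greeting.

```python
import ipaddress

def parse_session(transcript):
    """Return (banner text, set of EHLO keywords) from a captured SMTP session."""
    banner, keywords, greeted = "", set(), False
    for line in transcript.strip().splitlines():
        code, text = line[:3], line[4:].strip()
        if code == "220" and not banner:
            banner = text
        elif code == "250":
            if greeted and text:  # the first 250 line is the greeting, not a keyword
                keywords.add(text.split()[0].upper())
            greeted = True
    return banner, keywords

def triage(dns_ips, wan_ip, transcript):
    """dns_ips: A records seen from outside; wan_ip: the site's current public IP."""
    findings = []
    resolved = {ipaddress.ip_address(ip) for ip in dns_ips}
    if ipaddress.ip_address(wan_ip) not in resolved:
        findings.append("stale-dns")      # senders connect to an address that is not ours
    banner, keywords = parse_session(transcript)
    if banner and banner.count("*") > len(banner) / 2:
        findings.append("banner-masked")  # assumption: ESMTP inspection rewrote the greeting
    if "STARTTLS" not in keywords:
        findings.append("no-starttls")    # matches "Server does not support secure connections"
    return findings

# Constructed samples (documentation address ranges, invented host names).
OLD_ADDRESS_HOST = """220 other.example.net ESMTP
250-other.example.net
250-SIZE 10240000
250 HELP"""
INSPECTED = """220 ******************************
250-mail.example.com Hello [192.0.2.5]
250-SIZE
250-XXXXXXXA
250 OK"""
HEALTHY = """220 mail.example.com Microsoft ESMTP MAIL Service ready
250-mail.example.com Hello [192.0.2.5]
250-SIZE 10485760
250-STARTTLS
250 OK"""

if __name__ == "__main__":
    print(triage(["203.0.113.10"], "198.51.100.7", OLD_ADDRESS_HOST))
    print(triage(["198.51.100.7"], "198.51.100.7", INSPECTED))
    print(triage(["198.51.100.7"], "198.51.100.7", HEALTHY))
```

A port test against the current public IP can pass while the host name still resolves to the old address, so the DNS comparison is worth running first.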