Solved

SBS 2003 Port 25 Outbound Blocked

Posted on 2011-02-10
28
1,076 Views
Last Modified: 2013-11-30
I have an SBS 2003 server that has suddenly stopped sending email.
Outbound messages are hung in the queue. Inbound email is fine.
I cannot telnet to port 25 on other public smtp servers from SBS, but I can telnet to port 25
from other machines / servers within the network to other external servers. AV has been temporarily removed from
the server. I've used netstat to look for other software that may be blocking the port, but
nothing obvious.
Question by:Taildragger61
28 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34864141
Call your ISP and ask them why they have blocked the port - and if they can't unblock it, you will have to ask them what port you can use to send mail to their Smarthost Mail server, then configure your server to use that port and then change your SMTP Connector to use their SMARTHOST not DNS to route mail.

Outbound Port is configured on the SMTP Virtual Server> Delivery Tab> Outbound Connection Button.  Change the port in there and then restart the SMTP Service.
0
 

Author Comment

by:Taildragger61
ID: 34864163
I contacted the ISP first, and they said they weren't blocking it - which makes sense since I am able to telnet to port 25 outbound from other devices within the network, just not the SBS server.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34864183
If you can't telnet to external server on port 25 then either they are blocking TCP port 25 outbound as a security measure and are either ignorant about this (1st line usually are), or are not telling you the truth!

Try to telnet to my mail server from your server:

telnet mail.mydomain.co.uk 25

telnet 188.220.xxx.xxx 25

Do either work?  Do you see my servername blinking back at you?
0
 

Author Comment

by:Taildragger61
ID: 34864212
Both work from my workstation, but neither work when logged on to the server...
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34864227
Okay - can you re-run the Connect to the Internet Wizard please.  Change nothing and let the wizard complete.  If it errors the first time - run it again.

Start> Server Manager> To-Do List> Connect to the Internet.

Any joy now?
0
 

Author Comment

by:Taildragger61
ID: 34864242
I've already tried that - error free.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34864257
Okay - and no change to the mail-flow?

Has someone blocked TCP Port 25 outbound for the server on your firewall / router when they should have been blocking TCP port 25 outbound for all IP's other than the server?
0
 

Author Comment

by:Taildragger61
ID: 34864303
We're running a SonicWall, and currently there is only the one default rule from the LAN to WAN zones - allow anything - anytime. It's curious that this happened after patch Tuesday - looking to see what was installed now, but I don't have this problem anywhere else.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34864324
Was the patch to the server or the Sonicwall?

If the server - what was the patch that was applied?
0
 

Author Comment

by:Taildragger61
ID: 34864372
The patches would have been on the server. This isn't a system I normally take care of, and the updates are set to download, but not install. Nothing new was installed.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 34864378
Have you rebooted SINCE the patches were applied?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34864385
Can you look in the Control Panel> Add/Remove Programs and advise what patches were installed recently please.
0
 

Author Comment

by:Taildragger61
ID: 34864402
Nothing new has been installed since 12/2010.
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 34864404
I assume you are getting inbound emails?
I assume you can browse the web from the server?
0
 

Author Comment

by:Taildragger61
ID: 34864454
Yes, inbound email is fine and browsing is fine. I can telnet to other ports on external servers from the SBS box such as 3389, 21, 80, 443, etc. just not 25.
0
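
The telnet tests used in this thread, scripted as an added example (not part of any participant's post): `probe` separates a refused connection from a silent drop and from an open port with or without an SMTP banner, and `localize` applies the thread's comparison of which sources can get out. The host names and results in `SAMPLE` are constructed; the thread does not say whether the server's attempts timed out or were refused.

```python
import socket

def probe(host, port, timeout=3.0):
    """Classify one outbound TCP attempt, as a manual telnet test would show it."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"   # a reset came back: reachable, but closed or rejected
    except socket.timeout:
        return "timeout"   # nothing came back: packets dropped on the path
    except OSError as exc:
        return "error: %s" % exc
    with sock:
        try:
            data = sock.recv(256)   # SMTP servers speak first with a 220 line
        except socket.timeout:
            return "open, no banner"
        except OSError as exc:
            return "open, read error: %s" % exc
    if not data:
        return "open, closed by peer"
    return "open, banner: " + data.decode("ascii", "replace").splitlines()[0]

def localize(by_source, port):
    """by_source maps a source host to {port: probe result}; say where a block sits."""
    ok = sorted(s for s, r in by_source.items() if r.get(port, "").startswith("open"))
    bad = sorted(s for s in by_source if s not in ok)
    if not bad:
        return "port %d is open from every source" % port
    if not ok:
        return ("port %d fails from every source: suspect the ISP or a "
                "perimeter-wide rule" % port)
    return ("port %d fails only from %s while %s gets out: suspect a per-host rule "
            "or NAT policy on the perimeter firewall, or filtering on the host itself"
            % (port, ", ".join(bad), ", ".join(ok)))

# Constructed results mirroring the thread: the server reaches other ports but
# not 25, while a workstation on the same LAN reaches 25. "timeout" is assumed.
SAMPLE = {
    "sbs-server": {25: "timeout", 80: "open, no banner", 443: "open, no banner"},
    "workstation": {25: "open, banner: 220 mail.example.test ESMTP"},
}

if __name__ == "__main__":
    print(localize(SAMPLE, 25))
```

Run `probe` from each machine against the same external mail server and feed the results to `localize`; a "timeout" on one source only points at filtering between that host and the WAN rather than at the ISP.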
 
LVL 37

Expert Comment

by:Neil Russell
ID: 34864645
Then I would be starting with a full AV and malware scan. Have you tried telnet to port 25 on the sbs box itself?

That's from a dos box ON the sbs box telnet TO the sbs box on port 25.

0
 

Author Comment

by:Taildragger61
ID: 34864657
Yes, I can telnet to port 25 on the local box, and inbound email is not affected - just outbound.
0
 
LVL 37

Accepted Solution

by:
Neil Russell earned 250 total points
ID: 34864885
And can you telnet to port 25 on any other INTERNAL computer?
If so it sounds like you're being blocked by your firewall maybe?
0
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 250 total points
ID: 34865575
>> Nothing new has been installed since 12/2010 <<

So if nothing new has been installed since 12/2010 - what are the patches that were installed?

Sounds like a blockage internally - either with the server firewall or the router firewall.
0
 

Author Comment

by:Taildragger61
ID: 34866119
I'll have to give this one to NeilSR.
The only thing different from a firewall perspective is that the server had several inbound NAT policies applied at the firewall.
I set RDP on my laptop to listen on port 25, and yes, I could telnet to it from the server. I decided to rip the NAT policies out of the firewall and test it that way. When I attempted to remove the service group assigned to the server, I received an error message saying it was still in use - but it wasn't listed in the rules where the error said it was. I defaulted the firewall and started over. All is well. Thanks everyone for all the help!
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34866133
Don't forget my comment here: http:#a34864257
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34866166
So my earlier comment about the firewall posted an hour before Neil's comment is not relevant here?
0
 
LVL 37

Expert Comment

by:Neil Russell
ID: 34866231
I agree with Alan, I think we both put in as much effort as each other and a fair split would be in order.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34866290
RFA Raised.

Alan
0
 

Author Comment

by:Taildragger61
ID: 34866312
Truth be known, I had the problem well in hand before I received neilsr's comment, but hey, you guys spent time trying to help and it was much appreciated. I have no idea what these points are worth to you guys, but tell me how to split them after the fact, and I'll do whatever you want.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 34866382
It's not really about the points (for me at least - I have a few under my belt) - it is more about getting the correct comments accepted in the database and not overlooking a comment that seems to address the problem nicely, based on your closing comment but that got overlooked during the closure.

Also, as the only reward we get for participating on EE is points and the occasional T-Shirt when we get a certain number of points in a zone. We are all volunteers here and give up our spare time to help answer questions, so it can feel a bit like a slap in the face if a comment that addresses the problem gets overlooked.

Also, if you had the problem well in hand before Neil's comment, then it would suggest to me that I pointed you in the right direction and not Neil!

At the end of the day - the fact that you have a solution is the important bit but I feel a fairer closure would have been to at the very least split the points for both comments about the firewall being the problem.


Alan
0
 

Author Closing Comment

by:Taildragger61
ID: 34899611
All of these solutions were partially complete, but headed down the right path. The firewall was not misconfigured, but the settings were corrupt. The firewall had to be reset and re-flashed with backup settings.
0
