?
Solved

Problem with firewall accepting mail

Posted on 2011-03-24
17
Medium Priority
?
740 Views
Last Modified: 2012-05-11
We recently moved to new office.  I had a consultant set up the firewall.  He was supposed to configure it exactly as the old one.  He didn't and now he can not be reached.
Our MX record points to a SPAM filtering company.  They then send our mail to us.  For the first day they could not send us any mail.  Then I finally got the consultant to put in a change to fix it.  This morning I received this message from the SPAM company.

Still having issues delivering mail to your server consistently.  I currently have 85 messages in queue for your domain.  They have been slowly climbing.  

I see most mail is going through ok but some seems to be getting an error from your server/firewall:
 
2011-03-23T16:34:40.351358-04:00 dpout01 postfix/smtp[417]: 4E9E41C781FB: to=<drocha@rgrayclamps.com>, relay=mail.rgrayclamps.com[12.204.121.3]:25, delay=1013, delays=680/0/0.1/333, dsn=4.4.2, status=deferred (lost connection with mail.rgrayclamps.com[12.204.121.3] while sending end of data -- message may be sent more than once)
 
If you have ‘smtp fixup’ set on your firewall, you will want to disable that, it definitely could cause these types of issues.

I do not have smtp fixup set on the firewall.
0
Comment
Question by:jtennyson
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 7
17 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35206340
Hi there :)

Could be a number of things so let's see. Looking at the config from your previous question I see no smtp fixup indeed. By the way, it is called 'inspect' in the ASA.
You do have an inspect esmtp which might be the issue.

On the other hand I see that you are only allowing smtp traffic in from a number of ip ranges. Are you sure that all the ip addresses from where your SPAM filtering company could send you mail are covered?
0
 

Author Comment

by:jtennyson
ID: 35206371
I am going to check with them right now.
0
 

Author Comment

by:jtennyson
ID: 35206401
The company is in California so I am sure they will not be in for a couple of hours.
0
Veeam Disaster Recovery in Microsoft Azure

Veeam PN for Microsoft Azure is a FREE solution designed to simplify and automate the setup of a DR site in Microsoft Azure using lightweight software-defined networking. It reduces the complexity of VPN deployments and is designed for businesses of ALL sizes.

 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35206437
Always nice, different timezones :)

Allright, let's just wait then for now and let me know when they are in.
0
 

Author Comment

by:jtennyson
ID: 35206514
They did get back to me and they said those are the correct addresses.

access-list internet extended permit tcp 64.19.188.16 255.255.255.240 any eq smtp
access-list internet extended permit tcp 206.188.13.128 255.255.255.240 any eq smtp
access-list internet extended permit tcp 4.78.136.16 255.255.255.240 any eq smtp
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 2000 total points
ID: 35206588
Ok, in that case let's remove the line 'inspect esmtp'. That's used for smtp and esmtp. See if that helps.

To remove it:

conf t
policy-map global_policy
class inspection_default
no inspect esmtp
exit


Oh, it might be an idea to change those lines to:

access-list internet extended permit tcp 64.19.188.16 255.255.255.240 host 12.204.121.3 eq smtp
access-list internet extended permit tcp 206.188.13.128 255.255.255.240 host 12.204.121.3 eq smtp
access-list internet extended permit tcp 4.78.136.16 255.255.255.240 host 12.204.121.3 eq smtp

Assuming 12.204.121.3 is the public address of the mailserver and the only host where you would want to allow smtp connections to.
0
 

Author Comment

by:jtennyson
ID: 35206776
Thanks again.  I made the changes and will let you know what happens.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35206787
I'll be here :)
0
 

Author Comment

by:jtennyson
ID: 35206822
Should I reboot the firewall?
0
 
LVL 5

Expert Comment

by:shubhanshu_jaiswal
ID: 35206871
disabling ESMTP Inspection should solve the issue...
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35206880
Not really. Those changes should be effective immediatly.
0
 

Author Closing Comment

by:jtennyson
ID: 35209339
Once again you are the best.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35209378
Thx, only I'm afraid you awarded the wrong one :-(
0
 

Author Closing Comment

by:jtennyson
ID: 35223017
I'm so sorry.  I would double the points for you if I could.  I hope your reading on Monday I will need more help.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35223156
Never mind, I was convinced it wasn't your intention.
See you on monday :)
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question