Solved

Problem with firewall accepting mail

Posted on 2011-03-24
17
733 Views
Last Modified: 2012-05-11
We recently moved to new office.  I had a consultant set up the firewall.  He was supposed to configure it exactly as the old one.  He didn't and now he can not be reached.
Our MX record points to a SPAM filtering company.  They then send our mail to us.  For the first day they could not send us any mail.  Then I finally got the consultant to put in a change to fix it.  This morning I received this message from the SPAM company.

Still having issues delivering mail to your server consistently.  I currently have 85 messages in queue for your domain.  They have been slowly climbing.  

I see most mail is going through ok but some seems to be getting an error from your server/firewall:
 
2011-03-23T16:34:40.351358-04:00 dpout01 postfix/smtp[417]: 4E9E41C781FB: to=<drocha@rgrayclamps.com>, relay=mail.rgrayclamps.com[12.204.121.3]:25, delay=1013, delays=680/0/0.1/333, dsn=4.4.2, status=deferred (lost connection with mail.rgrayclamps.com[12.204.121.3] while sending end of data -- message may be sent more than once)
 
If you have ‘smtp fixup’ set on your firewall, you will want to disable that, it definitely could cause these types of issues.

I do not have smtp fixup set on the firewall.
0
Comment
Question by:jtennyson
  • 7
  • 7
17 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35206340
Hi there :)

Could be a number of things so let's see. Looking at the config from your previous question I see no smtp fixup indeed. By the way, it is called 'inspect' in the ASA.
You do have an inspect esmtp which might be the issue.

On the other hand I see that you are only allowing smtp traffic in from a number of ip ranges. Are you sure that all the ip addresses from where your SPAM filtering company could send you mail are covered?
0
 

Author Comment

by:jtennyson
ID: 35206371
I am going to check with them right now.
0
 

Author Comment

by:jtennyson
ID: 35206401
The company is in California so I am sure they will not be in for a couple of hours.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35206437
Always nice, different timezones :)

Allright, let's just wait then for now and let me know when they are in.
0
 

Author Comment

by:jtennyson
ID: 35206514
They did get back to me and they said those are the correct addresses.

access-list internet extended permit tcp 64.19.188.16 255.255.255.240 any eq smtp
access-list internet extended permit tcp 206.188.13.128 255.255.255.240 any eq smtp
access-list internet extended permit tcp 4.78.136.16 255.255.255.240 any eq smtp
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 35206588
Ok, in that case let's remove the line 'inspect esmtp'. That's used for smtp and esmtp. See if that helps.

To remove it:

conf t
policy-map global_policy
class inspection_default
no inspect esmtp
exit


Oh, it might be an idea to change those lines to:

access-list internet extended permit tcp 64.19.188.16 255.255.255.240 host 12.204.121.3 eq smtp
access-list internet extended permit tcp 206.188.13.128 255.255.255.240 host 12.204.121.3 eq smtp
access-list internet extended permit tcp 4.78.136.16 255.255.255.240 host 12.204.121.3 eq smtp

Assuming 12.204.121.3 is the public address of the mailserver and the only host where you would want to allow smtp connections to.
0
 

Author Comment

by:jtennyson
ID: 35206776
Thanks again.  I made the changes and will let you know what happens.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35206787
I'll be here :)
0
 

Author Comment

by:jtennyson
ID: 35206822
Should I reboot the firewall?
0
 
LVL 5

Expert Comment

by:shubhanshu_jaiswal
ID: 35206871
disabling ESMTP Inspection should solve the issue...
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35206880
Not really. Those changes should be effective immediatly.
0
 

Author Closing Comment

by:jtennyson
ID: 35209339
Once again you are the best.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35209378
Thx, only I'm afraid you awarded the wrong one :-(
0
 

Author Closing Comment

by:jtennyson
ID: 35223017
I'm so sorry.  I would double the points for you if I could.  I hope your reading on Monday I will need more help.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35223156
Never mind, I was convinced it wasn't your intention.
See you on monday :)
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

From Cisco ASA version 8.3, the Network Address Translation (NAT) configuration has been completely redesigned and it may be helpful to have the syntax configuration for both at a glance. You may as well want to read official Cisco published AS…
Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (http://www.concertocloud.com/about/in-the-news/2017/02/0…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question