Solved

Problem with firewall accepting mail

Posted on 2011-03-24
17
730 Views
Last Modified: 2012-05-11
We recently moved to new office.  I had a consultant set up the firewall.  He was supposed to configure it exactly as the old one.  He didn't and now he can not be reached.
Our MX record points to a SPAM filtering company.  They then send our mail to us.  For the first day they could not send us any mail.  Then I finally got the consultant to put in a change to fix it.  This morning I received this message from the SPAM company.

Still having issues delivering mail to your server consistently.  I currently have 85 messages in queue for your domain.  They have been slowly climbing.  

I see most mail is going through ok but some seems to be getting an error from your server/firewall:
 
2011-03-23T16:34:40.351358-04:00 dpout01 postfix/smtp[417]: 4E9E41C781FB: to=<drocha@rgrayclamps.com>, relay=mail.rgrayclamps.com[12.204.121.3]:25, delay=1013, delays=680/0/0.1/333, dsn=4.4.2, status=deferred (lost connection with mail.rgrayclamps.com[12.204.121.3] while sending end of data -- message may be sent more than once)
 
If you have ‘smtp fixup’ set on your firewall, you will want to disable that, it definitely could cause these types of issues.

I do not have smtp fixup set on the firewall.
0
Comment
Question by:jtennyson
  • 7
  • 7
17 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
Comment Utility
Hi there :)

Could be a number of things so let's see. Looking at the config from your previous question I see no smtp fixup indeed. By the way, it is called 'inspect' in the ASA.
You do have an inspect esmtp which might be the issue.

On the other hand I see that you are only allowing smtp traffic in from a number of ip ranges. Are you sure that all the ip addresses from where your SPAM filtering company could send you mail are covered?
0
 

Author Comment

by:jtennyson
Comment Utility
I am going to check with them right now.
0
 

Author Comment

by:jtennyson
Comment Utility
The company is in California so I am sure they will not be in for a couple of hours.
0
 
LVL 35

Expert Comment

by:Ernie Beek
Comment Utility
Always nice, different timezones :)

Allright, let's just wait then for now and let me know when they are in.
0
 

Author Comment

by:jtennyson
Comment Utility
They did get back to me and they said those are the correct addresses.

access-list internet extended permit tcp 64.19.188.16 255.255.255.240 any eq smtp
access-list internet extended permit tcp 206.188.13.128 255.255.255.240 any eq smtp
access-list internet extended permit tcp 4.78.136.16 255.255.255.240 any eq smtp
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
Comment Utility
Ok, in that case let's remove the line 'inspect esmtp'. That's used for smtp and esmtp. See if that helps.

To remove it:

conf t
policy-map global_policy
class inspection_default
no inspect esmtp
exit


Oh, it might be an idea to change those lines to:

access-list internet extended permit tcp 64.19.188.16 255.255.255.240 host 12.204.121.3 eq smtp
access-list internet extended permit tcp 206.188.13.128 255.255.255.240 host 12.204.121.3 eq smtp
access-list internet extended permit tcp 4.78.136.16 255.255.255.240 host 12.204.121.3 eq smtp

Assuming 12.204.121.3 is the public address of the mailserver and the only host where you would want to allow smtp connections to.
0
 

Author Comment

by:jtennyson
Comment Utility
Thanks again.  I made the changes and will let you know what happens.
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 
LVL 35

Expert Comment

by:Ernie Beek
Comment Utility
I'll be here :)
0
 

Author Comment

by:jtennyson
Comment Utility
Should I reboot the firewall?
0
 
LVL 5

Expert Comment

by:shubhanshu_jaiswal
Comment Utility
disabling ESMTP Inspection should solve the issue...
0
 
LVL 35

Expert Comment

by:Ernie Beek
Comment Utility
Not really. Those changes should be effective immediatly.
0
 

Author Closing Comment

by:jtennyson
Comment Utility
Once again you are the best.
0
 
LVL 35

Expert Comment

by:Ernie Beek
Comment Utility
Thx, only I'm afraid you awarded the wrong one :-(
0
 

Author Closing Comment

by:jtennyson
Comment Utility
I'm so sorry.  I would double the points for you if I could.  I hope your reading on Monday I will need more help.
0
 
LVL 35

Expert Comment

by:Ernie Beek
Comment Utility
Never mind, I was convinced it wasn't your intention.
See you on monday :)
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

How to configure Site to Site VPN on a Cisco ASA.     (version: 1.1 - updated August 6, 2009) Index          [Preface]   1.    [Introduction]   2.    [The situation]   3.    [Getting started]   4.    [Interesting traffic]   5.    [NAT0]   6.…
This article assumes you have at least one Cisco ASA or PIX configured with working internet and a non-dynamic, public, address on the outside interface. If you need instructions on how to enable your device for internet, or basic configuration info…
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now